Closed
Bug 869452
Opened 11 years ago
Closed 11 years ago
unquoted Path used for MozillaMaintenance Service
Categories
(Toolkit :: Application Update, defect)
Toolkit
Application Update
Tracking
()
RESOLVED
DUPLICATE
of bug 854088
People
(Reporter: idiom604, Unassigned)
Details
(Whiteboard: [sg:dupe 854088])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31 Steps to reproduce: The path used to launch the MozillaMaintenance Service "MozillaMaintenance" uses an unquoted string. C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Version: 12.0.0.4493 Actual results: This can allow a local user to elevate privileges and execute code under the LocalSystem account. The windows API will attempt to launch the following: C:\Program.exe C:\Program Files.exe C:\Program Files (x86)\Mozilla.exe C:\Program Files (x86)\Mozilla Maintenance.exe C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Expected results: The service path should use a quoted string to ensure spaces are not treated as delimiters and arbitrary code is not run under the elevated account.
Updated•11 years ago
|
Group: mozilla-services-security → core-security
Component: General → Security
Product: Mozilla Services → Core
Updated•11 years ago
|
Flags: sec-bounty?
Updated•11 years ago
|
Component: Security → Application Update
Product: Core → Toolkit
Comment 1•11 years ago
|
||
Kamil, would you like to take a look? Let me know if you'd like help. Thanks.
Flags: needinfo?(kamiljoz)
Comment 2•11 years ago
|
||
The path is quoted as of bug 748764. bbondy, can you confirm?
Comment 3•11 years ago
|
||
Let's hold off on asking kamil, etc. until after bbondy confirms. Thanks
Flags: needinfo?(kamiljoz)
Comment 4•11 years ago
|
||
Hi Sean, this was a past issue with old installers, but it has since been fixed. We also recently created a fix so that upgraded versions will get auto-fixed. Did you just install a fresh build and notice this? Or did you have an older version that's been upgrading for a while? If this later case is your situation then it should be fixed by the work in bug 854088. So this bug would be a dupe of that one.
Thanks Brian, Yeah it's the 2nd scenario. The system has an older version that has been updated for sometime.
Checked with a clean install the path is quoted properly, So this looks like a dupe.
Updated•11 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
|
Flags: sec-bounty? → sec-bounty-
Updated•10 years ago
|
Group: core-security
Whiteboard: [sg:dupe 854088]
You need to log in
before you can comment on or make changes to this bug.
Description
•