1269123 - Privilege escalation via maintenanceservice.exe due to unsafe temp directory created by 7-zip extractors

Status: RESOLVED DUPLICATE of bug 1269142

(Firefox :: Installer, defect)

Description

[Stefan Kanthak]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20160420141331

Steps to reproduce:

0. download "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe";
1. execute "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe";
2. answer UAC prompt and wait until first dialog is displayed;
3.a start Windows Explorer,
3.b navigate to %TEMP%,
3.c find subdirectory "7z*.tmp" created by Firefox*Setup*.exe and open it,
3.d open subdirectory "core",
3.e overwrite "maintenanceservice.exe" with arbitrary trojan/virus/...
4. continue with Firefox installation, accepting all defaults


Actual results:

Rogue executable "maintenanceservice" (written by unprivileged user) is executed with administrative privileges.


Expected results:

No UNSAFE subdirectory "7z*.tmp" must be used/created.
See https://cwe.mitre.org/data/definitions/379.html for this well-
known and well-documented beginner's error!

Also see bug 961676 alias CVE-2014-1520

Comment 1

[Stefan Kanthak]

Use http://home.arcor.de/skanthak/download/SENTINEL.EXE as "rogue" executable: it displays the process which started it, the command line and the privilege/integrity level.

Comment 2

[Stefan Kanthak]

Are you going to fix this beginner's error in your installers before the 45 day period expires?
See http://home.arcor.de/skanthak/policy.html