Open Bug 1269142 Opened 8 years ago Updated 2 years ago

Privilege escalation via shfolder.dll due to unsafe temp directory created by 7-zip extractors

Categories

(Firefox :: Installer, defect, P5)

38 Branch
Unspecified
Windows
defect

People

(Reporter: stefan.kanthak, Unassigned)

Details

(Keywords: sec-moderate)

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20160420141331

Steps to reproduce:

0. download "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe";
1. save attached shfolder.cmd, shfolder.dll and shfolder.exe in arbitrary directory;
2. run shfolder.cmd;
3. execute "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe" and answer UAC prompt.

Actual results:

Rogue executables "shfolder.dll" and "shfolder.exe" are executed with administrative privileges.


Expected results:

No UNSAFE subdirectory "7z*.tmp" must be used/created.
See https://cwe.mitre.org/data/definitions/379.html for this well-known and well-documented beginner's error!

Also see bug 961676 alias CVE-2014-1520
OS: Unspecified → Windows
Flags: sec-bounty?
Component: Untriaged → Installer
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate
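The pattern the report points at (CWE-379: an elevated installer staging and loading binaries from a directory that a lower-privileged account can write to) has a standard mitigation: create the staging directory with an explicit DACL instead of inheriting whatever the parent temp directory grants, and verify the ACL before loading anything from it. The Windows PowerShell script below is an added example, not code from this bug, its attachments, or the Firefox installer. It assumes Windows PowerShell 5.1 on .NET Framework (for the `Directory.CreateDirectory(path, DirectorySecurity)` overload), it is meant to run in the already-elevated process that will load the staged files (an unelevated creator stays implicit owner and could rewrite the DACL), and the `fxsetup-` directory prefix is invented for the example. It also audits any leftover `7z*.tmp` directories under `%TEMP%`, the name pattern the report mentions.

```powershell
# Added example (not from the bug report or the Firefox installer).
# Requires Windows PowerShell 5.1 / .NET Framework for the
# Directory.CreateDirectory(path, DirectorySecurity) overload.

# Principals that may legitimately write to a directory an elevated process
# loads code from. Well-known SIDs, so the check is locale-independent.
$script:TrustedWriters = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Any of these rights lets a principal drop or replace a file in the
# directory, or widen its own access to do so later.
$script:WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, Write, Modify, FullControl'

function Get-UntrustedWriteAces {
    # Returns the Allow ACEs that grant write-capable rights to anyone outside
    # $TrustedWriters. An empty result means the directory is safe to load from.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.FileSystemRights -band [int]$script:WriteMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable name: treat as untrusted
        }
        if ($script:TrustedWriters -notcontains $sid) { $ace }
    }
    return @($hits)
}

function New-RestrictedStagingDirectory {
    # Creates a staging directory whose DACL is applied at creation time (no
    # window between mkdir and a later ACL change), grants full control only to
    # SYSTEM and Administrators, and disables inheritance from the parent.
    param([string]$Parent = $env:TEMP)

    # The 'fxsetup-' prefix is an assumption of this example, not the real installer's name.
    $path = Join-Path $Parent ('fxsetup-' + [guid]::NewGuid().ToString('N'))

    $security = [System.Security.AccessControl.DirectorySecurity]::new()
    $security.SetAccessRuleProtection($true, $false)   # protected DACL, drop inherited ACEs
    foreach ($sidString in $script:TrustedWriters) {
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($sidString)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $security.AddAccessRule($rule)
    }
    [System.IO.Directory]::CreateDirectory($path, $security) | Out-Null
    return $path
}

# Usage: create a restricted staging directory, verify it, then audit any
# leftover 7z*.tmp directories (the name pattern from the report) under %TEMP%.
$staging = New-RestrictedStagingDirectory
if ((Get-UntrustedWriteAces -Path $staging).Count -eq 0) {
    Write-Output "OK: $staging is writable only by SYSTEM and Administrators"
}
Get-ChildItem -LiteralPath $env:TEMP -Directory -Filter '7z*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $aces = Get-UntrustedWriteAces -Path $_.FullName
        if ($aces.Count -gt 0) {
            $who = ($aces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
            Write-Output "UNSAFE: $($_.FullName) writable by $who"
        }
    }
```

On a default per-user `%TEMP%`, the audit reports the logged-on user as an untrusted writer for every `7z*.tmp` directory it finds, which is exactly the condition the report describes: the unelevated account can place files where the elevated installer will load them. The restricted directory passes because its DACL names only SYSTEM and Administrators; the check is on the effective ACEs rather than the directory's location, so it also flags a shared temp directory that grants write access to Users or Everyone.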
Are you going to fix this beginner's error in your installers before the 45-day period expires?
See http://home.arcor.de/skanthak/policy.html
Note that in the example shell script the same bug can be taken advantage of with maintenanceservice.exe and maintenanceservice_installer.exe, but the actual bug is the temp directory.
Does not meet the bar for our bounty program, which is focused on bugs that can remotely attack Firefox users. This attack assumes the user's machine is already compromised.
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-
Priority: -- → P5
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 4 duplicates.
:Amir, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ahabibi)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(ahabibi)
