Open
Bug 1269142
Opened 8 years ago
Updated 2 years ago
Privilege escalation via shfolder.dll due to unsafe temp directory created by 7-zip extractors
Categories
(Firefox :: Installer, defect, P5)
Tracking
()
NEW
People
(Reporter: stefan.kanthak, Unassigned)
References
Details
(Keywords: sec-moderate)
Attachments
(3 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20160420141331

Steps to reproduce:
0. download "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe";
1. save attached shfolder.cmd, shfolder.dll and shfolder.exe in arbitrary directory;
2. run shfolder.cmd;
3. execute "Firefox Setup 38.8.0esr.exe" or "Firefox Setup 46.0.exe" and answer UAC prompt.

Actual results:
Rogue executables "shfolder.dll" and "shfolder.exe" are executed with administrative privileges.

Expected results:
No UNSAFE subdirectory "7z*.tmp" must be used/created. See https://cwe.mitre.org/data/definitions/379.html for this well-known and well-documented beginner's error! Also see bug 961676 alias CVE-2014-1520
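The mitigation that CWE-379 calls for, shown as an added example that is not part of the original report or of Mozilla's installer code: create the extraction directory exclusively under an unpredictable name, and audit any directory before code is loaded from it. POSIX ownership and mode bits stand in for Windows ACLs here (an assumption); the function names and the sample directory name "7zDEMO.tmp" are hypothetical.

```python
import os
import secrets
import stat
import tempfile


def create_private_dir(parent):
    """Create a fresh, unpredictably named directory only the current user can use."""
    for _ in range(10):
        path = os.path.join(parent, "extract-" + secrets.token_hex(8))
        try:
            # mkdir fails if the name exists, so a pre-made directory is never adopted.
            os.mkdir(path, 0o700)
        except FileExistsError:
            continue
        return path
    raise RuntimeError("could not create a private directory")


def audit_dir(path, expected):
    """Return the reasons why code must not be loaded or run from `path`."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted under this name
    if not stat.S_ISDIR(st.st_mode):
        return ["not a real directory (symlink or file)"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by other users")
    extras = sorted(set(os.listdir(path)) - set(expected))
    problems += ["unexpected file: " + name for name in extras]
    return problems


if __name__ == "__main__":
    parent = tempfile.mkdtemp()
    good = create_private_dir(parent)
    print(good, audit_dir(good, []))
    # Constructed sample: a pre-existing, world-writable directory with an extra DLL.
    bad = os.path.join(parent, "7zDEMO.tmp")
    os.mkdir(bad)
    os.chmod(bad, 0o777)
    for name in ("setup.exe", "shfolder.dll"):
        open(os.path.join(bad, name), "w").close()
    print(bad, audit_dir(bad, ["setup.exe"]))
```
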
Reporter
Updated•8 years ago
OS: Unspecified → Windows
Reporter
Comment 1•8 years ago
Reporter
Comment 2•8 years ago
Reporter
Comment 3•8 years ago
Reporter
Comment 4•8 years ago
Attachment #8747468 -
Attachment is obsolete: true
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Component: Untriaged → Installer
Updated•8 years ago
Reporter
Comment 6•8 years ago
Are you going to fix this beginner's error in your installers before the 45 day period expires? See http://home.arcor.de/skanthak/policy.html
Comment 9•8 years ago
Note in the example shell script the same bug can be taken advantage of with maintenanceservice.exe and maintenanceservice_installer.exe, but the actual bug is the temp directory.
Comment 10•8 years ago
Does not meet the bar for our bounty program which is being focused on bugs that can remotely attack Firefox users. This attack assumes the user's machine is already compromised.
Group: firefox-core-security
Flags: sec-bounty? → sec-bounty-
Updated•7 years ago
Priority: -- → P5
Updated•2 years ago
Severity: normal → S3
Comment 12•2 years ago
The severity field for this bug is relatively low, S3. However, the bug has 4 duplicates.
:Amir, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Flags: needinfo?(ahabibi)
Comment 13•2 years ago
The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.
Flags: needinfo?(ahabibi)