Closed
Bug 1336964
(CVE-2017-7767)
Opened 8 years ago
Closed 8 years ago
Arbitrary file "deletion" as SYSTEM with maintenance service
Categories
(Toolkit :: Application Update, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: sebbity, Assigned: robert.strong.bugs)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [adv-main54+][adv-esr52.2+][post-critsmash-triage])
Attachments
(1 file)
|
247 bytes,
application/x-ruby
|
Details |
An unprivileged (standard) user can use the maintenance service to overwrite arbitrary files with junk data. There is no control over what is written to the target file, though the absence of the original data effectively "deletes" it.
For example, running the poc with clobber_file.rb "C:\Program Files (x86)\Mozilla Firefox\updater.exe" will lock firefox to the current installed version until an administrator repairs the installation because the existing updater.exe cannot be loaded to be verified.
The root cause seems to be that if GetTempFileNameW in WriteStatusFailure [0] is called with a path like '\\.\c:\foo\clobbered', instead of returning a temporary file like '\\.\c:\foo\clobbered\svc123.tmp', it just returns the input path. WriteStatusFailure then directly writes to the temporary path [1], truncating it's contents with the results of the updater.
WriteStatusFailure can be called with a user-supplied directory in a few places, the easiest way is to put the target in the first argument and not supply enough further arguments to cause GetInstallationDir in ExecuteServiceCommand to fail [2]. This is how the attached clobber_file.rb proof of concept works.
I haven't tested, but I think the calls in UpdaterIsValid would also be able to be purposely failed with an attacker controlled directory for update.status to get written into. Possibly some of the calls after that point as well, but it gets more difficult once the updater directory is verified as legitimate.
I also tested using hardlinks to redirect the update.status file while using a normal file path to trigger the overwrite - this does not seem to be possible as the maintenance service re-creates the file (which deletes the hardlink, rather than the file that is points to).
Tested on Windows 8.1 x64, Firefox 51.0.1 as well as mozilla-central.
[0] - https://dxr.mozilla.org/mozilla-central/rev/1d025ac534a6333a8170a59a95a8a3673d4028ee/toolkit/mozapps/update/common/updatehelper.cpp#276
[1] - https://dxr.mozilla.org/mozilla-central/rev/1d025ac534a6333a8170a59a95a8a3673d4028ee/toolkit/mozapps/update/common/updatehelper.cpp#288
[2] - https://dxr.mozilla.org/mozilla-central/rev/1d025ac534a6333a8170a59a95a8a3673d4028ee/toolkit/components/maintenanceservice/workmonitor.cpp#601
|
Reporter | |
Updated•8 years ago
|
Summary: Arbitrary file "deletion" as _SYSTEM with maintenance service → Arbitrary file "deletion" as SYSTEM with maintenance service
|
||
Updated•8 years ago
|
Flags: sec-bounty?
|
||
Updated•8 years ago
|
Keywords: csectype-priv-escalation,
sec-moderate
|
Assignee | |
Comment 1•8 years ago
|
||
Fairly certain that bug 1342742 also fixes this bug.
Matt, I'd like your opinion on whether you agree.
Flags: needinfo?(mhowell)
|
||
Comment 2•8 years ago
|
||
I agree. The path in question is definitely one of the ones that gets verified now, and these examples would fail that verification.
Flags: needinfo?(mhowell)
|
|
Assignee | |
Updated•8 years ago
|
Depends on: CVE-2017-7766
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → robert.strong.bugs
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•8 years ago
|
||
Fixed by bug 1342742
[Tracking Requested - why for this release]:
Added since bug 1342742 is tracking for this release and I am planning on landing for this release.
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → fixed
status-firefox-esr52:
--- → affected
tracking-firefox55:
--- → ?
|
|
Assignee | |
Updated•8 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Group: toolkit-core-security → core-security-release
|
|
Assignee | |
Comment 4•8 years ago
|
||
Bug 1342742 which fixes this bug has been pushed to mozilla-beta and to mozilla-esr52 so setting flags.
Target Milestone: --- → mozilla55
|
|
||
Comment 5•8 years ago
|
||
Rob, is this a distinct issue from bug 1342742 or is the fix for that other bug broad enough that it covered this as well? (Asking for bounty purposes...)
Flags: needinfo?(robert.strong.bugs)
|
|
Assignee | |
Comment 6•8 years ago
|
||
This bug is a distinct issue from bug 1342742 and the fix I went with in bug 1342742 was general enough to fix this bug as well.
Flags: needinfo?(robert.strong.bugs)
|
|
||
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
|
|
Reporter | |
Comment 8•8 years ago
|
||
I'm travelling at the moment but should be able to get back to you within the week.
|
|
||
Updated•8 years ago
|
tracking-firefox-esr52:
--- → 54+
Whiteboard: [post-critsmash-triage] → [adv-main54+][adv-esr52.2+][post-critsmash-triage]
|
|
||
Updated•8 years ago
|
Alias: CVE-2017-7767
|
|
Reporter | |
Comment 9•8 years ago
|
||
I tested using the latest nightly 56.0a1 (2017-07-05) and can confirm the poc no longer replaces file contents.
Flags: needinfo?(sebbity)
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•