Closed
Bug 1342742
(CVE-2017-7766)
Opened 8 years ago
Closed 8 years ago
Arbitrary code execution as SYSTEM using Updater to overwrite updater.ini
Categories
(Toolkit :: Application Update, defect)
Tracking
()
People
(Reporter: sebbity, Assigned: robert.strong.bugs)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [adv-main54+][adv-esr52.2+])
Attachments
(7 files, 11 obsolete files)
12.17 KB,
application/x-zip-compressed
|
Details | |
31.13 KB,
patch
|
robert.strong.bugs
:
review+
|
Details | Diff | Splinter Review |
52.30 KB,
patch
|
robert.strong.bugs
:
review+
|
Details | Diff | Splinter Review |
31.13 KB,
patch
|
robert.strong.bugs
:
review+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
66.70 KB,
patch
|
robert.strong.bugs
:
review+
|
Details | Diff | Splinter Review |
38.04 KB,
patch
|
robert.strong.bugs
:
review+
ritu
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
59.25 KB,
patch
|
robert.strong.bugs
:
review+
|
Details | Diff | Splinter Review |
An unprivileged, standard, Windows user can execute arbitrary code as SYSTEM using the Firefox Updater (via the Maintenance Service).
This is possible by combining two bugs. The first is that the Updater can be tricked into executing an arbitrary PostUpdate file by the updater.ini file after a successful action is performed. The second allows overwrite of any file as SYSTEM with partially attacker controlled data.
We use the overwrite bug to write a new updater.ini, which triggers an install of Firefox into an attacker controlled directory which allows arbitrary code execution via the maintenanceservice_installer.exe binary.
# Reproduction
I've attached a poc + source, to run it you'll need the full update.mar for the current installed version of Firefox [0] (or higher), as well as a full firefox installer [1]. The poc can be run as follows:
firefox_poc.exe payload.exe firefox-51.0.1.complete.mar "Firefox Setup 51.0.1.exe" C:\Program Files (x86)\Mozilla Firefox
The payload.exe is the file to be executed as SYSTEM. The final argument needs to be a legitimate Firefox installation directory, and will default to C:\Program Files(x86)\Mozilla Firefox if not supplied. One of the bugs relies on a small race condition, which has always executed in less than a minute for me but let me know if you have any problems. It will continue trying until it succeeds or you use ctrl+c to kill it.
The included payload.exe just runs "whoami > /foo.txt", which should create a foo.txt file in your drive root with the contents "nt authority\system".
# ExeRelPath in updater.ini allows execution of arbitrary Mozilla binaries using absolute paths
The ExeRelPath entry in the C:\Program Files (x86)\Mozilla Firefox\updater.ini file is executed by the updater after a successful action is made. There are allowances made to prevent directory traversal using '..', however if an absolute file path is provided instead of a filename then PathAppendSafe [2] (which uses PathAppendW) will return the absolute file path instead.
Eg. PathAppendW("C:\Program Files (x86)\Mozilla Firefox", "C:\some\mozilla.exe")
=> "C:\some\mozilla.exe"
The updater will happily execute this file, as long as it is signed by Mozilla with a current certificate. We can use then use these binaries in ways never intended to gain arbitrary code execution.
The avenue used in this proof of concept is to use the Firefox setup.exe to install Firefox into an attacker controlled directory [3], which then executes whatever is in the maintenanceservice_installer.exe file on post-install (in fairness, this would have no practical chance of being intercepted otherwise). I imagine there are similar avenues in other Mozilla signed binaries, however I have not investigated them.
# Arbitrary file overwrite with partial content injection
Soon after the updater starts, updater.cpp [4] calls LogInit, which calls GetTempFileNameW with the attacker-supplied patch directory to get a temp filename for the log file. By providing a file which starts with \\.\, GetTempFileNameW will just copy the input into the output buffer instead of providing a valid temp directory.
Eg. GetTempFileNameW("\\.\c:\target\file.txt", L"log", 0, mTmpFilePath)
=> mTmpFilePath = "\\.\c:\target\file.txt"
Since it is essentially a normal file path, the log file will happily truncate and write to this file.
We can insert up to 260 characters at some point in the file using the fact that the working directory argument gets logged in updater.cpp [5]. The resulting file ends up looking something like the following (ABC's are user supplied):
Performing a replace request
PATCH DIRECTORY \\.\C:\target\file.txt
INSTALLATION DIRECTORY C:\Program Files (x86)\Mozilla Firefox
WORKING DIRECTORY AAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCC
The apply-to directory must be the same as or a child of the installation directory! Exiting.
In order to reach the line of code which logs the working directory argument, we need to first avoid a failure of WriteStatusFile [6], otherwise the updater will exit early and we will only truncate the file without our content written. The reason WriteStatusFile fails is that it tries to move a file to <patch-dir>/update.status, which in this case is \\.\c:\target\file.txt\update.status, which is not possible because file.txt is a file.
However, if we create a directory junction in an attacker controlled directory, eg. c:\exploit\junction\ pointing to c:\target\, then we can supply that to the updater instead. Now after the updater has opened a file descriptor to file.txt, we race it to switch the junction out with a directory named file.txt before it has attempted the status file move. If we win the race, the updater creates c:\exploit\junction\file.txt\update.status and execution continues.
# Arbitrary code execution
Because GetPrivateProfileStringW [7] isn't very picky about the formatting of the updater.ini, we can use the arbitrary file overwrite to replace the C:\Program Files (x86)\Mozilla Firefox\updater.ini with one which looks like this:
Performing a replace request
PATCH DIRECTORY \\.\C:\temp\ff-exploit\overwrite-target\updater.ini
INSTALLATION DIRECTORY C:\Program Files (x86)\Mozilla Firefox
WORKING DIRECTORY
[PostUpdateWin]
ExeRelPath=C:\temp\ff-exploit\setup-dir\ff_setup.exe
ExeArg=/INI=C:\temp\ff-exploit\setup-dir\ff_setup.ini
The apply-to directory must be the same as or a child of the installation directory! Exiting.
The ff_setup.ini has the InstallDirectoryPath entry set to an attacker controlled directory, eg. c:\temp\ff-exploit\new-firefox\ and the MaintenanceService entry set to true. The attacker just needs to copy their payload.exe into c:\temp\ff-exploit-new-firefox\maintenanceservice_installer.exe and keep it locked for shared reads (so it can't be overwritten on install, but can be executed).
Then, we trigger some action which will succeed, like staging an upate.mar file
-> which will execute the PostUpdateWin command
-> which will install a new copy of firefox into the attacker controlled c:\temp\ff-exploit\new-firefox\ directory
-> which will then run the maintenanceservice_install.exe payload as SYSTEM
Let me know if you need any more information. I tested on Windows 8.1 x64, Firefox 51.0.1
[0] - http://archive.mozilla.org/pub/firefox/releases/51.0.1/update/win32/en-US/firefox-51.0.1.complete.mar
[1] - http://archive.mozilla.org/pub/firefox/releases/51.0.1/win32/en-US/Firefox%20Setup%2051.0.1.exe
[2] - https://dxr.mozilla.org/mozilla-central/rev/f36062d04d165f6f6e781cf0633ffcbbebe6c273/toolkit/mozapps/update/updater/updater.cpp#2029
[3] - https://wiki.mozilla.org/Installer:Command_Line_Arguments
[4] - https://dxr.mozilla.org/mozilla-central/rev/f36062d04d165f6f6e781cf0633ffcbbebe6c273/toolkit/mozapps/update/updater/updater.cpp#2937
[5] - https://dxr.mozilla.org/mozilla-central/rev/f36062d04d165f6f6e781cf0633ffcbbebe6c273/toolkit/mozapps/update/updater/updater.cpp#2958
[6] - https://dxr.mozilla.org/mozilla-central/rev/f36062d04d165f6f6e781cf0633ffcbbebe6c273/toolkit/mozapps/update/updater/updater.cpp#2939
[7] - https://dxr.mozilla.org/mozilla-central/rev/f36062d04d165f6f6e781cf0633ffcbbebe6c273/toolkit/mozapps/update/updater/updater.cpp#2005
Updated•8 years ago
|
Flags: needinfo?(robert.strong.bugs)
Keywords: csectype-priv-escalation,
sec-high
Comment 1•8 years ago
|
||
Tracking for 54 for now though I'm not sure which branch we know is affected.
status-firefox52:
--- → ?
status-firefox53:
--- → ?
status-firefox54:
--- → affected
status-firefox-esr45:
--- → ?
status-firefox-esr52:
--- → ?
tracking-firefox54:
--- → +
Updated•8 years ago
|
Assignee: nobody → robert.strong.bugs
Assignee | ||
Updated•8 years ago
|
Status: NEW → ASSIGNED
Flags: needinfo?(robert.strong.bugs)
Updated•8 years ago
|
Flags: sec-bounty?
Comment 2•8 years ago
|
||
Robert, this bug has been reported almost 3 weeks ago and it's sec-high.
Can you move it up in your queue?
Flags: needinfo?(robert.strong.bugs)
Assignee | ||
Comment 3•8 years ago
|
||
Will do.
dveditz, I've noticed that you haven't been giving sec-high for local exploits as of late. Should this be sec-high?
Flags: needinfo?(robert.strong.bugs) → needinfo?(dveditz)
Comment 4•8 years ago
|
||
I think so. Will check the others and see if I underrated them.
Flags: needinfo?(dveditz)
Assignee | ||
Comment 5•8 years ago
|
||
Just an update for drivers, I'm close to being finished with this patch but I still need to finish up the tests. I hope to have this submitted for review by no later than EOD Monday.
Assignee | ||
Comment 6•8 years ago
|
||
Matt, I still have a couple of more things I want to add to this patch but I wanted to get your input on the current set of changes while I am adding them. Thanks!
Attachment #8853880 -
Flags: feedback?(mhowell)
Comment 7•8 years ago
|
||
Comment on attachment 8853880 [details] [diff] [review]
Patch in progress
Review of attachment 8853880 [details] [diff] [review]:
-----------------------------------------------------------------
Didn't do a full review yet, but I do agree with the approach of just locking down _all_ the paths like this.
I'm a little worried about IsValidFullPath rejecting UNC paths; running off of a network share seems like a case we want to support (without requiring a drive mapping).
Also, this might be one of the things you're planning to add, but it's probably also a good idea to check the return code from GetTempFileName. Looks like it would have been returning 0 and setting last-error to 267 (directory name is invalid) while running this exploit.
Attachment #8853880 -
Flags: feedback?(mhowell) → feedback+
Assignee | ||
Comment 8•8 years ago
|
||
(In reply to Matt Howell [:mhowell] from comment #7)
> Comment on attachment 8853880 [details] [diff] [review]
> Patch in progress
>
> Review of attachment 8853880 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Didn't do a full review yet, but I do agree with the approach of just
> locking down _all_ the paths like this.
>
> I'm a little worried about IsValidFullPath rejecting UNC paths; running off
> of a network share seems like a case we want to support (without requiring a
> drive mapping).
It allows UNC server shares but not other UNC paths. Are there other UNC paths you are concerned about?
>+ // Check if the path is a UNC server share.
>+ if (origFullPath[0] == NS_T('\\')) {
>+ if (!PathIsUNCServerShareW(origFullPath)) {
>+ return false;
>+ }
Flags: needinfo?(mhowell)
Comment 9•8 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #8)
> It allows UNC server shares but not other UNC paths. Are there other UNC
> paths you are concerned about?
No, you're right, I was misinterpreting that code somehow. Please disregard.
But that did lead me to discover another issue with using PathIsUNCServerShare this way; it only returns true if the path is just to a share, and false for a directory within a share:
PathIsUNCServerShareW(L"\\\\server\\share") == TRUE
PathIsUNCServerShareW(L"\\\\server\\share\\dir") == FALSE
So that's not all that useful in this context.
Flags: needinfo?(mhowell)
Assignee | ||
Comment 10•8 years ago
|
||
Thanks for checking that call and this latest patch should cover it. Still have a few more calls I need to verify but that was the main one. I added a test for the failure case. I'm not sure if it would be ok to add an in tree test using a valid UNC server share path since tests that access the network aren't allowed. Perhaps it would be ok if I used a server name that wouldn't be used since from what I recall the concern is that tests should pass without access to the network resource which this test would.
Added the GetTempFileName checks for the cases that are of concern. I still need to double check if there are other cases.
The main last thing I want to add is checking that the registry entry for the install directory exists from the maintenance service but there might be a few more as I examine the code.
Thanks for the feedback!
Attachment #8853880 -
Attachment is obsolete: true
Assignee | ||
Comment 11•8 years ago
|
||
Drivers, keeping the existing tests running while adding the new restrictions is taking a little longer than I had thought it would. Another day or so and it should be ready to land on nightly.
Assignee | ||
Comment 12•8 years ago
|
||
Attachment #8854370 -
Attachment is obsolete: true
Assignee | ||
Comment 13•8 years ago
|
||
Pushed to try
https://treeherder.mozilla.org/#/jobs?repo=try&revision=04910a382a4ff11e4991fac9aeba56cc0eaafd71
Attachment #8855040 -
Attachment is obsolete: true
Assignee | ||
Comment 14•8 years ago
|
||
Without the patch I was able to reproduce and I get the following in the maintenanceservice.log
updater.exe was compared successfully to the installation directory updater.exe.
The updater.exe application contains the Mozilla updater identity.
The file "C:\Program Files (x86)\Nightly\updater.exe" is signed and the signature was verified.
Passed in path: 'C:\Program Files (x86)\Nightly\updater.exe'; Using this path for updating: 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'.
updater.exe was compared successfully to the installation directory updater.exe.
The updater.exe application contains the Mozilla updater identity.
The file "C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe" is signed and the signature was verified.
Starting update process as the service in session 0.
Starting service with cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe" C:\moz\170626\patch-dir "C:\Program Files (x86)\Nightly" "C:\Program Files (x86)\Nightly\updated" -1 . C:\moz\170626\setup-dir\ff_setup.ini
Process was started... waiting on result.
Process finished with return code 0.
updater.exe returned status: applied
updater.exe was launched and run successfully!
Service command software-update complete.
service command aaa complete with result: Success.
With the patch I get the following in the maintenanceservice.log
*** Warning: The patch directory path is not valid for this application.***
Assignee | ||
Comment 15•8 years ago
|
||
Fixed a couple of things exposed by eslint
Pushed to try again
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b39a7e9212e9429a60d9e3249abf87ca7d28beb1
Attachment #8855107 -
Attachment is obsolete: true
Assignee | ||
Comment 16•8 years ago
|
||
Seb, thanks for the bug report and for the precise details and instructions! It is really appreciated.
Assignee | ||
Comment 17•8 years ago
|
||
Comment on attachment 8855119 [details] [diff] [review]
patch rev1
I've run other versions of this patch through the try server so I am fairly certain it will pass so requesting review.
Attachment #8855119 -
Flags: review?(mhowell)
Assignee | ||
Comment 18•8 years ago
|
||
I filed bug 1353889 which should make it possible to add tests for the one change that I didn't add a test for. I manually verified that change worked as expected. There are some other things that can be done to simplify the tests overall after the changes to TestAUSHelper but I don't want to do that in this bug.
Reporter | ||
Comment 19•8 years ago
|
||
No worries Robert - happy to help! Glad to see this fixed :)
Comment 20•8 years ago
|
||
Comment on attachment 8855119 [details] [diff] [review]
patch rev1
Review of attachment 8855119 [details] [diff] [review]:
-----------------------------------------------------------------
r+ overall with a handful of comments. Thanks for getting this mess sorted out.
::: toolkit/mozapps/update/common/updatecommon.cpp
@@ +192,5 @@
> + }
> +
> + if (origFullPath[0] == NS_T('\\')) {
> + // Only allow UNC server share paths.
> + if (!PathIsUNCServerShareW(testPath)) {
Still need to fix this call; PathIsUNCServerShare rejects anything not of the precise form "\\server\share" (including "\\server\share\" it turns out), but we need to allow subdirectories of a share.
::: toolkit/mozapps/update/tests/data/xpcshellUtilsAUS.js
@@ +2644,5 @@
> +
> + // Make sure the service from the previous test is already stopped.
> + waitForServiceStop(true);
> +
> + // Prevent the cleanup function from begin run more than once
Typo for "being".
::: toolkit/mozapps/update/tests/unit_base_updater/invalidArgPatchDirPathTraversalFailure.js
@@ +2,5 @@
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/.
> + */
> +
> +/* Install directory path traversal failure test */
This one is patch directory, not install directory.
::: toolkit/mozapps/update/tests/unit_base_updater/invalidArgWorkingDirPathLocalUNCFailure_win.js
@@ +2,5 @@
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/.
> + */
> +
> +/* Too long install directory path failure test */
Working directory, not install directory, and UNC path, not overlong path.
::: toolkit/mozapps/update/tests/unit_service_updater/invalidArgWorkingDirPathLocalUNCFailureSvc_win.js
@@ +2,5 @@
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/.
> + */
> +
> +/* Too long install directory path failure test */
Working directory, not install directory, and UNC path, not overlong path.
::: toolkit/mozapps/update/updater/updater.cpp
@@ +2151,5 @@
> NS_tchar filename[MAXPATHLEN] = {NS_T('\0')};
> #if defined(XP_WIN)
> // The temp file is not removed on failure since there is client code that
> // will remove it.
> + if (GetTempFileNameW(gPatchDirPath, L"sta", 0, filename) == 0) {
This may not quite work; GetTempFileName returns 0 and sets the last error to 267 ("The directory name is invalid") when the first argument is a path that doesn't exist, even if it's a valid path. Might have to move the ensure_parent_dir call up here, or just check for that case.
Attachment #8855119 -
Flags: review?(mhowell) → review+
Comment 21•8 years ago
|
||
(In reply to Matt Howell [:mhowell] from comment #20)
> ::: toolkit/mozapps/update/common/updatecommon.cpp
> @@ +192,5 @@
> > + }
> > +
> > + if (origFullPath[0] == NS_T('\\')) {
> > + // Only allow UNC server share paths.
> > + if (!PathIsUNCServerShareW(testPath)) {
>
> Still need to fix this call; PathIsUNCServerShare rejects anything not of
> the precise form "\\server\share" (including "\\server\share\" it turns
> out), but we need to allow subdirectories of a share.
Disregard this comment; I didn't notice we were calling PathIsUNCServerShare on the result of PathStripToRoot.
Assignee | ||
Comment 22•8 years ago
|
||
Addressed comments except for the one noted in comment #21 and
> ::: toolkit/mozapps/update/updater/updater.cpp
> @@ +2151,5 @@
> > NS_tchar filename[MAXPATHLEN] = {NS_T('\0')};
> > #if defined(XP_WIN)
> > // The temp file is not removed on failure since there is client code that
> > // will remove it.
> > + if (GetTempFileNameW(gPatchDirPath, L"sta", 0, filename) == 0) {
>
> This may not quite work; GetTempFileName returns 0 and sets the last error
> to 267 ("The directory name is invalid") when the first argument is a path
> that doesn't exist, even if it's a valid path. Might have to move the
> ensure_parent_dir call up here, or just check for that case.
This isn't needed since the file is written to the patch directory which must exist.
Attachment #8855119 -
Attachment is obsolete: true
Attachment #8855689 -
Flags: review+
Assignee | ||
Comment 23•8 years ago
|
||
Comment on attachment 8855689 [details] [diff] [review]
patch rev2
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The steps to reproduce this are fairly complicated (see comment #0) so in my opinion it wouldn't be that easy,
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I don't think it paints a bulls-eye on the security problem though the checks do give a starting point on what to go after.
Which older supported branches are affected by this flaw?
All
If not all supported branches, which bug introduced the flaw?
N/A
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
It should be fairly simple and no more risky than this patch.
How likely is this patch to cause regressions; how much testing does it need?
As with all significant app update patches I definitely want this to bake on Nightly for a couple of days. Also, if it is ok with you I'd like to land this on the oak branch and test it before landing it on Nightly.
Attachment #8855689 -
Flags: sec-approval?
Comment 24•8 years ago
|
||
Comment on attachment 8855689 [details] [diff] [review]
patch rev2
We're about to make release builds for 53. There is no way this can go in yet. I'm giving it sec-approval+ to land on *May 2*, two weeks into the next cycle, and not before then.
Attachment #8855689 -
Flags: sec-approval? → sec-approval+
Updated•8 years ago
|
Whiteboard: [checkin on May 2]
Assignee | ||
Comment 25•8 years ago
|
||
Al, are you ok with my landing this on oak so I can test it there first and if so do you have a date constraint for my landing it. I won't reference this bug or give any details in the message used to land it there?
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #23)
<snip>
> As with all significant app update patches I definitely want this to bake on
> Nightly for a couple of days. Also, if it is ok with you I'd like to land
> this on the oak branch and test it before landing it on Nightly.
Flags: needinfo?(abillings)
Comment 26•8 years ago
|
||
Yes, Rob, I think that would be ok and you more than have my trust on these things. :-)
Flags: needinfo?(abillings)
Assignee | ||
Comment 27•8 years ago
|
||
I'm separating the client code from the test code since I will be changing the test code before this bug can land.
Assignee | ||
Comment 28•8 years ago
|
||
Assignee | ||
Comment 30•8 years ago
|
||
Hi Matt, I'd like you to take another look at the test code changed quite a bit after bug 1354850.
Attachment #8856071 -
Attachment is obsolete: true
Attachment #8857762 -
Flags: review?(mhowell)
Assignee | ||
Comment 31•8 years ago
|
||
Assignee | ||
Comment 32•8 years ago
|
||
Previous push had errors unrelated to this bug... new try push
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b1c866057101c1b9e7c0ce62fe526fcf54acbd1d
Updated•8 years ago
|
Attachment #8857762 -
Flags: review?(mhowell) → review+
Assignee | ||
Updated•8 years ago
|
Blocks: CVE-2017-7767
Assignee | ||
Comment 33•8 years ago
|
||
Per comment #24 this won't make it into 53
Assignee | ||
Comment 34•8 years ago
|
||
Talked with abillings and I'll land this on June 28 so it can bake a few days before uplifing.
Whiteboard: [checkin on May 2] → [checkin on June 28]
Assignee | ||
Comment 36•8 years ago
|
||
Forgot to cleanup the Mac command line when elevated.
Attachment #8855689 -
Attachment is obsolete: true
Attachment #8856070 -
Attachment is obsolete: true
Attachment #8857761 -
Attachment is obsolete: true
Attachment #8860766 -
Flags: review?(mhowell)
Updated•8 years ago
|
Attachment #8860766 -
Flags: review?(mhowell) → review+
Assignee | ||
Comment 37•8 years ago
|
||
Attachment #8860766 -
Attachment is obsolete: true
Attachment #8863067 -
Flags: review+
Assignee | ||
Comment 38•8 years ago
|
||
I have patches for beta and esr that I will attach soon.
Attachment #8857762 -
Attachment is obsolete: true
Attachment #8863068 -
Flags: review+
Assignee | ||
Updated•8 years ago
|
Whiteboard: [checkin on 4/28]
Assignee | ||
Comment 39•8 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #38)
> Created attachment 8863068 [details] [diff] [review]
> pushed test patch for m-c
>
> I have patches for beta and esr that I will attach soon.
Note: pushed both patches to mozilla-inbound
https://hg.mozilla.org/integration/mozilla-inbound/rev/5b52d7c9212cfbf5266b0d1f0b8d35ba694a06a4
Assignee | ||
Comment 40•8 years ago
|
||
Merged to mozilla-central
https://hg.mozilla.org/mozilla-central/rev/702bca2e601f
https://hg.mozilla.org/mozilla-central/rev/5b52d7c9212c
I have patches for beta and esr that I will attach soon.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
Assignee | ||
Comment 41•8 years ago
|
||
Approval Request Comment
[Feature/Bug causing the regression]:
Original maintenance service implementation
[User impact if declined]:
They will continue to be vulnerable to this local exploit
[Is this code covered by automated tests?]: Yes
[Has the fix been verified in Nightly?]:
I have verified it on Nightly
[Needs manual test from QE? If yes, steps to reproduce]:
No
[List of other uplifts needed for the feature/fix]:
N/A
[Is the change risky?]:
No more so than any other similar change to app update.
[Why is the change risky/not risky?]:
It validates the command line arguments used with the updater are what should be sent by Firefox. It is possible though not likely that some system might somehow munge the arguments.
[String changes made/needed]:
None
Attachment #8863532 -
Flags: review+
Attachment #8863532 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 42•8 years ago
|
||
Forgot to mention that I have also built beta with this patch and all update tests pass.
Assignee | ||
Comment 43•8 years ago
|
||
This also needs the test changes from bug 1354850
Attachment #8863534 -
Flags: review+
Assignee | ||
Comment 44•8 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:
They will continue to be vulnerable to this local exploit
Fix Landed on Version:
55
Risk to taking this patch (and alternatives if risky):
No more so than any other similar change to app update. It validates the command line arguments used with the updater are what should be sent by Firefox. It is possible though not likely that some system might somehow munge the arguments.
String or UUID changes made by this patch:
None
I have also built esr52 with this patch and all update tests pass.
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8863537 -
Flags: review+
Attachment #8863537 -
Flags: approval-mozilla-esr52?
Assignee | ||
Comment 45•8 years ago
|
||
This also needs the test changes from bug 1354850
Attachment #8863539 -
Flags: review+
Comment 46•8 years ago
|
||
A local privilege escalation like this is more relevant to enterprise users than typical home users, and thus appropriate for ESR.
Updated•8 years ago
|
Group: toolkit-core-security → core-security-release
Comment on attachment 8863532 [details] [diff] [review]
client patch for beta
Sec-high, Beta54+
Attachment #8863532 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8863537 [details] [diff] [review]
client patch for esr52
Sec-high, ESR52.2+
Attachment #8863537 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Assignee | ||
Comment 49•8 years ago
|
||
Pushed to mozilla-beta
https://hg.mozilla.org/releases/mozilla-beta/rev/f7d1810de3816ea87d58c3828640f9939862ee2e
Assignee | ||
Comment 50•8 years ago
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #49)
> Pushed to mozilla-beta
> https://hg.mozilla.org/releases/mozilla-beta/rev/
> f7d1810de3816ea87d58c3828640f9939862ee2e
Also, the test patch
https://hg.mozilla.org/releases/mozilla-beta/rev/bbcddab3288afe64402e5093cf7786fe152bb4e7
Assignee | ||
Comment 51•8 years ago
|
||
Comment 52•8 years ago
|
||
(In reply to Robert Strong PTO 5/5 [:rstrong] (use needinfo to contact me) from comment #41)
> [Is this code covered by automated tests?]: Yes
> [Has the fix been verified in Nightly?]:
> I have verified it on Nightly
> [Needs manual test from QE? If yes, steps to reproduce]:
> No
Setting qe-verify- based on Robert's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-
Updated•7 years ago
|
Whiteboard: [adv-main54+][adv-esr52.2+]
Updated•7 years ago
|
Alias: CVE-2017-7766
Updated•7 years ago
|
Group: core-security-release
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•