Permissions overwrite via folder symlink TOCTOU by Maintenance Service
Categories
(Toolkit :: Application Update, defect, P1)
Tracking
()
People
(Reporter: sebbity, Assigned: bytesized)
References
Details
(Keywords: csectype-priv-escalation, reporter-external, sec-high, Whiteboard: [fixed in bug 1551913][reporter-external] [client-bounty-form] [verif?][adv-main69+][adv-esr68.1+][post-critsmash-triage])
Attachments
(1 file)
|
5.75 KB,
application/x-zip-compressed
|
Details |
When running the Windows Mozilla Maintenace Service's fix-update-directory-perms command there is a race condition between the time when a directories attributes are checked for symlinks/junctions [0] to when the permissions on the file contents of the directory are actually changed [1].
By replacing a valid directory after the call to GetFileAttributesW() with a symlink to a target directory before the recursive call into SetPermissionsOfContent() the maintenance service will be tricked into granting Full Control for the Users group to all files/folders in the target directory.
If we use this to overwrite the permissions of the files in C:\Program Files (x86)\Mozilla Maintenance Service\ folder, we can replace the maintenance service itself with a binary we control and achieve arbitrary code execution as the SYSTEM user.
I've attached a proof of concept + binary which takes a folder path to overwrite the contents' permissions. It's pretty unreliable, but I did have success around the 350ms mark while also running a stress testing tool like Prime95 to slow the system down a bit. I tested this on version 68.0.0.7074 of the maintenanceservice.exe.
[0] - https://dxr.mozilla.org/mozilla-central/rev/cb5734727c0a9d88e3e236a3e4a741a051509e0e/toolkit/mozapps/update/common/commonupdatedir.cpp#1040
[1] - https://dxr.mozilla.org/mozilla-central/rev/cb5734727c0a9d88e3e236a3e4a741a051509e0e/toolkit/mozapps/update/common/commonupdatedir.cpp#1071
|
||
Comment 1•6 years ago
|
||
For a local user trying to gain admin privs on a locked-down machine, putting the machine under load isn't a stretch.
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 3•6 years ago
|
||
I'm probably going to end up writing a single patch for this bug and Bug 1551913, which I will post there.
|
||
Updated•6 years ago
|
|
|
||
Comment 5•6 years ago
|
||
Patch landed with the fix for bug 1551913:
https://hg.mozilla.org/mozilla-central/rev/d02282987e93cfa67b7bfc6bb575c734b332af4c
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 6•6 years ago
|
||
This should be fixed in 69.0b16 due to ship on Friday.
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 8•6 years ago
|
||
Removing CVE because this was fixed by code change in 1551913 so it will go under that bug's CVE.
|
||
Comment 9•6 years ago
|
||
Hi Kirk, can this issue be manually verified by qa? If it is possible, can you provide some STR please? Thanks !
|
|
Assignee | |
Comment 10•6 years ago
|
||
Unfortunately, this exploit involves a race condition, so reproducing will be difficult and unreliable. The best STR that I can give you are the ones in the description.
|
|
||
Comment 11•6 years ago
|
||
Thanks for the infos Kirk, in this situation I will remove the qe+ flag.
|
|
||
Updated•5 years ago
|
|
||
Updated•10 months ago
|
Description
•