Privilege Escalation via Mozilla Maintenance Service if Firefox is Installed to a Writable Location
Categories
(Toolkit :: Application Update, defect, P1)
Tracking
()
People
(Reporter: hofusec, Assigned: robert.strong.bugs)
Details
(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [post-critsmash-triage][adv-main69+][adv-esr68.1+][adv-esr60.9+])
Attachments
(4 files, 2 obsolete files)
43.69 KB,
application/x-zip-compressed
|
Details | |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr68+
abillings
:
sec-approval+
|
Details | Review |
1.60 KB,
patch
|
jcristau
:
approval-mozilla-esr68+
|
Details | Diff | Splinter Review |
2.87 KB,
patch
|
robert.strong.bugs
:
review+
jcristau
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
The full Mozilla Firefox Installer allows a user to choose a custom install location. (Personally I have used this to install firefox on my secondary hard drive at D:\Firefox.)
The installer doesn't adjust the rights of the created firefox directory, so for example, if the user chooses a writable location the firefox directory is writable after the installation.
A writable firefox directory can be exploited to gain system rights via the mozilla maintenance service. During an update the maintenanceservice.exe from the firefox directory is copied to <mozilla-maintenance-service-directory>/maintenanceservice_tmp.exe and executed from there with system rights. By manipulating the maintenanceservice.exe during a update it is possible to escalate privileges.
POC (tested on Windows 10):
1.) install firefox via the full installer (http://archive.mozilla.org/pub/firefox/releases/68.0.2/win32/en-US/Firefox%20Setup%2068.0.2.exe) to a writable directory for example D:\Firefox
2.) unzip attached zip
3.) download https://archive.mozilla.org/pub/firefox/releases/68.0.2/update/win64/en-US/firefox-68.0.2.complete.mar to <unzipped-direcory>/update/0/update.mar
4.) change the firefox paths in copyloop.bat and mozupdate.bat to the firefox install location
5.) change the path to the update/0 directory in mozupdateservicetest.bat to your path
6.) start copyloop.bat (this will overwrite the maintenanceservice.exe in the firefox directory with a test.exe during the update) and mozupdate.bat (will run the update)
7.) After the update finished you will see that:
- the test.exe was copied to <mozilla-maintenance-service-directory>/maintenanceservice_tmp.exe.
- this maintenanceservice_tmp.exe is running as SYSTEM user
![]() |
||
Updated•4 years ago
|
![]() |
||
Comment 1•4 years ago
|
||
Off the top of my head, maybe there's some way we can insure the service exe we launch at system level passes some sort of code signing check?
![]() |
Assignee | |
Comment 2•4 years ago
|
||
I have already thought of a way to fix this last night.
![]() |
Assignee | |
Updated•4 years ago
|
Updated•4 years ago
|
![]() |
Assignee | |
Comment 3•4 years ago
|
||
![]() |
Assignee | |
Comment 4•4 years ago
|
||
Holger, thank you very much for finding and filing this bug!
Updated•4 years ago
|
![]() |
Assignee | |
Comment 5•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not sure.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Easy
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely. The patch uses an existing check that is used to verify it is ok to launch other binaries such as helper.exe (e.g. the post update process).
Comment 6•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
sec-approval+ for mozilla-central.
Comment 7•4 years ago
|
||
![]() |
Assignee | |
Comment 8•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
Beta/Release Uplift Approval Request
- User impact if declined: Clients will be vulnerable to this exploit
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce: I've verified and if it is desired to have additional verification there are steps in comment #0
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch uses an existing check that is used to verify it is ok to launch other binaries such as helper.exe (e.g. the post update process).
- String changes made/needed: None
Updated•4 years ago
|
Comment 9•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
Thanks for the fix. Approving this for 69.0b16 now so we can get a bit of wider testing before next week's RC.
![]() |
Assignee | |
Comment 10•4 years ago
|
||
![]() |
Assignee | |
Comment 11•4 years ago
|
||
![]() |
Assignee | |
Comment 12•4 years ago
|
||
![]() |
||
Comment 13•4 years ago
|
||
![]() |
||
Comment 14•4 years ago
|
||
![]() |
Assignee | |
Comment 15•4 years ago
|
||
The followup fixed the Windows MingW build failures
![]() |
Assignee | |
Comment 16•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Clients will be vulnerable to this exploit
- Fix Landed on Version: 69
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch uses an existing check that is used to verify it is ok to launch other binaries such as helper.exe (e.g. the post update process).
- String or UUID changes made by this patch: None
![]() |
Assignee | |
Updated•4 years ago
|
![]() |
Assignee | |
Comment 17•4 years ago
|
||
Note: the patch that landed on Beta applies cleanly to ESR68. I will submit a new patch for ESR60 shortly.
![]() |
Assignee | |
Comment 18•4 years ago
|
||
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Clients will be vulnerable to this exploit
- Fix Landed on Version: 69
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch uses an existing check that is used to verify it is ok to launch other binaries such as helper.exe (e.g. the post update process).
- String or UUID changes made by this patch: None
![]() |
||
Comment 19•4 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0bab25d1df16
https://hg.mozilla.org/mozilla-central/rev/c86ae47a9e17
Comment 20•4 years ago
|
||
Comment on attachment 9087338 [details]
Bug 1574980 - Fix issues with maintenance service install. r=bytesized
sec-high fix, approved for 68.1esr
Updated•4 years ago
|
Comment 21•4 years ago
|
||
Comment on attachment 9087559 [details] [diff] [review] Patch for ESR 60 - includes the followup fix ... likewise for 60.9
![]() |
||
Comment 22•4 years ago
|
||
uplift |
![]() |
||
Comment 23•4 years ago
|
||
uplift |
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 24•4 years ago
|
||
I'm trying to reproduce and verify this but I am a bit stuck. In comment 0 at step 4, I should change the path in mozupdate.bat but I don't see that file attached in poc.zip. I figured that it's the same file with mozupdateservicetest.bat but after changing the paths in that file running it does nothing, it just opens a cmd window and closes immediately. Am I missing something?
![]() |
Assignee | |
Comment 25•4 years ago
|
||
That was a typo in the steps. It should be
4.) change the firefox paths in copyloop.bat and mozupdateservicetest.bat to the firefox install location
5.) change the path to the update/0 directory in mozupdateservicetest.bat to your path
6.) start copyloop.bat (this will overwrite the maintenanceservice.exe in the firefox directory with a test.exe during the update) and mozupdateservicetest.bat (will run the update)
So copyloop.bat must be started before mozupdateservicetest.bat
copyloop.bat should have overwritten maintenanceservice.exe in the installation directory which you can verify before running mozupdateservicetest.bat
Hope this helps.
Comment 26•4 years ago
•
|
||
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #25)
That was a typo in the steps. It should be
4.) change the firefox paths in copyloop.bat and mozupdateservicetest.bat to the firefox install location
5.) change the path to the update/0 directory in mozupdateservicetest.bat to your path
6.) start copyloop.bat (this will overwrite the maintenanceservice.exe in the firefox directory with a test.exe during the update) and mozupdateservicetest.bat (will run the update)So copyloop.bat must be started before mozupdateservicetest.bat
copyloop.bat should have overwritten maintenanceservice.exe in the installation directory which you can verify before running mozupdateservicetest.batHope this helps.
Yep it does help, thanks!
I was able to finally reproduce it on a W10 machine, I can see both of the actual results on an affected build (68.0.2):
- the test.exe was copied to <mozilla-maintenance-service-directory>/maintenanceservice_tmp.exe.
- this maintenanceservice_tmp.exe is running as SYSTEM user
I verified that the actual results are not seen on builds that contain the fix (Firefox 69.0 RC, Firefox 68.1.0 esr and Latest Nightly 70.0a1). I'll wait for the official esr60.9 to be built and then I'll verify on it as well.
Comment 27•4 years ago
|
||
Also verified that this is fixed on 60.9esr as well.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Description
•