Privilege escalation via maintenance service in the wild
Categories
(Toolkit :: Application Update, defect)
People
(Reporter: dveditz, Unassigned)
Details
(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [patch in bug 1551913][adv-main69-][adv-esr68.1-])
Attachments
(1 file: 203.72 KB, application/zip)
We've received a report of an attack in the wild that used the Firefox maintenance service to elevate local permissions as part of a chain of vulnerabilities used to compromise Windows computers. From the description this could be the same or similar to bug 1551913 or bug 1552206 (a TOCTOU issue that can be used to change permissions on other system directories).
The zip archive attachment has the password "infected".
Comment 1 • 6 years ago
Kirk, could you check if your fix for bug 1551913 also fixes this bug?
Comment 2 • 6 years ago
I attempted to reproduce this POC with 4 different maintenance service binaries. The results make me confident that the problem exploited by this POC has indeed been fixed.
Results from an official Nightly binary from before Bug 1551913 merged:
I ran the POC 10 times and it succeeded every time. Run time averaged 391 seconds. Maximum run time seen was 1056 seconds.
Results from a local build of mozilla-central from before Bug 1551913 merged:
I ran the POC 10 times and it succeeded every time. Run time averaged 123 seconds. Maximum run time seen was 261 seconds.
Results from the most recent Nightly binary:
I ran the POC for over 9 hours without success.
Results from a local build of the current mozilla-central:
I ran the POC for over 5 hours without success.
Comment 4 • 6 years ago (Reporter)
Although the patch is in bug 1551913, this is more properly a dupe of bug 1552206 (whose fix was combined into the patch for bug 1551913).