Closed Bug 1575289 Opened 5 years ago Closed 5 years ago

Privilege escalation via maintenance service in the wild

Categories

(Toolkit :: Application Update, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1552206
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 69+ fixed
firefox68 + wontfix
firefox69 --- fixed
firefox70 --- fixed

People

(Reporter: dveditz, Unassigned)

Details

(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [patch in bug 1551913][adv-main69-][adv-esr68.1-])

Attachments

(1 file)

We've received a report of an attack in the wild that used the Firefox maintenance service to elevate local permissions as part of a chain of vulnerabilities used to compromise Windows computers. From the description this could be the same or similar to bug 1551913 or bug 1552206 (a TOCTOU issue that can be used to change permissions on other system directories).

The zip archive attachment has the password "infected".

Flags: needinfo?(robert.strong.bugs)

Kirk, could you check if your fix for bug 1551913 also fixes this bug?

Flags: needinfo?(robert.strong.bugs) → needinfo?(ksteuber)

I attempted to reproduce this POC with 4 different maintenance service binaries. The results make me confident that the problem exploited by this POC has indeed been fixed.

Results from an official Nightly binary from before Bug 1551913 merged:
I ran the POC 10 times and it succeeded every time. Run time averaged 391 seconds. Maximum run time seen was 1056 seconds.

Results from a local build of mozilla-central from before Bug 1551913 merged:
I ran the POC 10 times and it succeeded every time. Run time averaged 123 seconds. Maximum run time seen was 261 seconds.

Results from the most recent Nightly binary:
I ran the POC for over 9 hours without success.

Results from a local build of the current mozilla-central:
I ran the POC for over 5 hours without success.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(ksteuber)
Resolution: --- → FIXED
Resolution: FIXED → DUPLICATE

Although the patch is in bug 1551913, this is more properly a dupe of bug 1552206 (whose fix was combined into the patch for bug 1551913).

Depends on: CVE-2019-11736
Whiteboard: [patch in bug 1551913]
Group: firefox-core-security → core-security-release
Whiteboard: [patch in bug 1551913] → [patch in bug 1551913][adv-main69-][adv-esr68.1-]
Group: core-security-release