Closed
Bug 770478
(CVE-2012-3974)
Opened 12 years ago
Closed 12 years ago
Installer runs untrusted program
Categories
(Firefox :: Installer, defect)
Tracking
()
VERIFIED
FIXED
Firefox 16
People
(Reporter: masatokinugawa, Assigned: robert.strong.bugs)
References
Details
(Keywords: sec-moderate, Whiteboard: [advisory-tracking+])
Attachments
(1 file)
3.33 KB,
patch
|
bbondy
:
review+
lsblakk
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901
Steps to reproduce:
1. Put program named of the "program.exe" in "C:\".
2. Start installing through installer of Firefox. (Select standard install.)
3. Launch Firefox from "launched Firefox now".
4. But "program.exe" in "C:\" is run.
Actual results:
The program named of "program.exe" in ":C\" is run.
Expected results:
Firefox should be run.
FYI, also installer of Thunderbird has this problem.
Comment 1•12 years ago
|
||
This should have been fixed in Firefox 13: bug 748764 (see also http://www.mozilla.org/security/announce/2012/mfsa2012-35.html)
There was a problem where people upgrading (as opposed to installing from scratch) didn't get the fixed version, but that should have been fixed in 13 as well (bug 757711)
If you upgrade to the latest release version (should be 13.0.1 or 13.0.2) do you still see the same symptoms? If you uninstall Firefox completely and then reinstall does that fix the problem? Do you have multiple version of Firefox installed, some older than Firefox 13 that could be messing with the installed service?
Adding qawanted to verify the fixed bugs and confirm the steps with a Firefox 12 upgrade.
Keywords: qawanted
Reporter | ||
Comment 3•12 years ago
|
||
This problem exists in not updater but installer( http://ftp.jaist.ac.jp/pub/mozilla.org/firefox/releases/13.0.1/win32/en-US/Firefox%20Setup%2013.0.1.exe ).
Updated•12 years ago
|
Component: Untriaged → Installer
Assignee | ||
Comment 4•12 years ago
|
||
Has anyone reproduced this?... the code to launch uses the full path.
http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#700
and for the elevated case
http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#712
Comment 5•12 years ago
|
||
Do the quotes in the nsis --Exec "something"-- line get sent to windows, or are those quotes only for purposes of delimiting a string in the nsis language? Without quotes full paths with spaces in the name are vulnerable to this kind of attack (see bug 748764), although I haven't tried this case yet.
Worst case, on a shared windows machine someone else with access to put things in c:\ can possibly get you to run their thing with your privileges. Maybe one limited user trying to get a peek at the files from another limited user when that user installs Firefox into their own user space? A booby trap waiting for the machine Admin to install Firefox (or honestly, most other programs)?
Not a problem for most consumer machines that are single user or shared amongst a family of similarly-privileged users. A family with sneaky kids might be another story, but not a common case.
Keywords: sec-moderate
(In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> Has anyone reproduced this?
I can reproduce it using the following steps under Windows Vista SP2:
1. Download Firefox 13.0.1
2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
3. Install Firefox 13.0.1 using the standard install
4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> Firefox 16.0a1 installer is initiated
Assignee | ||
Comment 7•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #6)
Thanks Anthony!
> (In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> > Has anyone reproduced this?
>
> I can reproduce it using the following steps under Windows Vista SP2:
> 1. Download Firefox 13.0.1
> 2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
Just to verify, you meant firefox.exe... right?
> 3. Install Firefox 13.0.1 using the standard install
> 4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> > Firefox 16.0a1 installer is initiated
(In reply to Robert Strong [:rstrong] (do not email) from comment #7)
> Just to verify, you meant firefox.exe... right?
No, I meant "program.exe".
Comment 9•12 years ago
|
||
Ya I'm pretty sure in NSIS you have to double quote your strings to get the desired result. For example in the maintenance service code we have this:
> nsExec::Exec '"$INSTDIR\$TempMaintServiceName" install'
Otherwise windows thinks that C:\Program is the path (if it exists) and the rest are the command line args.
Assignee | ||
Comment 10•12 years ago
|
||
thanks and duh on me
Comment 11•12 years ago
|
||
C:\ has high integrity level like subfolders of program files though, so to create such an exe you need to be running as a high integrity process.
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → robert.bugzilla
Assignee | ||
Comment 12•12 years ago
|
||
Attachment #641197 -
Flags: review?(netzen)
Comment 13•12 years ago
|
||
Comment on attachment 641197 [details] [diff] [review]
patch rev1
Review of attachment 641197 [details] [diff] [review]:
-----------------------------------------------------------------
Looks good, I tested each case and it seems to be working for me.
I also checked for other cases in the NSIS files but couldn't find any others.
Attachment #641197 -
Flags: review?(netzen) → review+
Assignee | ||
Comment 14•12 years ago
|
||
Pushed to fx-team
https://hg.mozilla.org/integration/fx-team/rev/04df150d0cc3
Whiteboard: [fixed-in-fx-team]
Assignee | ||
Updated•12 years ago
|
Attachment #641197 -
Attachment description: patch rev1 - untested → patch rev1
Updated•12 years ago
|
Target Milestone: --- → Firefox 16
Updated•12 years ago
|
status-firefox-esr10:
--- → affected
status-firefox14:
--- → wontfix
status-firefox15:
--- → affected
status-firefox16:
--- → fixed
tracking-firefox-esr10:
--- → ?
tracking-firefox15:
--- → +
Assignee | ||
Comment 15•12 years ago
|
||
Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11 17:40:11 2012 -0700)
http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Updated•12 years ago
|
Whiteboard: [qa+]
Comment 16•12 years ago
|
||
[Triage comment]
Enterprises care about this bug more than the average user, please nominate for ESR as well as Beta uplift.
Comment 17•12 years ago
|
||
(In reply to Robert Strong [:rstrong] (do not email) from comment #15)
> Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11
> 17:40:11 2012 -0700)
> http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3
Can we arrange for uplift to FF15 on beta if deemed low risk? Thanks!
Assignee | ||
Comment 18•12 years ago
|
||
Comment on attachment 641197 [details] [diff] [review]
patch rev1
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Attachment #641197 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 19•12 years ago
|
||
Drivers, if this patch is desired for beta I suggest you also take bug 773105
Comment 20•12 years ago
|
||
Comment on attachment 641197 [details] [diff] [review]
patch rev1
Approving for beta, will this land cleanly on the ESR? If so, please nominate or let us know if there can be an adjusted fix for that branch since this is something we know is being asked for by our ESR users.
Attachment #641197 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee | ||
Comment 21•12 years ago
|
||
Comment on attachment 641197 [details] [diff] [review]
patch rev1
Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Attachment #641197 -
Flags: approval-mozilla-esr10?
Updated•12 years ago
|
Attachment #641197 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Comment 22•12 years ago
|
||
http://hg.mozilla.org/releases/mozilla-esr10/rev/ea1a4b41fcc9
Patch is slightly different, the only change is that it doesn't include the maintenanceservice related quoting. It doesn't exist on esr10.
Comment 23•12 years ago
|
||
Comment 24•12 years ago
|
||
Beta push is exactly the same as aurora/nightly by the way.
Assignee | ||
Updated•12 years ago
|
Target Milestone: Firefox 16 → Firefox 15
Updated•12 years ago
|
Whiteboard: [qa+] → [qa+][advisory-tracking+]
Updated•12 years ago
|
Alias: CVE-2012-3974
Keywords: verifyme
Whiteboard: [qa+][advisory-tracking+] → [advisory-tracking+]
Comment 25•12 years ago
|
||
Confirmed reproducible with Firefox 13.0.1.
Verified fixed with:
* 2012-08-24 Firefox 17.0a1
* 2012-08-24 Firefox 16.0a2
* 2012-08-24 Firefox 10.0.7esrpre
* Firefox 15.0b6
Comment 26•12 years ago
|
||
I asked on irc and Ms2ger mentioned that the target milestone should be set to the version it landed on m-c. So I'm setting it back to that version.
Target Milestone: Firefox 15 → Firefox 16
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•