The default bug view has changed. See this FAQ.
Bug 770478 (CVE-2012-3974)

Installer runs untrusted program

VERIFIED FIXED in Firefox 15

Status

()

Firefox
Installer
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: Masato Kinugawa, Assigned: rstrong)

Tracking

({sec-moderate})

13 Branch
Firefox 16
x86
Windows Vista
sec-moderate
Points:
---

Firefox Tracking Flags

(firefox14 wontfix, firefox15+ verified, firefox16 verified, firefox-esr1015+ verified)

Details

(Whiteboard: [advisory-tracking+])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

1. Put program named of the "program.exe" in "C:\".
2. Start installing through installer of Firefox. (Select standard install.)
3. Launch Firefox from "launched Firefox now".
4. But "program.exe" in "C:\" is run.


Actual results:

The program named of "program.exe" in ":C\" is run.


Expected results:

Firefox should be run.
FYI, also installer of Thunderbird has this problem.
This should have been fixed in Firefox 13: bug 748764 (see also http://www.mozilla.org/security/announce/2012/mfsa2012-35.html)

There was a problem where people upgrading (as opposed to installing from scratch) didn't get the fixed version, but that should have been fixed in 13 as well (bug 757711)

If you upgrade to the latest release version (should be 13.0.1 or 13.0.2) do you still see the same symptoms? If you uninstall Firefox completely and then reinstall does that fix the problem? Do you have multiple version of Firefox installed, some older than Firefox 13 that could be messing with the installed service?
Adding qawanted to verify the fixed bugs and confirm the steps with a Firefox 12 upgrade.
Keywords: qawanted
(Reporter)

Comment 3

5 years ago
This problem exists in not updater but installer( http://ftp.jaist.ac.jp/pub/mozilla.org/firefox/releases/13.0.1/win32/en-US/Firefox%20Setup%2013.0.1.exe ).

Updated

5 years ago
Component: Untriaged → Installer
Has anyone reproduced this?... the code to launch uses the full path.
http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#700

and for the elevated case

http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#712
Do the quotes in the nsis --Exec "something"-- line get sent to windows, or are those quotes only for purposes of delimiting a string in the nsis language? Without quotes full paths with spaces in the name are vulnerable to this kind of attack (see bug 748764), although I haven't tried this case yet.

Worst case, on a shared windows machine someone else with access to put things in c:\ can possibly get you to run their thing with your privileges. Maybe one limited user trying to get a peek at the files from another limited user when that user installs Firefox into their own user space? A booby trap waiting for the machine Admin to install Firefox (or honestly, most other programs)?

Not a problem for most consumer machines that are single user or shared amongst a family of similarly-privileged users. A family with sneaky kids might be another story, but not a common case.
Keywords: sec-moderate
(In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> Has anyone reproduced this?

I can reproduce it using the following steps under Windows Vista SP2:
1. Download Firefox 13.0.1
2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
3. Install Firefox 13.0.1 using the standard install
4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> Firefox 16.0a1 installer is initiated
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: qawanted
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #6)
Thanks Anthony!

> (In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> > Has anyone reproduced this?
> 
> I can reproduce it using the following steps under Windows Vista SP2:
> 1. Download Firefox 13.0.1
> 2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
Just to verify, you meant firefox.exe... right?

> 3. Install Firefox 13.0.1 using the standard install
> 4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> > Firefox 16.0a1 installer is initiated
(In reply to Robert Strong [:rstrong] (do not email) from comment #7)
> Just to verify, you meant firefox.exe... right?

No, I meant "program.exe".
Ya I'm pretty sure in NSIS you have to double quote your strings to get the desired result.  For example in the maintenance service code we have this:

>  nsExec::Exec '"$INSTDIR\$TempMaintServiceName" install'

Otherwise windows thinks that C:\Program is the path (if it exists) and the rest are the command line args.
thanks and duh on me
C:\ has high integrity level like subfolders of program files though, so to create such an exe you need to be running as a high integrity process.
Assignee: nobody → robert.bugzilla
Created attachment 641197 [details] [diff] [review]
patch rev1
Attachment #641197 - Flags: review?(netzen)
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Review of attachment 641197 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, I tested each case and it seems to be working for me. 
I also checked for other cases in the NSIS files but couldn't find any others.
Attachment #641197 - Flags: review?(netzen) → review+
Blocks: 773105
Pushed to fx-team
https://hg.mozilla.org/integration/fx-team/rev/04df150d0cc3
Whiteboard: [fixed-in-fx-team]
Attachment #641197 - Attachment description: patch rev1 - untested → patch rev1
Target Milestone: --- → Firefox 16
status-firefox-esr10: --- → affected
status-firefox14: --- → wontfix
status-firefox15: --- → affected
status-firefox16: --- → fixed
tracking-firefox-esr10: --- → ?
tracking-firefox15: --- → +
Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11 17:40:11 2012 -0700)
http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]

Updated

5 years ago
Whiteboard: [qa+]
[Triage comment]
Enterprises care about this bug more than the average user, please nominate for ESR as well as Beta uplift.
tracking-firefox-esr10: ? → 15+
(In reply to Robert Strong [:rstrong] (do not email) from comment #15)
> Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11
> 17:40:11 2012 -0700)
> http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3

Can we arrange for uplift to FF15 on beta if deemed low risk? Thanks!
Comment on attachment 641197 [details] [diff] [review]
patch rev1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Attachment #641197 - Flags: approval-mozilla-beta?
Drivers, if this patch is desired for beta I suggest you also take bug 773105
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Approving for beta, will this land cleanly on the ESR?  If so, please nominate or let us know if there can be an adjusted fix for that branch since this is something we know is being asked for by our ESR users.
Attachment #641197 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Attachment #641197 - Flags: approval-mozilla-esr10?

Updated

5 years ago
Attachment #641197 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
http://hg.mozilla.org/releases/mozilla-esr10/rev/ea1a4b41fcc9

Patch is slightly different, the only change is that it doesn't include the maintenanceservice related quoting.  It doesn't exist on esr10.
status-firefox-esr10: affected → fixed
http://hg.mozilla.org/releases/mozilla-beta/rev/bd453c843c21
status-firefox15: affected → fixed
Beta push is exactly the same as aurora/nightly by the way.
Target Milestone: Firefox 16 → Firefox 15
Whiteboard: [qa+] → [qa+][advisory-tracking+]
Alias: CVE-2012-3974
Keywords: verifyme
Whiteboard: [qa+][advisory-tracking+] → [advisory-tracking+]
Confirmed reproducible with Firefox 13.0.1.

Verified fixed with:
 * 2012-08-24 Firefox 17.0a1
 * 2012-08-24 Firefox 16.0a2
 * 2012-08-24 Firefox 10.0.7esrpre
 * Firefox 15.0b6
Status: RESOLVED → VERIFIED
status-firefox-esr10: fixed → verified
status-firefox15: fixed → verified
status-firefox16: fixed → verified
Keywords: verifyme
QA Contact: anthony.s.hughes
I asked on irc and Ms2ger mentioned that the target milestone should be set to the version it landed on m-c.  So I'm setting it back to that version.
Target Milestone: Firefox 15 → Firefox 16
Group: core-security
You need to log in before you can comment on or make changes to this bug.