Closed Bug 770478 (CVE-2012-3974) Opened 12 years ago Closed 12 years ago

Installer runs untrusted program

Categories

(Firefox :: Installer, defect)

13 Branch
x86
Windows Vista
defect
Not set
normal

Tracking

()

VERIFIED FIXED
Firefox 16
Tracking Status
firefox14 --- wontfix
firefox15 + verified
firefox16 --- verified
firefox-esr10 15+ verified

People

(Reporter: masatokinugawa, Assigned: robert.strong.bugs)

References

Details

(Keywords: sec-moderate, Whiteboard: [advisory-tracking+])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1 Build ID: 20120614114901 Steps to reproduce: 1. Put program named of the "program.exe" in "C:\". 2. Start installing through installer of Firefox. (Select standard install.) 3. Launch Firefox from "launched Firefox now". 4. But "program.exe" in "C:\" is run. Actual results: The program named of "program.exe" in ":C\" is run. Expected results: Firefox should be run. FYI, also installer of Thunderbird has this problem.
This should have been fixed in Firefox 13: bug 748764 (see also http://www.mozilla.org/security/announce/2012/mfsa2012-35.html) There was a problem where people upgrading (as opposed to installing from scratch) didn't get the fixed version, but that should have been fixed in 13 as well (bug 757711) If you upgrade to the latest release version (should be 13.0.1 or 13.0.2) do you still see the same symptoms? If you uninstall Firefox completely and then reinstall does that fix the problem? Do you have multiple version of Firefox installed, some older than Firefox 13 that could be messing with the installed service?
Adding qawanted to verify the fixed bugs and confirm the steps with a Firefox 12 upgrade.
Keywords: qawanted
Component: Untriaged → Installer
Do the quotes in the nsis --Exec "something"-- line get sent to windows, or are those quotes only for purposes of delimiting a string in the nsis language? Without quotes full paths with spaces in the name are vulnerable to this kind of attack (see bug 748764), although I haven't tried this case yet. Worst case, on a shared windows machine someone else with access to put things in c:\ can possibly get you to run their thing with your privileges. Maybe one limited user trying to get a peek at the files from another limited user when that user installs Firefox into their own user space? A booby trap waiting for the machine Admin to install Firefox (or honestly, most other programs)? Not a problem for most consumer machines that are single user or shared amongst a family of similarly-privileged users. A family with sneaky kids might be another story, but not a common case.
Keywords: sec-moderate
(In reply to Robert Strong [:rstrong] (do not email) from comment #4) > Has anyone reproduced this? I can reproduce it using the following steps under Windows Vista SP2: 1. Download Firefox 13.0.1 2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe" 3. Install Firefox 13.0.1 using the standard install 4. Launch Firefox 13.0.1 using "Launch Now" option in the installer > Firefox 16.0a1 installer is initiated
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: qawanted
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #6) Thanks Anthony! > (In reply to Robert Strong [:rstrong] (do not email) from comment #4) > > Has anyone reproduced this? > > I can reproduce it using the following steps under Windows Vista SP2: > 1. Download Firefox 13.0.1 > 2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe" Just to verify, you meant firefox.exe... right? > 3. Install Firefox 13.0.1 using the standard install > 4. Launch Firefox 13.0.1 using "Launch Now" option in the installer > > Firefox 16.0a1 installer is initiated
(In reply to Robert Strong [:rstrong] (do not email) from comment #7) > Just to verify, you meant firefox.exe... right? No, I meant "program.exe".
Ya I'm pretty sure in NSIS you have to double quote your strings to get the desired result. For example in the maintenance service code we have this: > nsExec::Exec '"$INSTDIR\$TempMaintServiceName" install' Otherwise windows thinks that C:\Program is the path (if it exists) and the rest are the command line args.
thanks and duh on me
C:\ has high integrity level like subfolders of program files though, so to create such an exe you need to be running as a high integrity process.
Assignee: nobody → robert.bugzilla
Attached patch patch rev1Splinter Review
Attachment #641197 - Flags: review?(netzen)
Comment on attachment 641197 [details] [diff] [review] patch rev1 Review of attachment 641197 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, I tested each case and it seems to be working for me. I also checked for other cases in the NSIS files but couldn't find any others.
Attachment #641197 - Flags: review?(netzen) → review+
Blocks: 773105
Whiteboard: [fixed-in-fx-team]
Attachment #641197 - Attachment description: patch rev1 - untested → patch rev1
Target Milestone: --- → Firefox 16
Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11 17:40:11 2012 -0700) http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Whiteboard: [qa+]
[Triage comment] Enterprises care about this bug more than the average user, please nominate for ESR as well as Beta uplift.
(In reply to Robert Strong [:rstrong] (do not email) from comment #15) > Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11 > 17:40:11 2012 -0700) > http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3 Can we arrange for uplift to FF15 on beta if deemed low risk? Thanks!
Comment on attachment 641197 [details] [diff] [review] patch rev1 [Approval Request Comment] Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2 User impact if declined: Slight possibility of launching an incorrect executable Testing completed (on m-c, etc.): on m-c, tested locally. Risk to taking this patch (and alternatives if risky): very low String or UUID changes made by this patch: none
Attachment #641197 - Flags: approval-mozilla-beta?
Drivers, if this patch is desired for beta I suggest you also take bug 773105
Comment on attachment 641197 [details] [diff] [review] patch rev1 Approving for beta, will this land cleanly on the ESR? If so, please nominate or let us know if there can be an adjusted fix for that branch since this is something we know is being asked for by our ESR users.
Attachment #641197 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 641197 [details] [diff] [review] patch rev1 Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2 User impact if declined: Slight possibility of launching an incorrect executable Testing completed (on m-c, etc.): on m-c, tested locally. Risk to taking this patch (and alternatives if risky): very low String or UUID changes made by this patch: none
Attachment #641197 - Flags: approval-mozilla-esr10?
Attachment #641197 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
http://hg.mozilla.org/releases/mozilla-esr10/rev/ea1a4b41fcc9 Patch is slightly different, the only change is that it doesn't include the maintenanceservice related quoting. It doesn't exist on esr10.
Beta push is exactly the same as aurora/nightly by the way.
Target Milestone: Firefox 16 → Firefox 15
Whiteboard: [qa+] → [qa+][advisory-tracking+]
Alias: CVE-2012-3974
Keywords: verifyme
Whiteboard: [qa+][advisory-tracking+] → [advisory-tracking+]
Confirmed reproducible with Firefox 13.0.1. Verified fixed with: * 2012-08-24 Firefox 17.0a1 * 2012-08-24 Firefox 16.0a2 * 2012-08-24 Firefox 10.0.7esrpre * Firefox 15.0b6
Status: RESOLVED → VERIFIED
Keywords: verifyme
QA Contact: anthony.s.hughes
I asked on irc and Ms2ger mentioned that the target milestone should be set to the version it landed on m-c. So I'm setting it back to that version.
Target Milestone: Firefox 15 → Firefox 16
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: