Bug 770478 - (CVE-2012-3974) Installer runs untrusted program
Status: VERIFIED FIXED
Whiteboard: [advisory-tracking+]
Keywords: sec-moderate
Product: Firefox
Classification: Client Software
Component: Installer
Version: 13 Branch
Platform: x86 Windows Vista
Importance: -- normal
Target Milestone: Firefox 16
Assigned To: Robert Strong [:rstrong] (use needinfo to contact me)
QA Contact: Anthony Hughes (:ashughes) [GFX][QA][Mentor]
Blocks: 773105
Reported: 2012-07-03 05:44 PDT by Masato Kinugawa
Modified: 2012-11-09 18:58 PST
Tracking flags: wontfix, +, verified, verified, 15+, verified


Attachments
patch rev1 (3.33 KB, patch)
2012-07-11 14:21 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
netzen: review+
lukasblakk+bugs: approval-mozilla-beta+
akeybl: approval-mozilla-esr10+

Description Masato Kinugawa 2012-07-03 05:44:51 PDT
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

1. Put a program named "program.exe" in "C:\".
2. Start installing Firefox through the installer. (Select the standard install.)
3. Launch Firefox from "Launch Firefox now".
4. But "program.exe" in "C:\" is run.


Actual results:

The program named "program.exe" in "C:\" is run.


Expected results:

Firefox should be run.
FYI, the Thunderbird installer also has this problem.
Comment 1 Daniel Veditz [:dveditz] 2012-07-05 12:50:21 PDT
This should have been fixed in Firefox 13: bug 748764 (see also http://www.mozilla.org/security/announce/2012/mfsa2012-35.html)

There was a problem where people upgrading (as opposed to installing from scratch) didn't get the fixed version, but that should have been fixed in 13 as well (bug 757711)

If you upgrade to the latest release version (should be 13.0.1 or 13.0.2) do you still see the same symptoms? If you uninstall Firefox completely and then reinstall does that fix the problem? Do you have multiple versions of Firefox installed, some older than Firefox 13 that could be messing with the installed service?
Comment 2 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-07-05 13:49:56 PDT
Adding qawanted to verify the fixed bugs and confirm the steps with a Firefox 12 upgrade.
Comment 3 Masato Kinugawa 2012-07-05 22:13:05 PDT
This problem exists not in the updater but in the installer ( http://ftp.jaist.ac.jp/pub/mozilla.org/firefox/releases/13.0.1/win32/en-US/Firefox%20Setup%2013.0.1.exe ).
Comment 4 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-09 12:37:19 PDT
Has anyone reproduced this?... the code to launch uses the full path.
http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#700

and for the elevated case

http://mxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/installer.nsi#712
Comment 5 Daniel Veditz [:dveditz] 2012-07-11 10:39:11 PDT
Do the quotes in the nsis --Exec "something"-- line get sent to windows, or are those quotes only for purposes of delimiting a string in the nsis language? Without quotes full paths with spaces in the name are vulnerable to this kind of attack (see bug 748764), although I haven't tried this case yet.

Worst case, on a shared windows machine someone else with access to put things in c:\ can possibly get you to run their thing with your privileges. Maybe one limited user trying to get a peek at the files from another limited user when that user installs Firefox into their own user space? A booby trap waiting for the machine Admin to install Firefox (or honestly, most other programs)?

Not a problem for most consumer machines that are single user or shared amongst a family of similarly-privileged users. A family with sneaky kids might be another story, but not a common case.
Comment 6 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-07-11 13:50:46 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> Has anyone reproduced this?

I can reproduce it using the following steps under Windows Vista SP2:
1. Download Firefox 13.0.1
2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
3. Install Firefox 13.0.1 using the standard install
4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> Firefox 16.0a1 installer is initiated
Comment 7 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-11 13:52:30 PDT
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #6)
Thanks Anthony!

> (In reply to Robert Strong [:rstrong] (do not email) from comment #4)
> > Has anyone reproduced this?
> 
> I can reproduce it using the following steps under Windows Vista SP2:
> 1. Download Firefox 13.0.1
> 2. Download Firefox 16.0a1 and copy it to "C:\", rename it to "program.exe"
Just to verify, you meant firefox.exe... right?

> 3. Install Firefox 13.0.1 using the standard install
> 4. Launch Firefox 13.0.1 using "Launch Now" option in the installer
> > Firefox 16.0a1 installer is initiated
Comment 8 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-07-11 13:59:51 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #7)
> Just to verify, you meant firefox.exe... right?

No, I meant "program.exe".
Comment 9 Brian R. Bondy [:bbondy] 2012-07-11 14:01:46 PDT
Ya I'm pretty sure in NSIS you have to double quote your strings to get the desired result.  For example in the maintenance service code we have this:

>  nsExec::Exec '"$INSTDIR\$TempMaintServiceName" install'

Otherwise Windows thinks that C:\Program is the path (if it exists) and the rest are the command line args.
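The mechanism described in comment 5 and comment 9 is the documented CreateProcess search for an unquoted command line: the string is split at each space, ".exe" is appended to tokens without an extension, and the first candidate that exists on disk is executed. The following Python is an added example (not code from this bug or from Mozilla's installer) that models that search, shows that an inner double quote collapses the candidate list to the intended path, and flags Exec-style lines in an NSIS script whose command string lacks inner quoting. The install path, the planted file set and the NSIS fragment are constructed for the example; the NSIS instruction names and the CreateProcess resolution order are real.

```python
import re
from typing import Iterable, List, Optional

# Constructed command line an installer would hand to CreateProcess once NSIS
# strips its own string delimiters (hypothetical install path).
UNQUOTED = r'C:\Program Files\Mozilla Firefox\firefox.exe'
QUOTED = '"' + UNQUOTED + '"'

# Constructed file system: the legitimate executable plus a planted file in C:\.
EXISTING_FILES = {
    r'C:\Program Files\Mozilla Firefox\firefox.exe',
    r'C:\program.exe',
}


def candidate_executables(command_line: str) -> List[str]:
    """Executables CreateProcess tries, in order, when lpApplicationName is
    NULL and the program name is embedded in lpCommandLine. Modelled on the
    documented search: a leading quoted token is used as-is; otherwise the
    string is split at each space and '.exe' is appended to any prefix whose
    last path component has no extension."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:] if end == -1 else s[1:end]]
    tokens = s.split(' ')
    candidates = []
    for i in range(1, len(tokens) + 1):
        path = ' '.join(tokens[:i])
        basename = path.rsplit('\\', 1)[-1]
        if '.' not in basename:
            path += '.exe'
        candidates.append(path)
    return candidates


def resolve(command_line: str, existing: Iterable[str]) -> Optional[str]:
    """First candidate that exists; Windows paths compare case-insensitively."""
    present = {p.lower() for p in existing}
    for cand in candidate_executables(command_line):
        if cand.lower() in present:
            return cand
    return None


# NSIS instructions whose argument becomes a CreateProcess command line
# (ExecShell goes through ShellExecute and is deliberately not matched).
_EXEC_RE = re.compile(
    r'^\s*(?:Exec|ExecWait|nsExec::Exec(?:ToLog|ToStack)?)\s+(?P<arg>\S.*?)\s*$'
)


def unquoted_exec_lines(nsi_source: str) -> List[str]:
    """Return Exec/ExecWait/nsExec lines whose command does not start with an
    inner double quote. NSIS strips its outer delimiters (' " `), so only a
    quote written inside the string ("..." inside '...', or $\\") reaches
    CreateProcess."""
    flagged = []
    for line in nsi_source.splitlines():
        m = _EXEC_RE.match(line)
        if not m:
            continue
        arg = m.group('arg')
        if len(arg) > 1 and arg[0] in '\'"`' and arg.endswith(arg[0]):
            inner = arg[1:-1]  # strip the NSIS string delimiter
        else:
            inner = arg
        if not (inner.startswith('"') or inner.startswith('$\\"')):
            flagged.append(line.strip())
    return flagged


# Constructed NSIS fragment (not Mozilla's installer.nsi): two unsafe launch
# lines and one safe one in the style comment 9 quotes.
SAMPLE_NSI = r'''
Section "Launch"
  Exec "$INSTDIR\firefox.exe"
  ExecWait '$INSTDIR\helper.exe /silent'
  nsExec::Exec '"$INSTDIR\maintenanceservice.exe" install'
SectionEnd
'''

if __name__ == '__main__':
    print('unquoted ->', resolve(UNQUOTED, EXISTING_FILES))
    print('quoted   ->', resolve(QUOTED, EXISTING_FILES))
    for bad in unquoted_exec_lines(SAMPLE_NSI):
        print('command line without inner quotes:', bad)
```

Run stand-alone, the unquoted form resolves to C:\program.exe (the planted file wins because C:\Program.exe is the first candidate tried) while the quoted form resolves to the real firefox.exe, and the checker reports the Exec and ExecWait lines but not the nsExec line. The same candidate model explains why any unquoted path with a space, not only one under Program Files, is exposed.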
Comment 10 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-11 14:02:38 PDT
thanks and duh on me
Comment 11 Brian R. Bondy [:bbondy] 2012-07-11 14:02:45 PDT
C:\ has high integrity level like subfolders of program files though, so to create such an exe you need to be running as a high integrity process.
Comment 12 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-11 14:21:07 PDT
Created attachment 641197 [details] [diff] [review]
patch rev1
Comment 13 Brian R. Bondy [:bbondy] 2012-07-11 17:18:40 PDT
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Review of attachment 641197 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, I tested each case and it seems to be working for me. 
I also checked for other cases in the NSIS files but couldn't find any others.
Comment 14 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-11 17:41:02 PDT
Pushed to fx-team
https://hg.mozilla.org/integration/fx-team/rev/04df150d0cc3
Comment 15 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-17 13:15:53 PDT
Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11 17:40:11 2012 -0700)
http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3
Comment 16 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-19 16:28:30 PDT
[Triage comment]
Enterprises care about this bug more than the average user, please nominate for ESR as well as Beta uplift.
Comment 17 Alex Keybl [:akeybl] 2012-07-26 17:29:19 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #15)
> Pushed to mozilla-central on Wed Jul 11 17:40:11 2012 -0700 (at Wed Jul 11
> 17:40:11 2012 -0700)
> http://hg.mozilla.org/mozilla-central/rev/04df150d0cc3

Can we arrange for uplift to FF15 on beta if deemed low risk? Thanks!
Comment 18 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-26 23:48:51 PDT
Comment on attachment 641197 [details] [diff] [review]
patch rev1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Comment 19 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-26 23:50:00 PDT
Drivers, if this patch is desired for beta I suggest you also take bug 773105
Comment 20 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-27 14:04:11 PDT
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Approving for beta, will this land cleanly on the ESR?  If so, please nominate or let us know if there can be an adjusted fix for that branch since this is something we know is being asked for by our ESR users.
Comment 21 Robert Strong [:rstrong] (use needinfo to contact me) 2012-07-30 13:26:41 PDT
Comment on attachment 641197 [details] [diff] [review]
patch rev1

Bug caused by (feature/regressing bug #): Has been around since the installer rewrite for Firefox 2
User impact if declined: Slight possibility of launching an incorrect executable
Testing completed (on m-c, etc.): on m-c, tested locally.
Risk to taking this patch (and alternatives if risky): very low
String or UUID changes made by this patch: none
Comment 22 Brian R. Bondy [:bbondy] 2012-07-30 14:06:10 PDT
http://hg.mozilla.org/releases/mozilla-esr10/rev/ea1a4b41fcc9

Patch is slightly different, the only change is that it doesn't include the maintenanceservice related quoting.  It doesn't exist on esr10.
Comment 23 Brian R. Bondy [:bbondy] 2012-07-30 14:13:38 PDT
http://hg.mozilla.org/releases/mozilla-beta/rev/bd453c843c21
Comment 24 Brian R. Bondy [:bbondy] 2012-07-30 14:14:33 PDT
Beta push is exactly the same as aurora/nightly by the way.
Comment 25 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-24 16:43:08 PDT
Confirmed reproducible with Firefox 13.0.1.

Verified fixed with:
 * 2012-08-24 Firefox 17.0a1
 * 2012-08-24 Firefox 16.0a2
 * 2012-08-24 Firefox 10.0.7esrpre
 * Firefox 15.0b6
Comment 26 Brian R. Bondy [:bbondy] 2012-09-21 06:56:45 PDT
I asked on irc and Ms2ger mentioned that the target milestone should be set to the version it landed on m-c.  So I'm setting it back to that version.
