Last Comment Bug 854088 - (CVE-2013-1673) old MozillaMaintenance Service registry entry not updated, leads to Trusted Path Privilege Escalation
(CVE-2013-1673)
: old MozillaMaintenance Service registry entry not updated, leads to Trusted P...
Status: RESOLVED FIXED
[adv-main21+]
: csectype-priv-escalation, sec-high
Product: Toolkit
Classification: Components
Component: Application Update (show other bugs)
: 19 Branch
: x86_64 Windows 7
: -- normal (vote)
: mozilla23
Assigned To: Brian R. Bondy [:bbondy]
:
Mentors:
: 869452 (view as bug list)
Depends on: 857397
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-23 04:36 PDT by Robert Kugler
Modified: 2014-07-24 16:09 PDT (History)
11 users (show)
abillings: sec‑bounty+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
wontfix
wontfix
+
fixed
+
fixed
fixed
unaffected
unaffected
unaffected


Attachments
payload.zip (7.16 KB, application/java-archive)
2013-03-23 04:36 PDT, Robert Kugler
no flags Details
Patch v1. (2.04 KB, patch)
2013-04-01 07:57 PDT, Brian R. Bondy [:bbondy]
robert.strong.bugs: review+
akeybl: approval‑mozilla‑aurora+
bajaj.bhavana: approval‑mozilla‑beta+
akeybl: approval‑mozilla‑esr17-
abillings: sec‑approval+
Details | Diff | Review

Description Robert Kugler 2013-03-23 04:36:52 PDT
Created attachment 728607 [details]
payload.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130307023931

Steps to reproduce:

Steps to reproduce:
1. Copy calc.exe to C:\program.exe or C:\Program Files (x86)\mozilla.exe. You can also use my payload (attached).
2. Start MozillaMaintenance using the service manager or the command-line.
3. calc.exe (program.exe - mozilla.exe) will be run with SYSTEM privileges



Actual results:

The malicious executable was executed with SYSTEM privileges!


Expected results:

The service executable shouldn't run program.exe (C:\program.exe) or mozilla.exe (C:\Program Files (x86)\mozilla.exe). Although you need to be running as a high integrity process to create files in the root directory and its subfolders you could use this vulnerability to escalate your privileges or to automatically re-compromise the target in the future (with SYSTEM privileges)!
Comment 1 Daniel Veditz [:dveditz] 2013-03-24 23:40:07 PDT
launching using non-absolute/non-quoted strings again?
Comment 2 Robert Kugler 2013-03-25 10:46:21 PDT
Today I tested this bug with another machine. 
I installed Firefox with the latest installer.
Windows 7 64bit SP1 / Firefox 19.0.2 / Mozilla Maintenance Service 19.0.2 (x86 en-US)

[SC] QueryServiceConfig ERFOLG

SERVICE_NAME: MozillaMaintenance
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Mozilla Maintenance Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

This machine isn't exploitable...
It seems like the latest version isn't vulnerable, but then there's some mysterious behaviour on my first test machine!!

Windows 7 64bit SP1 / Firefox 19.0.2 / Mozilla Maintenance Service 19.0.2 (x86 en-US)

[SC] QueryServiceConfig ERFOLG

SERVICE_NAME: MozillaMaintenance
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : Mozilla Maintenance Service
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

You see the "" are missing, this machine is exploitable!! Everything is up-to-date and patched the only differency is that I didn't do a fresh install with the latest installer.

Did you fix this vulnerability in the last months?! It's strange that my machine missed this patch isn't it??

Sorry that I opened a bug report for this curiosity!
Comment 3 Daniel Veditz [:dveditz] 2013-03-25 16:17:13 PDT
hm... this sounds like bug 748764, fixed in Firefox 13. Could your first installation have been installed between Firefox 10 and 12?. I guess that's why it sounded like an old problem coming back to haunt us.
Comment 4 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2013-03-25 17:43:30 PDT
assigned to freddy for verification
Comment 5 Robert Kugler 2013-03-26 00:03:26 PDT
Comment 3:
This could be! But both installations are patched and up-to-date...
How can a user know if his installation is really secure or vulnerable? 
Only new installations are not exploitabe but "old" ones are! So a long installed and updated Firefox is less secure than a fresh installation?
Comment 6 Frederik Braun [:freddyb] 2013-03-26 01:13:47 PDT
Could not reproduce. So the real issue is that we do not update the Mozilla Maintenance Service?
Comment 7 Robert Kugler 2013-03-26 10:09:22 PDT
Comment 6:
Yep, updating the Maintenance Service would solve this problem! 
I don't know but I think the majority of the users is rather using the auto-update than reinstalling Firefox every time. They'll remain vulnerable to a fixed security issue!
Comment 8 Daniel Veditz [:dveditz] 2013-03-26 16:31:37 PDT
Robert (Kugler): do you still have the vulnerable installation? If so you can check it's version using window explorer (right-click, pick Properties). I bet the service itself may be up to date (the updater can replace files) but possibly only the initial installer knows how to update the registry entry that needs the quotes.

Freddy: the way to reproduce (if my theory is correct) is to install a Firefox 12 version (which has bug 748764) and then let it update to the latest. You may need to fully uninstall Firefox first to make sure you get rid of any currently-installed service (and I do mean uninstall so that registry clean-up is done, don't just nuke the files).

Robert (Strong): is this a known problem? If my theory is correct could we patch the maintenance service so that new versions know to check/fix their registry entries?
Comment 9 Robert Kugler 2013-03-27 01:41:16 PDT
Daniel Veditz: I checked its version: 19.0.2.4814. The service is up-to-date! I was able to reproduce this issue on Vista 32bit SP2. Your theory is correct, only the initial installer knows how to update the registry entry that needs the quotes.
Comment 10 Robert Strong [:rstrong] (use needinfo to contact me) 2013-03-27 01:53:46 PDT
(In reply to Daniel Veditz [:dveditz] from comment #8)
>...
> Robert (Strong): is this a known problem? If my theory is correct could we
> patch the maintenance service so that new versions know to check/fix their
> registry entries?
Not known. The post update helper should fix the registry entries after an update and this appears to not be the case. I'll take a look.
Comment 11 Frederik Braun [:freddyb] 2013-03-27 02:55:13 PDT
(In reply to Daniel Veditz [:dveditz] from comment #8)
> Freddy: the way to reproduce (if my theory is correct) is to install a
> Firefox 12 version (which has bug 748764) and then let it update to the
> latest. You may need to fully uninstall Firefox first to make sure you get
> rid of any currently-installed service (and I do mean uninstall so that
> registry clean-up is done, don't just nuke the files).

I uninstalled, installed Firefox 12 and performed an auto-update but couldn't reproduce.
This happened on a test vm, since I'm not really a windows user. Just to make sure, I performed a reboot between every step ;)
Comment 12 Robert Kugler 2013-03-27 04:29:42 PDT
mmh...that's odd! Same installer behaviour on Windows 7 SP1 64bit!
It's reproducible for me on Vista and Windows 7.

My steps to reproduce:
1. Downloading and installing Firefox 12 (http://www.mozilla.org/de/download/?product=firefox-12.0&os=win&lang=de)
2.Starting the browser to let it download the update. 
3.Then exit and restart the browser to let it install the latest version.
4.Now check the version of the service. It should be up-to-date. 
  You'll see the quotes are missing!
5.Copy exploit.exe (payload.zip) to C:\program.exe and start the service: 
  sc start MozillaMaintenance
6.A new user is added to the Administrator group!
Comment 13 Daniel Veditz [:dveditz] 2013-03-29 11:44:27 PDT
Just checked my own development machine and the maintenance service path is unquoted still after 6 releases worth of Nightly, Aurora, ESR, etc. updates. Pretty sure I must have run the installer since Fx13 (for ESR-17 if nothing else) so it looks like the installer doesn't fix up an old maint-svc reg entry either.

This attack requires local access so if the user is privileged then it's not adding any risk. The interesting case is when the user is _not_ privileged, but can still write to c:\ for some reason -- this then allows that user to elevate their privilege on the local machine. As argued in bug 748764 this does happen in some cases, although arguably any admin that allows that has already weakened the system's security.

I'm torn between sec-moderate and sec-high. We rated bug 830134 as sec-high, though an attacker has more opportunity to inject using that bug (directory of their choosing).
Comment 14 Robert Strong [:rstrong] (use needinfo to contact me) 2013-03-29 12:52:00 PDT
Dan, is your dev system a VM as well? Is your user account a member of the admin group?
Comment 15 Robert Kugler 2013-03-29 13:27:39 PDT
Enabling write access to C:\ is not the best idea to secure your
system, but unfortunately not every user knows what he is doing by
enabling write access! 
As described here: http://www.wipethedrive.com/WTD-detail.pdf an attacker could gain
persistent access on a infected machine. The Maintenance Service 
starts on demand so the attacker needs to wait 6 weeks until there is a new Firefox version to get his reverse shell or reinfection.

Robert Strong:
I could reproduce it without a VM. My user accounts are both members of the admin group.
Comment 16 Brian R. Bondy [:bbondy] 2013-03-29 17:43:03 PDT
I thought we were already handling the case to fixup old installs during that period but it seems like we are not. I think I was thinking of this function:
http://dxr.mozilla.org/mozilla-central/toolkit/components/maintenanceservice/serviceinstall.cpp#l183

To fix we can just tweak doesServiceHaveCorrectPath to be false when there are no quotes found in the string.

I would probably set this is sec-moderate because you need admin access to write to c:\ and so this can't be exploited widely.  Also if you have a program named program.exe on your computer it will surely be run eventually by something on your machine as high integrity and which therefore implies as SYSTEM (since a high integrity account can create a service as system and run it).  I agree someone can set c: as writable but this is probably very rare overall.
Comment 17 Brian R. Bondy [:bbondy] 2013-03-29 20:47:57 PDT
Have to do some other updater work so I might as well take this.
Comment 18 Robert Kugler 2013-03-30 01:19:35 PDT
Brian R.Bondy:
This bug isn't widely exploitable, but there are some
scenarios where this vulnerability could be used by an attacker.
1. When you compromise an Administrative user with a client-side attack you'll have write 
access to C:\. Create a mozilla.exe in Program Files and start the service.
   Privilege escalation and a "stealth" persistence (every 6 weeks backdoor) are possible.
2. The user isn't a member of the Adminstrator group but has granted write
   access to C:\. 
   Privilege escalation and persistence are possible.
Comment 19 Brian R. Bondy [:bbondy] 2013-03-30 05:28:37 PDT
For #1 do you mean physically on the machine? 
If you are physically on the machine logged in as administrator yes you can copy a file to C: by hitting the UAC confirmation dialog.  But you can also right click on anything you want and select run as administrator and you have complete access.

If you are malware running as an administrative user you will not be able to though because it requires the malware to elevate itself first.  And if they are elevated malware they can simply run whatever code they want without the service at the same level. admin->system account is trivial in code.

I think #2 is valid but not #1, let me know if I missed something though.
Comment 20 Robert Kugler 2013-03-30 09:28:49 PDT
Brian R. Bondy: 
When someone has physically access to your computer he doesn't need a Firefox privilege escalation vulnerability. He can simply boot a Linux live CD to copy sensitive data or he can manipulate the sticky key function and reboot.
Physical access is a security nightmare!

Scenario 1:
If the attacker compromised the local administrator account (disabled by default in Windows 7 and Vista) his malware is able to copy files to C:\ or C:\Program Files without any UAC prompt.
You're right it's too much effort when your malware is already elevated you can just create a service running with SYSTEM privileges and start it, although creating services isn't smart when you want to stay undetected. 
Okay privilege escalation isn't absolutely necessary in this case but what about the "relative stealth" persistence or automacilly re-compromise? A mozilla.exe in C:\Program Files isn't as suspicious as a startup registry key with a random name! The attacker won't have the opportunity to gain access to the machine every day, but he can be sure that his mozilla.exe will connect back to his C&C server at least every 6 weeks.
Comment 21 Brian R. Bondy [:bbondy] 2013-03-30 10:37:16 PDT
(In reply to Robert Kugler from comment #20)
> Brian R. Bondy: 
> When someone has physically access to your computer he doesn't need a
> Firefox privilege escalation vulnerability. 

Yup I was also arguing the same conclusion.

> 
> Scenario 1:
> If the attacker compromised the local administrator account (disabled by
> default in Windows 7 and Vista) his malware is able to copy files to C:\ or
> C:\Program Files without any UAC prompt.

Does the local administrator account which is disabled have UAC disabled by default?  

> You're right it's too much effort when your malware is already elevated you
> can just create a service running with SYSTEM privileges and start it,
> although creating services isn't smart when you want to stay undetected. 

That's just an example, you can modify an existing service's bin path or keep the bin path and replace an already existing service with your executable.  You can have a driver that doesn't even show up in your services list etc.

> Okay privilege escalation isn't absolutely necessary in this case but what
> about the "relative stealth" persistence or automacilly re-compromise? A
> mozilla.exe in C:\Program Files isn't as suspicious as a startup registry
> key with a random name! The attacker won't have the opportunity to gain
> access to the machine every day, but he can be sure that his mozilla.exe
> will connect back to his C&C server at least every 6 weeks.

I'm confident that one time high elevation means you can have forever high elevation in a variety of ways.  For example using an existing service with a modified binary or driver undetected.

---

I think this boils down to an attack for the people that make their c: writable without elevation.  Still a great report though and thank you for posting it!
Comment 22 Robert Kugler 2013-03-30 16:21:47 PDT
Brian R. Bondy:
"Does the local administrator account which is disabled have UAC disabled by default?"
Exactly, the built-in Administrator account runs all applications with full administrative privilege (default).

I think it would be sec-moderate when there wouldn't be so much
users who are so careless to enable write access to C:\.
When you google "enable write access to C:\" you'll find 
quite a lot forum posts!
"...on a vanilla Windows box it should not be possible to write a file to either C:\ or C:\program files, few people have vanilla configurations. I have seen users, admins and OEMs break these security principles before now. You can only really be reasonably confident in the directories you yourself created, not anything else on the file system."
James Forshaw (bug 748764)

Although it isn't widely exploitable it's a dangerous security risk under special
circumstances!
Comment 23 Brian R. Bondy [:bbondy] 2013-04-01 07:57:51 PDT
Created attachment 731874 [details] [diff] [review]
Patch v1.
Comment 24 Brian R. Bondy [:bbondy] 2013-04-01 08:08:35 PDT
Comment on attachment 731874 [details] [diff] [review]
Patch v1.

Requesting approval for mozilla-central landing and pushing to try server.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
- Flaw only affects people with writable C:\
- Flag only affects people who first installed with (I think these versions) Mozilla12 and Mozilla13.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes.

Which older supported branches are affected by this flaw?
Only applicable if user first installed on (I think these versions) Mozilla12 or Mozilla13 

If not all supported branches, which bug introduced the flaw?
The flaw is not fixing an old problem, but newer installs do not have the problem at all.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Same code for older/other branches can be applied.

How likely is this patch to cause regressions; how much testing does it need?
Low chance of regressions.
Comment 25 Robert Strong [:rstrong] (use needinfo to contact me) 2013-04-01 10:54:14 PDT
Comment on attachment 731874 [details] [diff] [review]
Patch v1.

This should do it.
Comment 26 Brian R. Bondy [:bbondy] 2013-04-01 10:56:22 PDT
Tested already by the way with a v12 installed with the unquoted path and doing a new local install fixes it. Upgrade process follows same logic.  I'll test an upgrade though on oak before landing on m-c along with the other bug.
Comment 29 Phil Ringnalda (:philor) 2013-04-06 18:01:19 PDT
https://hg.mozilla.org/mozilla-central/rev/9e6fe353c9b4
Comment 30 Brian R. Bondy [:bbondy] 2013-04-08 07:23:19 PDT
Comment on attachment 731874 [details] [diff] [review]
Patch v1.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-hig

User impact if declined: 
If an admin of a computer has went out of his way to make his c: writable, and then a low integrity process is running, it can obtain high integrity access.  That is if Firefox 12 (and 13?) was installed originally. Later versions of Firefox do not have this bug.

Fix Landed on Version:
v23

Risk to taking this patch (and alternatives if risky): 
Low if we wait a couple days for Nightly builds.

String or UUID changes made by this patch: 
None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Comment 31 Alex Keybl [:akeybl] 2013-04-08 15:46:27 PDT
Comment on attachment 731874 [details] [diff] [review]
Patch v1.

ESR 10->17 skipped over 12/13, so this only needs to go to Aurora/Beta. Since this impacts updates, we'll take our time uplifting.
Comment 32 Brian R. Bondy [:bbondy] 2013-04-08 15:49:51 PDT
By the way I got an email that this is tracked for ESR17, should tracking-firefox-esr17: 	21+  be cleared?
Comment 33 Ryan VanderMeulen [:RyanVM] 2013-04-09 07:17:04 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/08a001d51ccc
Comment 34 bhavana bajaj [:bajaj] 2013-04-14 19:32:03 PDT
Comment on attachment 731874 [details] [diff] [review]
Patch v1.

Please land by Monday EOD PST to get this into Fx 21 Beta 4 .
Comment 35 Ryan VanderMeulen [:RyanVM] 2013-04-15 05:42:56 PDT
https://hg.mozilla.org/releases/mozilla-beta/rev/216376e201d5
Comment 36 Al Billings [:abillings] 2013-05-03 13:04:39 PDT
(In reply to Brian R. Bondy [:bbondy] from comment #32)
> By the way I got an email that this is tracked for ESR17, should
> tracking-firefox-esr17: 	21+  be cleared?

Is ESR unaffected?
Comment 37 Brian R. Bondy [:bbondy] 2013-05-03 13:52:24 PDT
I think as per Comment 31.  I was asking because I got emailed after it was esr17-
Comment 38 Al Billings [:abillings] 2013-05-03 13:54:49 PDT
Sure, I was just looking for explicit confirmation that ESR is unaffected.
Comment 39 Brian R. Bondy [:bbondy] 2013-05-03 14:03:20 PDT
(In reply to Al Billings [:abillings] from comment #38)
> Sure, I was just looking for explicit confirmation that ESR is unaffected.

I haven't tried it explicitly, but from the best of my knowledge I agree with akeybl. The issue was only present in a couple versions, and those versions never landed inside ESR10/17.
Comment 40 Daniel Veditz [:dveditz] 2013-05-15 08:51:56 PDT
*** Bug 869452 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.