Closed
Bug 867062
Opened 12 years ago
Closed 11 years ago
Ability to read arbitrary files as SYSTEM
Categories
(Toolkit :: Application Update, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: sebbity, Unassigned)
References
Details
(Keywords: regression, reporter-external, sec-moderate)
Attachments
(2 obsolete files)
In fixing Bug 850492, the updater.exe that the Maintenance Service tries to verify is now copied to a known safe location.
Unfortunately, if the user provides the location of a file they do not have access to (eg. encryption keys, SAM passwords, etc), this file will be copied to the safe location which is, by default, readable by all users.
This allows the attacker to then read/copy the file before it is deleted by the Maintenance Service when it fails validation.
Can provide a proof-of-concept if you need. Windows 8/2012 should not be affected by this as Microsoft changed the CopyFile() function to copy security metadata by default (though I haven't confirmed).
Updated•12 years ago
|
Flags: sec-bounty?
Comment 1•12 years ago
|
||
A PoC would be very handy for testing if you could provide that, thanks!
Assignee: nobody → netzen
Blocks: CVE-2013-1672
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression,
sec-moderate
Comment 2•12 years ago
|
||
rstrong, one idea to fix is to make a subdirectory inside maintenanceservice not have any access except by the system account. Thoughts?
Comment 3•12 years ago
|
||
No fallback kind of scares me but I think we can just error out and exit. I'll have to test to see what happens in that case.
Comment 4•12 years ago
|
||
Seems reasonable. Test the behavior and if all isn't well let's talk about what else can be done.
Reporter | ||
Comment 5•12 years ago
|
||
Sure thing. Attached is a quick implementation. It will drop the file into your current directory.
Usage:
CopyAsSystem.exe "c:\Windows\Sysnative\config\BCD-template"
Or even more fun, something like:
CopyAsSystem.exe "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy12\windows\system32\config\sam"
will pull currently locked files from shadow copies.
Updated•12 years ago
|
Attachment #744322 -
Attachment mime type: application/octet-stream → application/java-archive
Comment 6•12 years ago
|
||
Matt, could you please verify this POC? thanks!
Flags: needinfo?(mwobensmith)
Comment 7•12 years ago
|
||
Hi Seb, I'm trying to reproduce this with your files.
Can you provide a precise step-by-step instruction? My attempts aren't working; all I'm seeing is "Fail :( try again".
Also, please confirm what OS (or OSs) we can use. I was using Win7 x64, and can use others.
Thank you!
Flags: needinfo?(mwobensmith)
Reporter | ||
Comment 8•12 years ago
|
||
Hi Matt,
Apologies for the hastiness of the PoC, I just noticed that if a file with the same name you're trying to copy already exists in the current directory then it will fail with the same error message.
I am reproducing on Win7 x64, the version of my maintenanceservice.exe is 23.0.0.4889. Any luck?
Comment 9•11 years ago
|
||
Hi Seb,
I tried reproducing the issue but as Matt mentioned in comment 7, I keep receiving the "Failed :( Try again!" error message. I tried running the POC attached with a "Administrator" account and a "Limited" account without any luck. Here's what I attempted so far:
Tried going through the same steps you posted in comment 5 using the following files:
CopyAsSystem.exe "C:\Windows\System32\config\BCD-template"
CopyAsSystem.exe "C:\Windows\System32\config\SAM.LOG"
CopyAsSystem.exe "C:\Windows\System32\config\SAM"
CopyAsSystem.exe "C:\Windows\System32\config\DEFAULT"
I also attempted creating a text file named password.txt on the desktop of the "Administrator" account and then tried opening it with the "Limited" account using your POC. Received the same "Failed :( Try again!" error message:
CopyAsSystem.exe "C:\Users\kamil\Desktop\password.txt"
System Information:
- Windows 7 Home Premium SP1 x64
- Latest Nightly Build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-06-17-03-11-12-mozilla-central/
- maintenanceservice.exe 24.0.0.4916
Reporter | ||
Comment 10•11 years ago
|
||
I found a few problems with the PoC copying things out of System32 (windows transparently redirects to the SysWOW64 directory which means it can't find the file) though that still doesn't explain why it didn't work for your admin account.
I'll try and explain where the race condition occurs in the code, that way you might be able to theoretically see how it works even if the PoC doesn't.
toolkit/components/maintenanceservice/workmonitor.cpp@0be9ff086424
> 577 // Use the passed in command line arguments for the update, except for the
> 578 // path to updater.exe. We copy updater.exe to a the directory of the
> 579 // MozillaMaintenance service so that a low integrity process cannot
> 580 // replace the updater.exe at any point and use that for the update.
> 581 // It also makes DLL injection attacks harder.
> ... ...
> 589 result = CopyFileW(oldUpdaterPath, secureUpdaterPath, FALSE);
> ... ...
> 618 result = ProcessSoftwareUpdateCommand(argc - 3, argv + 3);
> 619 DeleteSecureUpdater(secureUpdaterPath);
secureUpdaterPath is the update directory in the Maintenance Service folder (C:\Program Files (x86)\Mozilla Maintenance Service\update for me). This inherits the parent folder's permissions which allows standard users to read files by default.
There's a bit of time spent in ProcessSoftwareUpdateCommand which extends the window, but fundamentally the attacker has the opportunity to read the file after execution hits line 589 but before it reaches line 619.
Comment 11•11 years ago
|
||
It has been a couple of months. Any update here, Seb?
Flags: needinfo?(sebbity)
Reporter | ||
Comment 12•11 years ago
|
||
Issue still occurs for me using maintenanceservice.exe version 26.0.0.4973 (Nightly 2013-08-13).
Here's more info about the setup on my box (let me know if anything looks dodgy):
C:\Users\cache_test\Desktop>whoami
mrz\standard
C:\Users\cache_test\Desktop>net user standard
User name standard
Full Name cache_test
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/13/2013 7:19:14 PM
Password expires Never
Password changeable 3/13/2013 7:19:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/14/2013 4:14:10 AM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
C:\Users\cache_test\Desktop>type c:\windows\sysnative\config\SAM.LOG
The system cannot find the path specified.
C:\Users\cache_test\Desktop>CopyAsSystem.exe c:\windows\sysnative\config\SAM.LOG
Success!
C:\Users\cache_test\Desktop>type SAM.LOG
regfI... <snip>
Flags: needinfo?(sebbity)
Comment 13•11 years ago
|
||
Still using the attached PoC?
Reporter | ||
Comment 14•11 years ago
|
||
Yes, same PoC.
Comment 15•11 years ago
|
||
I can I try reproducing once again using the same PoC that's attached, but couldn't reproduce it as per comment 9. Seb, can you please take a look at my comment and see what you are doing differently?
Reporter | ||
Comment 16•11 years ago
|
||
Have attached an updated proof-of-concept which will spit out an error message on failure (sorry this wasn't in the original).
Can you retest and let me know the input & output?
Attachment #744322 -
Attachment is obsolete: true
Reporter | ||
Comment 17•11 years ago
|
||
Attachment #792843 -
Attachment is obsolete: true
Comment 18•11 years ago
|
||
Thanks Seb,
I will test this when I get home from work today and let you know if I can reproduce with the newest PoC from comment 17.
Comment 19•11 years ago
|
||
Hi Seb,
Downloaded the latest POCv2 that you attached in comment #16 but I am still having issues reproducing the problem. I basically used the same steps as per comment #9 on the following builds:
- http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/21.0/win32/en-US/
- http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-08-31-03-02-24-mozilla-central/
- latest release that can be found from: http://www.mozilla.org/en-US/firefox/new/#download-fx
I keep receiving the following error message:
"Timed out waiting for File to appear in update directory
Could not copy file, Error: Could not find file 'C:\Program Files (x86)\Mozilla Maintenance Service\update\updater.exe'"
- I've attached a screenshot of the error mentioned above.
I went through the test cases using both an Administrator & Standard account. I tried accessing the same files as per comment #16. I also created a text file named "password" on the desktop of the Administrator and tried accessing it using the standard user with the POCv2 you provided but receive the same error.
Used a Windows 7 Home Premium SP1 x64 VM that is fully updated and patched.
Please let me know if I am doing something different or if I am missing a step.
Updated•11 years ago
|
Flags: needinfo?(sebbity)
Comment 20•11 years ago
|
||
Seb, if we don't have any further response from you, we will be closing this issue was "incomplete" at the beginning of December. There has been no response for over three months now to questions and we cannot reproduce the issue.
Comment 21•11 years ago
|
||
Resolving as INCOMPLETE as per comment 20 and opening up
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → INCOMPLETE
Updated•11 years ago
|
Assignee: netzen → nobody
Reporter | ||
Comment 23•8 years ago
|
||
Sorry for letting this fall by the wayside. For what it's worth, I took a look at the current implementation and can confirm this vulnerability is no longer present.
Flags: needinfo?(sebbity)
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•