unquoted Path used for MozillaMaintenance Service

RESOLVED DUPLICATE of bug 854088

Status

Toolkit
Application Update
5 years ago
4 years ago

People

(Reporter: sean, Unassigned)

Tracking

unspecified
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 854088])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

Steps to reproduce:

The path used to launch the MozillaMaintenance Service "MozillaMaintenance" uses an unquoted string. 

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe 

Version: 12.0.0.4493


Actual results:

This can allow a local user to elevate privileges and execute code under the LocalSystem account. 

The Windows API will attempt to launch the following:

C:\Program.exe 
C:\Program Files.exe
C:\Program Files (x86)\Mozilla.exe
C:\Program Files (x86)\Mozilla Maintenance.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe



Expected results:

The service path should use a quoted string to ensure spaces are not treated as delimiters and arbitrary code is not run under the elevated account.
Group: mozilla-services-security → core-security
Component: General → Security
Product: Mozilla Services → Core
Flags: sec-bounty?
Component: Security → Application Update
Product: Core → Toolkit
Kamil, would you like to take a look? Let me know if you'd like help. Thanks.
Flags: needinfo?(kamiljoz)
The path is quoted as of bug 748764.

bbondy, can you confirm?
Let's hold off on asking kamil, etc. until after bbondy confirms. Thanks
Flags: needinfo?(kamiljoz)
Hi Sean, this was a past issue with old installers, but it has since been fixed. We also recently created a fix so that upgraded versions will get auto-fixed.

Did you just install a fresh build and notice this? Or did you have an older version that's been upgrading for a while? If this latter case is your situation, then it should be fixed by the work in bug 854088. So this bug would be a dupe of that one.
(Reporter)

Comment 5

5 years ago
Thanks Brian, 

Yeah, it's the 2nd scenario. The system has an older version that has been updated for some time.
(Reporter)

Comment 6

5 years ago
Checked with a clean install; the path is quoted properly, so this looks like a dupe.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 854088
Flags: sec-bounty? → sec-bounty-
Group: core-security
Whiteboard: [sg:dupe 854088]
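
The check discussed in this bug, as an added example that is not part of the original report or of Mozilla's code: given a service ImagePath string, it lists the files that would be tried in order, reproducing the list in the description for the unquoted path and a single entry for the quoted one. The function names, the sample dictionary and the `C:\Tools\agent.exe` entry are constructed for illustration.

```python
import ntpath
import re

# Constructed sample ImagePath values; the first is the unquoted path from the report.
SAMPLE = {
    "upgraded install": r'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe',
    "clean install": r'"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"',
    "no spaces, with args": r'C:\Tools\agent.exe --run as service',
}

# In an unquoted command line the real program ends at the first ".exe"
# followed by whitespace or end of string; anything after it is arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path):
    """Return (program_path, was_quoted) for a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    return (s[:m.end()] if m else s), False

def launch_candidates(image_path):
    """Files tried in order: one if quoted, one more per space if unquoted."""
    exe, quoted = executable_part(image_path)
    if quoted:
        return [exe]
    out = []
    for i, ch in enumerate(exe):
        if ch == " " and exe[i - 1] != " ":
            prefix = exe[:i]
            # ".exe" is appended when the last component has no extension.
            if not ntpath.splitext(ntpath.basename(prefix))[1]:
                prefix += ".exe"
            out.append(prefix)
    return out + [exe]

def audit(services):
    """Map name -> unintended candidates; an empty list means nothing to fix."""
    return {name: launch_candidates(path)[:-1] for name, path in services.items()}

if __name__ == "__main__":
    for name, extra in audit(SAMPLE).items():
        print(name, "->", "OK" if not extra else "UNQUOTED, also tries: " + ", ".join(extra))
```

On a real system the strings to audit are the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`; any service with a non-empty result needs its path rewritten in the quoted form.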