Closed
Bug 869452
Opened 12 years ago
Closed 12 years ago
unquoted Path used for MozillaMaintenance Service
Categories
(Toolkit :: Application Update, defect)
RESOLVED DUPLICATE of bug 854088
People
(Reporter: idiom604, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [sg:dupe 854088])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31
Steps to reproduce:
The path used to launch the MozillaMaintenance Service "MozillaMaintenance" uses an unquoted string.
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Version: 12.0.0.4493
Actual results:
This can allow a local user to elevate privileges and execute code under the LocalSystem account.
The Windows API will attempt to launch the following:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Mozilla.exe
C:\Program Files (x86)\Mozilla Maintenance.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Expected results:
The service path should use a quoted string to ensure spaces are not treated as delimiters and arbitrary code is not run under the elevated account.
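
The lookup order listed in the report, reproduced as an audit check for service `ImagePath` values (an added example, not part of the original bug report or Mozilla's code). It assumes the executable ends at the first `.exe` followed by a space or end of string; the function names and the quoted and svchost sample values are constructed for illustration.

```python
import re

# Assumption: the intended binary ends at the first ".exe" followed by a space
# or end of string; anything after that is treated as arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, quoted) for a service ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = _EXE_END.search(value)
    return (value[:match.end()] if match else value), False


def candidate_paths(image_path):
    """Paths tried, in order, when an unquoted command line is resolved.

    Each space is treated as a possible end of the module name, and ".exe"
    is appended when the last path component has no extension.
    """
    exe, quoted = split_image_path(image_path)
    if quoted:
        return [exe]
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        leaf = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in leaf else prefix + ".exe")
    return candidates


def needs_quoting(image_path):
    """True when the path is unquoted and contains a space (the reported defect)."""
    exe, quoted = split_image_path(image_path)
    return not quoted and " " in exe


# ImagePath from the report, plus constructed variants for comparison.
REPORTED = r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
SAMPLES = [REPORTED, '"' + REPORTED + '"', r"C:\Windows\System32\svchost.exe -k netsvcs"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("FIX " if needs_quoting(sample) else "ok  ", sample)
        for path in candidate_paths(sample):
            print("      ", path)
```

Every candidate listed before the real binary sits in a directory whose write permissions decide whether the unquoted path is reachable by a non-administrative user, so those directories' ACLs are worth reviewing alongside the quoting fix.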
Updated•12 years ago
Group: mozilla-services-security → core-security
Component: General → Security
Product: Mozilla Services → Core
Updated•12 years ago
Flags: sec-bounty?
Updated•12 years ago
Component: Security → Application Update
Product: Core → Toolkit
Comment 1•12 years ago
Kamil, would you like to take a look? Let me know if you'd like help. Thanks.
Flags: needinfo?(kamiljoz)
Comment 2•12 years ago
The path is quoted as of bug 748764.
bbondy, can you confirm?
Comment 3•12 years ago
Let's hold off on asking kamil, etc. until after bbondy confirms. Thanks
Flags: needinfo?(kamiljoz)
Comment 4•12 years ago
Hi Sean, this was a past issue with old installers, but it has since been fixed. We also recently created a fix so that upgraded versions will get auto-fixed.
Did you just install a fresh build and notice this? Or did you have an older version that's been upgrading for a while? If this latter case is your situation then it should be fixed by the work in bug 854088. So this bug would be a dupe of that one.
Thanks Brian,
Yeah, it's the 2nd scenario. The system has an older version that has been updated for some time.
Checked with a clean install: the path is quoted properly, so this looks like a dupe.
Updated•12 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
Flags: sec-bounty? → sec-bounty-
Updated•11 years ago
Group: core-security
Whiteboard: [sg:dupe 854088]
Updated•6 months ago
Keywords: reporter-external