Closed Bug 893005 Opened 11 years ago Closed 11 years ago

Mar file not locked during update

Categories

(Toolkit :: Application Update, defect)

Product:
Toolkit
Component:
Application Update
Version:
22 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 890853

People

(Reporter: hofusec, Unassigned)

Details

The updater has a "Time of check to time of use" bug. It is possible to bypass the signature check in the updater because the .mar file which is used isn't locked during the update. After a succesfull signature check an external program is able to change the .mar file. Essentially it is possible to pass an arbitary .mar file to the updater.

The following poc does a downgrade of firefox 22 to firefox 20 with a manipulated .mar file with the maintainservice. A downgrade is of course only the easiest way to show the bug. The python script in the poc directory changes the version info of the mar file from 22 to 26 and back in a loop. The poc succeed if while VerifySignature() the version info is 22 and while VerifyProductInformation() the version info is 26.

poc steps:

0.) you need an installed firefox 22
1.) download the poc.zip an extract the directory
2.) download "http://releases.mozilla.org/pub/mozilla.org/firefox/releases/20.0/update/win32/de/firefox-20.0.complete.mar" in the poc directory and name it "update.mar".
3.) copy the updater from the firefox directory to the poc directory
4.) alter paths in the start.bat and the poc.py to your paths
5.) start the python script
6.) start the bat file

On my system after a minute the downgrade was successful.

I have tested the poc with ff 22.0 with win7. In my virtual machine with win7 the poc doesen't work.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.