Mar file not locked during update

RESOLVED DUPLICATE of bug 890853

Status

()

RESOLVED DUPLICATE of bug 890853
5 years ago
5 years ago

People

(Reporter: hofusec, Unassigned)

Tracking

22 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
The updater has a "Time of check to time of use" bug. It is possible to bypass the signature check in the updater because the .mar file which is used isn't locked during the update. After a succesfull signature check an external program is able to change the .mar file. Essentially it is possible to pass an arbitary .mar file to the updater.

The following poc does a downgrade of firefox 22 to firefox 20 with a manipulated .mar file with the maintainservice. A downgrade is of course only the easiest way to show the bug. The python script in the poc directory changes the version info of the mar file from 22 to 26 and back in a loop. The poc succeed if while VerifySignature() the version info is 22 and while VerifyProductInformation() the version info is 26.

poc steps:

0.) you need an installed firefox 22
1.) download the poc.zip an extract the directory
2.) download "http://releases.mozilla.org/pub/mozilla.org/firefox/releases/20.0/update/win32/de/firefox-20.0.complete.mar" in the poc directory and name it "update.mar".
3.) copy the updater from the firefox directory to the poc directory
4.) alter paths in the start.bat and the poc.py to your paths
5.) start the python script
6.) start the bat file

On my system after a minute the downgrade was successful.

I have tested the poc with ff 22.0 with win7. In my virtual machine with win7 the poc doesen't work.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 893008
Duplicate of bug: 890853
Group: core-security
You need to log in before you can comment on or make changes to this bug.