Closed Bug 893008 Opened 12 years ago Closed 12 years ago

Mar file not locked during update

Categories

(Toolkit :: Application Update, defect)

22 Branch
x86_64
Windows 7
defect
Not set
normal


RESOLVED DUPLICATE of bug 890853

People

(Reporter: hofusec, Assigned: bbondy)

Attachments

(1 file) poc, 625 bytes, application/java-archive

Attached file poc
The updater has a "Time of check to time of use" bug. It is possible to bypass the signature check in the updater because the .mar file which is used isn't locked during reading. After a successful signature check an external program is able to change the .mar file. Essentially it is possible to pass an arbitrary .mar file to the updater. If the maintainservice is installed, it's easy to exploit the bug (if the attacker finds the right timing) because the attacker has an unlimited count of tries. The following poc does a downgrade of firefox 22 to firefox 20 with a manipulated .mar file with the maintainservice. A downgrade is of course only the easiest way to show the bug. The python script in the poc directory changes the version info of the mar file from 22 to 26 and back in a loop. The poc succeeds if during VerifySignature() the version info is 22 and during VerifyProductInformation() the version info is 26.

poc steps:
0.) you need an installed firefox 22
1.) download the poc.zip and extract the directory
2.) download "http://releases.mozilla.org/pub/mozilla.org/firefox/releases/20.0/update/win32/de/firefox-20.0.complete.mar" in the poc directory and name it "update.mar".
3.) copy the updater from the firefox directory to the poc directory
4.) alter paths in the start.bat and the poc.py to your paths
5.) start the python script
6.) start the bat file

On my system after a minute the downgrade was successful. I have tested the poc with ff 22.0 with win7. With my virtual machine with win7 the poc doesn't work.
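Added illustration (not code from the report or from Mozilla's updater): a toy model of the two checking patterns, where a racy verifier re-opens the file for VerifySignature() and VerifyProductInformation() while a fixed verifier reads the bytes once and runs both checks on that single copy. The HMAC "signature", the 2-byte version field and the RacyFile class that hands out a different snapshot on each open are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins: a shared secret plays the role of the signing key and
# a 2-byte version field stands in for the MAR product information.
KEY = b"constructed-demo-key"
SIG_LEN = 32

def sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def make_mar(version: int, body: bytes) -> bytes:
    """Signed file: signature || version (2 bytes) || body."""
    payload = version.to_bytes(2, "big") + body
    return sign(payload) + payload

def verify_signature(data: bytes) -> bool:
    sig, payload = data[:SIG_LEN], data[SIG_LEN:]
    return hmac.compare_digest(sig, sign(payload))

def product_version(data: bytes) -> int:
    return int.from_bytes(data[SIG_LEN:SIG_LEN + 2], "big")

class RacyFile:
    """Constructed model of a file another process rewrites between reads:
    each read() returns the next snapshot, the last one repeating forever."""
    def __init__(self, snapshots):
        self._snapshots = list(snapshots)
    def read(self) -> bytes:
        if len(self._snapshots) > 1:
            return self._snapshots.pop(0)
        return self._snapshots[0]

def apply_update_racy(path: RacyFile, installed_version: int) -> bool:
    # Vulnerable pattern: every check re-reads the file, so the bytes that
    # passed the signature check need not be the bytes whose version is used.
    if not verify_signature(path.read()):
        return False
    return product_version(path.read()) > installed_version

def apply_update_fixed(path: RacyFile, installed_version: int) -> bool:
    # Fixed pattern: read once and run every check on the same in-memory copy,
    # so a swap on disk after the read cannot influence any later decision.
    data = path.read()
    if not verify_signature(data):
        return False
    return product_version(data) > installed_version
```

With a validly signed version-20 file swapped for a version-26 copy between the two checks, the racy verifier accepts the update and the fixed one rejects it.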
Attachment #774665 - Attachment mime type: application/octet-stream → application/java-archive
Assignee: nobody → netzen
Status: UNCONFIRMED → NEW
Ever confirmed: true
Is this just a downgrade attack? If you can replace the version number, can you replace arbitrary contents and get that installed?
Flags: needinfo?(netzen)
you can make the mar file contain anything and get that extracted in secure locations, but you cannot execute something elevated from it.
Flags: needinfo?(netzen)
I think this is a dupe of bug 890853.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security