Application update uses CA and URL details from preferences

RESOLVED WONTFIX

Status

()

Toolkit
Application Update
--
major
RESOLVED WONTFIX
4 years ago
2 years ago

People

(Reporter: manishearth, Unassigned)

Tracking

({sec-moderate})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
Currently, the application updater uses a URL from the preferences and validates against a CA in the preferences[1].

I see the need for this; different browser releases (aurora, nightly, custom builds) may want their own update servers.

However, preferences can be edited without root permissions. I could theoretically set a victim's firefox to use my own update server with 20 seconds of *non root* access to the machine, with a keyboard and nothing else. With this I can put in any exploit I want.

Shouldn't the URL and details of SSL certificate for updating be in a more locked down place? (Ideally hardcoded strings would be nice, but that creates issues with custom builds, and besides it would be easier to just replace/patch the FF binary if you have that kind of access)

There probably are more security-related prefs that should be root-protected as well.


 [1]: http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/nsUpdateService.js
(Reporter)

Updated

4 years ago
Keywords: sec-moderate
(Reporter)

Comment 1

4 years ago
Additionally, this pref seems to be per-profile/per-user. However, IIRC updating is global.

Wouldn't it be possible for a non-root user to tweak this pref and wait for an update?

Or is this pref only for addons? (It doesn't seem to be, but I would need to check the code thoroughly)

Comment 2

4 years ago
(In reply to Manish Goregaokar [:manishearth] from comment #1)
> Additionally, this pref seems to be per-profile/per-user. However, IIRC
> updating is global.

This alone seems like an argument enough to move this and other application update prefs into their own file in the application installation dir. If the application is properly installed then non-root users won't be able to change it, but it'd still be trivial to find and modify for those who actually need to.
(Reporter)

Comment 3

4 years ago
(In reply to Dave Garrett from comment #2)
> This alone seems like an argument enough to move this and other application
> update prefs into their own file in the application installation dir. If the
> application is properly installed then non-root users won't be able to
> change it, but it'd still be trivial to find and modify for those who
> actually need to.

On thinking about this further, this doesn't make as much sense, if there are two users on the system, where will FF get its update info from if the prefs conflict? Maybe these prefs are only for addons.

However, I'd like to see where the update URL and CA details are stored for the actual application update.
The SSL certificate check was added to mitigate mitm attacks and not attacks on systems that have already been compromised. The longer term solution is to implement mar signing which is implemented on Windows where we no longer check the SSL certificate and we have patches close to landing for Mac and Linux where we will remove the SSL certificate checks after they have landed. I'd provide bug numbers but I am away from home on a mobile device.
Comment hidden (obsolete)
Depends on: 920750, 1151485
OS: All → Linux
The cert check is now disabled on Windows, Mac, and Linux and Bug 1182352 will remove the cert check code from app update.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Depends on: 1182352
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.