
List:       full-disclosure
Subject:    [FD] Mozilla's MSI installers: FUBAR (that's spelled "fucked-up beyond all repair")
From:       "Stefan Kanthak" <stefan.kanthak () nexgo ! de>
Date:       2019-07-09 21:00:57
Message-ID: F20E042B06904ECF99AF3626847A4E62 () H270

Hi @ll,

Mozilla finally provides MSI installers for their just released
Firefox 68 and Firefox 68 ESR for Windows:
<https://archive.mozilla.org/pub/firefox/releases/68.0/win32/de/Firefox%20Setup%2068.0.msi>
<https://archive.mozilla.org/pub/firefox/releases/68.0esr/win32/de/Firefox%20Setup%2068.0esr.msi>

These MSI installers are, however, DEFECTIVE, VULNERABLE and a bluff:
Mozilla just wrapped their (UPX-compressed) 7-zip self-extractors,
which unpack the final NSIS installer to %TEMP% and run it from
there, but preserving all their already reported deficiencies and
vulnerabilities: see (among others)
<https://seclists.org/fulldisclosure/2018/Feb/58>
<https://seclists.org/fulldisclosure/2016/Jun/27>

Demonstration:
~~~~~~~~~~~~~~
In the user account created during Windows setup, add the NTFS
ACL "(D;OIIO;WP;;;WD)" meaning "deny execution of files for
everybody, inheritable to files in all subdirectories" to your
%TEMP%\ directory, then run the MSI installer.

As soon as the error dialog "7-Zip: (x) Access Denied!" is shown
peek into %SystemRoot%\Installer\ and your %TEMP%\ directory:

- the most recent "%SystemRoot%\Installer\MSI<4 hex digits>.tmp"
  is the UPX-compressed 7-zip self-extractor which is wrapped in
  the bogus MSI installer;

- this 7-zip self-extractor is run (elevated!) with the following
  command line:
  MSI*.tmp /S /TaskbarShortcut=true /DesktopShortcut=true /StartMenuShortcut=true /MaintenanceService=true /RemoveDistribution=true /PreventRebootRequired=false /OptionalExtensions=true /LaunchedFromMSI

- it creates an UNPROTECTED subdirectory %TEMP%\7zS<8 hex digits>\
  which inherits the NTFS ACL from its parent %TEMP%\, thus
  granting full access for the (unprivileged) user account, who
  can tamper with the extracted files in any way, then runs (here:
  tries to run) the extracted "%TEMP%\7zS<8 hex digits>\setup.exe"
  elevated.


stay tuned, and FAR away from Mozilla's crap!
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
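Added example (editor's code, not part of Stefan Kanthak's post): a small
SDDL decoder that explains ACE strings such as the "(D;OIIO;WP;;;WD)" used
in the demonstration above, and a check that reports which non-SYSTEM,
non-Administrators principals can create or replace entries in a directory,
i.e. the property that makes an elevated setup.exe run from %TEMP%\7zS*\
dangerous. The sample ACLs, the user SID and the token group set are
constructed placeholders; group membership is modelled, not resolved, and
the DACL walk is the simplified textbook order (deny ACEs stop, allow ACEs
retire bits), so treat the output as a review aid rather than as an
authoritative access check.

```python
"""Decode Windows SDDL DACL strings and flag directories an elevated installer
should not run code from (unprivileged principals hold write rights).
Added example for this post; sample ACLs below are constructed, not captured."""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# SDDL right abbreviations -> access-mask bits (low bits carry their file/directory meaning)
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
GENERIC_TO_FILE = {0x10000000: 0x1F01FF, 0x20000000: 0x1200A0, 0x40000000: 0x120116, 0x80000000: 0x120089}
BIT_NAMES = {0x1: "READ_DATA/LIST_DIRECTORY", 0x2: "WRITE_DATA/ADD_FILE", 0x4: "APPEND_DATA/ADD_SUBDIRECTORY",
             0x8: "READ_EA", 0x10: "WRITE_EA", 0x20: "EXECUTE/TRAVERSE", 0x40: "DELETE_CHILD",
             0x80: "READ_ATTRIBUTES", 0x100: "WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
             0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SIDS = {"WD": "S-1-1-0", "AU": "S-1-5-11", "IU": "S-1-5-4", "BU": "S-1-5-32-545",
        "BA": "S-1-5-32-544", "SY": "S-1-5-18", "CO": "S-1-3-0"}        # well-known trustee tags
NAMES = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-4": "Interactive",
         "S-1-5-32-545": "Users", "S-1-5-32-544": "Administrators", "S-1-5-18": "Local System",
         "S-1-3-0": "Creator Owner"}
EVERYONE = "S-1-1-0"
PRIVILEGED = {"S-1-5-18", "S-1-5-32-544"}            # SYSTEM and Administrators
WRITE_BITS = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000   # add/replace/delete entries
FILE_EXECUTE = 0x20


def parse_rights(text):
    """Rights field: a hex mask or a run of two-letter abbreviations; generic bits are expanded."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= RIGHTS[text[i:i + 2]]
    for generic, specific in GENERIC_TO_FILE.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def parse_ace(text):
    """One ACE body 'type;flags;rights;object_guid;inherit_guid;trustee' -> dict."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 ';'-separated fields: {text!r}")
    ace_type, flags, rights, _obj, _inh_obj, trustee = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": {ACE_FLAGS[flags[i:i + 2]] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "trustee": SIDS.get(trustee, trustee)}


def parse_dacl(sddl):
    """Return the ACE list of the D: component of an SDDL string, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    return [parse_ace(body) for body in re.findall(r"\(([^)]*)\)", m.group(1))]


def describe(ace_text):
    """Human-readable explanation of a single '(...)' ACE string."""
    ace = parse_ace(ace_text.strip("()"))
    bits = [n for b, n in BIT_NAMES.items() if ace["mask"] & b]
    return (f"{ace['type']} flags={'+'.join(sorted(ace['flags'])) or '-'} "
            f"mask=0x{ace['mask']:X} ({', '.join(bits)}) "
            f"trustee={ace['trustee']} ({NAMES.get(ace['trustee'], 'account SID')})")


def access_allowed(aces, token_sids, requested, target="dir"):
    """Simplified DACL walk. target='dir' checks the directory itself (INHERIT_ONLY
    ACEs skipped); target='file' checks a file inheriting from it (OBJECT_INHERIT only)."""
    token_sids = set(token_sids) | {EVERYONE}          # every token holds Everyone
    remaining = requested
    for ace in aces:
        if target == "dir" and "INHERIT_ONLY" in ace["flags"]:
            continue
        if target == "file" and "OBJECT_INHERIT" not in ace["flags"]:
            continue
        if ace["trustee"] not in token_sids:
            continue
        if ace["type"] == "ACCESS_DENIED" and remaining & ace["mask"]:
            return False
        if ace["type"] == "ACCESS_ALLOWED":
            remaining &= ~ace["mask"]
            if not remaining:
                return True
    return not remaining


def unprivileged_writers(sddl):
    """SIDs other than SYSTEM/Administrators that can add or replace directory entries."""
    aces = parse_dacl(sddl)
    writers = set()
    for ace in aces:
        wanted = ace["mask"] & WRITE_BITS
        if (ace["type"] == "ACCESS_ALLOWED" and "INHERIT_ONLY" not in ace["flags"]
                and ace["trustee"] not in PRIVILEGED and wanted
                and access_allowed(aces, {ace["trustee"]}, wanted)):
            writers.add(ace["trustee"])
    return sorted(writers)


# Constructed sample ACLs and token (placeholders, not captured from a real machine)
USER = "S-1-5-21-1000-2000-3000-1001"
PROFILE_TEMP = f"D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;{USER})"      # profile-style %TEMP%
HARDENED_TEMP = "D:(D;OIIO;WP;;;WD)" + PROFILE_TEMP[2:]                      # the post's deny ACE prepended
PROTECTED_DIR = "D:(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200A9;;;BU)"   # users read/execute only
STANDARD_USER_TOKEN = {USER, "S-1-5-11", "S-1-5-32-545", "S-1-5-4"}

if __name__ == "__main__":
    print(describe("(D;OIIO;WP;;;WD)"))
    print("%TEMP% writers:", unprivileged_writers(PROFILE_TEMP), "protected:", unprivileged_writers(PROTECTED_DIR))
    for name, sddl in (("default", PROFILE_TEMP), ("hardened", HARDENED_TEMP)):
        aces = parse_dacl(sddl)
        print(name, "file execute:", access_allowed(aces, STANDARD_USER_TOKEN, FILE_EXECUTE, "file"),
              "dir write:", access_allowed(aces, STANDARD_USER_TOKEN, WRITE_BITS))
```

Running it shows the two halves of the problem the post describes: with the
profile-style ACL the user account can both write into the directory and
execute what lands there, so anything an elevated process extracts and runs
from a %TEMP% subdirectory can be replaced first; the deny-execute ACE from
the demonstration blocks the execute step for every inherited file (which is
why the self-extractor fails with "Access Denied") but leaves the directory
writable, so it is a detection trick, not a fix. A real fix is for the
elevated process to unpack into a location only SYSTEM/Administrators can
write, which is what unprivileged_writers() returning an empty list checks.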