Full Disclosure mailing list archives

By Date By Thread Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Wed, 28 Oct 2015 20:04:23 +0100

Hi @ll, Mozilla's (executable) full setup packages for Windows allow arbitrary code execution resp. escalation of privilege: their SETUP.EXE loads SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\" created during self-extraction of the full setup packages. This vulnerability is well-known, every developer past absolute beginner should know about it: <https://capec.mitre.org/data/definitions/471.html> See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all the trouble Mozilla's developers went through to fix this vulnerability in the 7zip self-extractor. See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for this vulnerability in their maintenance_installer.exe. Proof of concept: ~~~~~~~~~~~~~~~~~ 1. fetch any Mozilla full setup package (these are self-extracting archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe" from <https://www.mozilla.org/en-US/firefox/organizations/all/> 2. extract this full setup package into an arbitrary directory, for example "%TEMP%\7zSxyz.tmp", using (again for example) 7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe" 3. fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html>) and save it as "%TEMP%\7zSxyz.tmp\shfolder.dll" 4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click: the installer detection of Windows user account control (see <https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>) will chime in and prompt for consent resp. for an administrator password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads "%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box Mitigation(s): ~~~~~~~~~~~~~~ 0. DON'T USE EXECUTABLE INSTALLERS [²]! If your favourite applications are not distributed in the native installer package format of the resp. target OS: ask^WURGE their vendors/developers to provide native installation packages. If they don't: dump these applications, stay away from such software! 1. Turn off privilege elevation for standard users and installer detection for all users: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests "EnableInstallerDetection"=dword:00000000 See <https://technet.microsoft.com/en-us/library/dd835564.aspx> 2. deny execution in all "%TEMP%" directories and their subdirectories: * add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories" (use CACLS.EXE /SDDL for example); * use "software restriction policies" resp. AppLocker. stay tuned Stefan Kanthak PS: Mozilla sits on this unfixed vulnerability for about 30 months: see <https://bugzilla.mozilla.org/show_bug.cgi?id=861012> ['] SHFOLDER.DLL is cruft from the last millennium, it was used on Windows 9x without Internet Explorer 4; see <https://support.microsoft.com/en-us/kb/241733> DONT USE the code shown in this MSKB article! See <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and <https://technet.microsoft.com/en-us/library/2269637.aspx> [²] self-extracting archives and executable installers are flawed^W insanely stupid in concept and dangerous in practice. DON'T USE SUCH CRUFT! ALWAYS use the resp. platforms native package and archive format. For Windows these are .INF (plus .CAB) and .MSI (plus .CAB), introduced 20 years ago (with Windows 95 and Windows NT4) resp. 16 years ago (with Office 2000). Both .INF and .MSI are "opened" by programs residing in %SystemRoot%\System32\ which are therefore immune to this kind of "DLL (and EXE) Search Order Hijacking" attack. Since both .INF and .MSI can access the contents of .CAB directly they eliminate the attack vector "unsafe temporary directory" too. See <http://home.arcor.de/skanthak/temp/FIREFOX.INF> and <http://home.arcor.de/skanthak/temp/FIREFOX.DDF> as example of a native installer package for "Firefox 38.3.0 ESR (x86 de)": 1.a. create FIREFOX.CAB from the unpacked full setup package (see above; I used the german language version): run the command line MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF 1.b. create FIREFOX.CAB from the copy installed on your system: run the command line MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF 2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and then click "Install", or run the command line InfDefaultInstall.Exe "<path>\FIREFOX.INF" resp. RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE Stefan Kanthak (Oct 30)