他人の空似自作物置場

Firefox and Thunderbird PoC

https://resemblances.click3.org/?p=1920



Summary:
Unsafe installation process: the installer runs and copies files out of an unprotected temporary folder.


Description:
On Windows, the installer extracts itself into a temporary folder such as the following.
Example: C:\Users\#{UserName}\AppData\Local\Temp\7zS09DA3A19

This temporary folder is not protected and can be modified with ordinary user privileges, while the installer itself runs with elevated privileges.

If maintenanceservice_installer.exe in that folder is replaced with an attacker-supplied file, the installer executes the replacement with elevated privileges. The signature of maintenanceservice_installer.exe is never verified.

In addition, none of the files copied to Program Files are checked either, so privileges can also be gained by DLL injection.

From the above, there are three distinct problems:
* The temporary folder is not protected.
* maintenanceservice_installer.exe is executed without signature verification.
* Files are copied to Program Files without any integrity check.


Steps to Reproduce:
* Launch the installer.
* Find the temporary folder.
* Replace maintenanceservice_installer.exe.
* Continue the installation process.


Actual Results:
The replaced executable is executed.


Expected Results:
Nothing happens, or the installation fails.


Reproducibility:
10/10


Versions confirmed to reproduce:
It reproduces fully on 12.0 and above; writing to Program Files appears to succeed on 2.0.0.0 and above.

We tested the following versions.

Fully exploitable:
65.0.2
65.0
16.0
15.0.1
14.0.1
13.0
12.0

You can write to Program Files:
11.0
10.0.2
6.0.1
3.6.14
3.0.15
2.0

You can write to a temporary file:
1.5.0.12


Additional Builds and Platforms:
Not investigated. It probably does not occur on other platforms, since the issue depends heavily on Windows-specific mechanisms.


Proposed fix:
One of the following.
* After obtaining privileges, extract the files into a protected folder.
* Verify the signature of maintenanceservice_installer.exe, and also check that the files copied to Program Files have not been tampered with.
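The following PowerShell script is an added example for this report; it is not code from Mozilla, from the installer, or from the original post. It turns the three problems above and the two proposed fixes into checks a defender can run: it reports whether an extraction folder is owned by or writable for an ordinary user (the unprotected temporary folder), it verifies the Authenticode signature and publisher of each staged executable (the missing signature check), and it shows how an elevated installer could create a staging folder that only SYSTEM and Administrators can write to (the first proposed fix). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the folder path, the `7zS09DA3A19` name (the example quoted in the report) and the `-SignerPattern` value are supplied by the caller and are placeholders here.

```powershell
# Added example (not from the original report or from Mozilla). Audits an
# installer extraction folder and its staged executables, and shows a protected
# staging directory. Assumes Windows; paths and signer pattern are placeholders.
Set-StrictMode -Version Latest

# Principals that every interactive non-admin user belongs to. A write ACE for
# any of these means the folder is not protected against a local user.
$script:BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$script:AdminOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'
)

function Test-UnprotectedDirectory {
    # Returns $true when a standard user can create, overwrite or delete files in $Path.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # The owner can always rewrite the DACL, so a non-admin owner makes the
    # folder user-controlled regardless of the ACEs. This is exactly the case
    # for a folder under %LOCALAPPDATA%\Temp, which belongs to the user.
    if ($acl.Owner -notin $script:AdminOwners) {
        Write-Verbose "owner '$($acl.Owner)' is not an administrative principal"
        return $true
    }
    # Rights that allow replacing entries, plus the generic bits (GENERIC_ALL,
    # GENERIC_WRITE) that some ACEs carry instead of specific rights.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                 [int][System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
                 [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                 0x10000000 -bor 0x40000000
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $script:BroadPrincipals) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            Write-Verbose "'$($ace.IdentityReference)' has $($ace.FileSystemRights)"
            return $true
        }
    }
    return $false
}

function Test-StagedExecutable {
    # Reports the Authenticode status of $Path and whether its signer matches
    # $SignerPattern (a regex over the certificate subject chosen by the caller).
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SignerPattern
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = $subject
        # Only a valid chain AND the expected publisher count. A file swapped in
        # by a local user shows up as NotSigned or as a different signer, which
        # is the check the report says the installer never performs.
        SafeToRun = ($sig.Status -eq 'Valid') -and ($subject -match $SignerPattern)
    }
}

function New-ProtectedStagingDirectory {
    # Creates $Path and replaces its DACL with SYSTEM/Administrators FullControl
    # only, so an unprivileged user cannot swap files between extraction and
    # execution. Run elevated; put $Path under a parent that is already
    # admin-only (e.g. below $env:ProgramFiles) so there is no window before
    # the new ACL is applied.
    param([Parameter(Mandatory)][string]$Path)

    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs such as Users:Modify
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $args = @($id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $dir.FullName
}

# Usage: the folder name is the example from the report; the signer pattern is
# a placeholder the caller replaces with the expected publisher's subject.
$temp = Join-Path $env:LOCALAPPDATA 'Temp\7zS09DA3A19'
if (Test-Path -LiteralPath $temp) {
    "Extraction folder user-writable: $(Test-UnprotectedDirectory -Path $temp)"
    Get-ChildItem -LiteralPath $temp -Filter *.exe -Recurse |
        ForEach-Object { Test-StagedExecutable -Path $_.FullName -SignerPattern 'CN=<expected publisher>' } |
        Format-Table Path, Status, SafeToRun
}
```

For a folder created by the installer under the user's own Temp directory, Test-UnprotectedDirectory returns $true on the owner check alone, before any ACE is inspected; that is the structural reason the proposed fix moves extraction into a protected folder rather than tightening the ACL of a user-owned one. Test-StagedExecutable deliberately requires both a Valid status and a matching publisher, since a self-signed or differently signed replacement would otherwise pass a signature-present check.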


Workaround:
Do not use the vulnerable installer.