oss-sec mailing list archives

CVE request for Mozilla Firefox (Windows)

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 10 Jul 2013 20:56:57 +0200

The installer of Mozilla Firefox writes the following command line
with unquoted spaces for uninstallation into the Windows registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 22.0 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe"

See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>,
<https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=868746>

Due to a well-known and well-documented idiosyncrasy of Windows'
CreateProcess() API this can result in the execution of a rogue
program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the
privileges of the caller.
Since the caller of this command line typically has administrative
rights this vulnerability can lead to a privilege escalation.

Affected versions: all current releases.

Fixed version: 23.0.

Stefan Kanthak

Current thread:

CVE request for Mozilla Firefox (Windows) Stefan Kanthak (Jul 10)
- Re: CVE request for Mozilla Firefox (Windows) Kurt Seifried (Jul 10)