oss-sec mailing list archives

Re: CVE request for Mozilla Thunderbird (Windows)

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 10 Jul 2013 13:46:20 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/10/2013 12:59 PM, Stefan Kanthak wrote:

The installer of Mozilla Thunderbird writes the following command line
with unquoted spaces for uninstallation into the Windows registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"

See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>,
<https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=868746>

Due to a well-known and well-documented idiosyncrasy of Windows'
CreateProcess() API this can result in the execution of a rogue
program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the
privileges of the caller.
Since the caller of this command line typically has administrative
rights this vulnerability can lead to a privilege escalation.

Affected versions: all current releases.

Fixed version: ?

Stefan Kanthak


Mozilla is a CNA (http://cve.mitre.org/cve/cna.html) so they'll need
to handle this one. Adding them to CC.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR3boMAAoJEBYNRVNeJnmTAL8QAM+JVRhIFM0La55vt0z3XzG7
wcjoe+2oF6Y1qI5vDP0t/1SAj9yBCBEWixKrLnkeKFpOT5+SKUy+kUl3Of+u25w5
52oY8p9AmcYCuf0EaI+8BMvtC1QhDkH3h9zUS8VVzyg6V+8f1Lwby59aaTT+9XY1
OEDZ86kMnR19KV0iglb2dajrMlaepXJhls+uZWCxEiTbgvDLIgm5Gwq8GWOxztGa
dqck2CyvJOdoa7Z0SoGEKYktfImsEgPfIwsJPP9+OChbHjF8yMkQzW6jnhTGsxUF
yEH+JWsqJh2NxZzEukYvZ7hiBAvLLLJf+5BD6XHeo2QDJv7R/zugbcgJqkrho48Y
NDgykkiJqY5FAFrqecaI96HQj/o4BsnzBHOQMjRwaH0CjpNES/Q7DBVX1Oapz1OS
welco9LqsyjPiCDEJJ9c34Ysk3666KJH68WE/pFftAhqnIXuyyh8fylUn0LsKWY8
HGKmgILTGtJBKu0J0FgF+hOiqI/nWcAJSSTwSVm6nLHx5r6wDX44A/YMO+rOp+GS
NpAjbV8EWN2sws9gm7CSKMR1M8kYhxHpbVGuDiSlQvMI9YtVr6pNXg6uf/5+BKag
XrJ8EQ1WCrHu/3h4DVanvI/xUzJNqcoigW0cRKMGB34S6JDoJKMu4a6rgRcJEAB7
4yvTghlVWdAxASrtmCCT
=luq9
-----END PGP SIGNATURE-----

Current thread:

CVE request for Mozilla Thunderbird (Windows) Stefan Kanthak (Jul 10)
- Re: CVE request for Mozilla Thunderbird (Windows) Kurt Seifried (Jul 10)