Vigil@nce - Mozilla Firefox, Thunderbird, Seamonkey: privilege escalation via the uninstaller
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the uninstaller of Mozilla Firefox,
Thunderbird, Seamonkey, in order to escalate his privileges.
Impacted products: Firefox, SeaMonkey, Thunderbird
Severity: 2/4
Creation date: 15/07/2013
DESCRIPTION OF THE VULNERABILITY
When one of the Mozilla product Firefox, Thunderbird, Seamonkey is
installed, an uninstaller is also created and the command line
that should be used to start it is stored in the registry, under
the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla
Firefox 22.0 (x86 en-US)], in the value "UninstallString" whith
the content like "C:\Program Files\Mozilla
Firefox\uninstall\helper.exe".
However, because the value is unquoted, there are ambiguities
about what is the program path and what are the arguments.
According the the Windows version, trying to uninstall the product
may run the true installer or instead "c:\program.exe" or
"c:\program files\mozilla.exe".
An attacker can therefore use the uninstaller of Mozilla Firefox,
Thunderbird, Seamonkey, in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN