diamondkruto.blogg.se

Rollback firefox to previous version










This blog post is the first of several guest blog posts we’ll be publishing, where we invite participants of our bug bounty program to write about bugs they’ve reported to us.

This blog post is about a vulnerability I found in the Mozilla Maintenance Service on Windows that allows an attacker to elevate privileges from a standard user account to SYSTEM. While the specific vulnerability only works on Windows, this is not really because of any Windows-specific issue but rather about how Mozilla validated trust in files it operated on with privileged components. This vulnerability is assigned CVE-2020-15663. It was reported on Mozilla Bugzilla Bug 1643199.

One day I read the “Mozilla Foundation Security Advisory 2019-25,” and one bug caught my attention: “CVE-2019-11753: Privilege escalation with Mozilla Maintenance Service in custom Firefox installation location.” The description mentioned that a privilege escalation was caused “due to a lack of integrity checks.” My past experience taught me that maybe the fix was to check digital signatures only. If that’s the case, then a version rollback attack may be used to bypass the fix. So, I decided to check that, and it worked.

The Bug: A Classic Rollback Attack

Firefox’s Windows installer allows users to customize the Firefox installation directory.
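The reasoning in the post (a check that only validates a digital signature still accepts an older file that was validly signed) shown as a defensive check. This is an added example, not code from Mozilla or from the original post. HMAC stands in for a real code signature, and the key, version numbers, file contents and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key. A real updater verifies an
# asymmetric code signature; HMAC keeps this example inside the standard library.
VENDOR_KEY = b"constructed-demo-key"


def sign(version: str, payload: bytes) -> bytes:
    """Vendor side: sign the version together with the file contents."""
    return hmac.new(VENDOR_KEY, version.encode() + b"\0" + payload, hashlib.sha256).digest()


def signature_ok(version: str, payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(version, payload), signature)


def parse_version(version: str) -> tuple:
    """'80.0.1' -> (80, 0, 1), so versions compare numerically rather than as text."""
    return tuple(int(part) for part in version.split("."))


def accept_signature_only(installed: str, version: str, payload: bytes, signature: bytes) -> bool:
    """Integrity check alone: any file the vendor ever signed passes."""
    return signature_ok(version, payload, signature)


def accept_with_rollback_check(installed: str, version: str, payload: bytes, signature: bytes) -> bool:
    """Signature check plus a version floor: nothing older than the installed build."""
    if not signature_ok(version, payload, signature):
        return False
    try:
        return parse_version(version) >= parse_version(installed)
    except ValueError:
        return False  # unparseable version: fail closed


# Constructed sample data: version numbers and contents are illustrative only.
INSTALLED = "80.0"
OLD_BUILD = ("68.0", b"older build contents")
NEW_BUILD = ("80.0.1", b"newer build contents")
OLD_SIG = sign(*OLD_BUILD)
NEW_SIG = sign(*NEW_BUILD)

if __name__ == "__main__":
    for name, (ver, data), sig in (("old", OLD_BUILD, OLD_SIG), ("new", NEW_BUILD, NEW_SIG)):
        print(name, accept_signature_only(INSTALLED, ver, data, sig),
              accept_with_rollback_check(INSTALLED, ver, data, sig))
```

The version is signed together with the contents so that a file cannot be relabelled with a newer version number without invalidating the signature.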










