Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CBC10B96B9C94D30B669358EE2407DAC@celsius>
Date: Wed, 10 Jul 2013 20:59:10 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <oss-security@...ts.openwall.com>
Subject: CVE request for Mozilla Thunderbird (Windows)

The installer of Mozilla Thunderbird writes the following command line
with unquoted spaces for uninstallation into the Windows registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 17.0.5 (x86 en-US)]
"UninstallString"="C:\\Program Files\\Mozilla Thunderbird\\uninstall\\helper.exe"

See <https://bugzilla.mozilla.org/show_bug.cgi?id=871084>,
<https://bugzilla.mozilla.org/show_bug.cgi?id=786407> and
<https://bugzilla.mozilla.org/show_bug.cgi?id=868746>

Due to a well-known and well-documented idiosyncrasy of Windows'
CreateProcess() API this can result in the execution of a rogue
program "C:\Program.exe" or "C:\Program Files\Mozilla.exe" with the
privileges of the caller.
Since the caller of this command line typically has administrative
rights this vulnerability can lead to a privilege escalation.

Affected versions: all current releases.

Fixed version: ?

Stefan Kanthak

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.