Mozilla Maintenance Service Write-lock bypass Vulnerability

A vulnerability in the Mozilla Maintenance Service (CVE-2023-29532) allows a local attacker to trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service to an update file on a malicious SMB server. This allows privilege escalation to the LocalSystem account. The vulnerability has been fixed in Firefox 112, Firefox ESR 102.10, and Thunderbird 102.10.

Details

Firefox and Thunderbird offer an optional feature, enabled by default, known as the Mozilla Maintenance Service, which allows application updates to be performed in the background without user interaction.

During the Mozilla Maintenance Service update process, update data is retrieved via a user-defined path pointing to a MAR archive. Because only MAR files from trusted sources may be used, a signature check is performed. This check only works as intended if the contents of the MAR file remain unchanged, because the file is accessed twice: once for the signature check and once for the actual update.

Although the MAR file is opened only once and then write-locked, this protection is insufficient if the file is retrieved from a malicious SMB server, since the lock is enforced by the remote server rather than by the client. After the initial read of the MAR file for signature verification, a malicious SMB server can serve a completely different MAR file for the actual update.
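The double-read pattern described above, next to the single-buffer variant that verifies and installs the same bytes, as an added example that is not Mozilla's code. The HMAC check and the RemoteFile class are constructed stand-ins for the MAR signature check and for a file fetched from a remote share.

```python
import hashlib
import hmac

# Constructed stand-in for the MAR signature check: an HMAC tag over the archive
# bytes. A real verifier checks a public-key signature, but the double-read flaw
# is independent of the signature scheme.
TRUSTED_KEY = b"constructed-demo-key"

def sign(archive: bytes) -> bytes:
    return hmac.new(TRUSTED_KEY, archive, hashlib.sha256).digest()

def verify(archive: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(archive), sig)

class RemoteFile:
    """Constructed stand-in for a file on a remote share: every read() goes
    back to the server, which may return different bytes each time."""
    def __init__(self, responses):
        self._responses = list(responses)
        self.opens = 0
    def read(self) -> bytes:
        data = self._responses[min(self.opens, len(self._responses) - 1)]
        self.opens += 1
        return data

def apply_update_vulnerable(remote: RemoteFile, sig: bytes):
    """Verify on one read, apply on a second read (the pattern in the advisory).
    Returns the bytes that would actually be installed, or None if rejected."""
    if not verify(remote.read(), sig):    # first read: signature check
        return None
    return remote.read()                  # second read: content may differ

def apply_update_fixed(remote: RemoteFile, sig: bytes):
    """Read once; verify that buffer; install that same buffer."""
    archive = remote.read()
    if not verify(archive, sig):
        return None
    return archive

GENUINE = b"MAR1:signed-genuine-update"     # constructed sample archive
TAMPERED = b"MAR1:unsigned-replacement"     # constructed sample archive

def demo():
    """Same signature, same remote source: only the fixed path installs the
    bytes that were actually verified. Returns (vulnerable, fixed) results."""
    sig = sign(GENUINE)
    vuln = apply_update_vulnerable(RemoteFile([GENUINE, TAMPERED]), sig)
    fixed = apply_update_fixed(RemoteFile([GENUINE, TAMPERED]), sig)
    return vuln, fixed   # (TAMPERED, GENUINE)
```

Copying the archive into a directory the unprivileged user cannot write before any verification gives the same single-source guarantee when the data must stay on disk.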

Impact

The issue can be exploited on Microsoft Windows to escalate privileges to the LocalSystem account, under which the service runs. To do this, the vulnerability is used to downgrade to an old, manipulated version of Firefox. This manipulated version can then be used in conjunction with the Mozilla Maintenance Service to load a malicious library during an update.

References

Holger Fuhrmannek (holger.fuhrmannek@telekom.de)