Mozilla Foundation Security Advisory 2015-84

Arbitrary file overwriting through Mozilla Maintenance Service with hard links

Announced
August 11, 2015
Reporter
James Forshaw
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird
Fixed in
  • Firefox 40
  • Firefox ESR 38.2
  • SeaMonkey 2.35
  • Thunderbird 38.2

Description

James Forshaw of Google Project Zero reported that the Mozilla Maintenance Service on Windows can be made to write its log file to a restricted location under an arbitrary file name: by winning a race condition, a local attacker places a hard link at the path where the service writes its log, and the service's privileged write then lands in the linked file. This allows the log data to overwrite a named file that the user would not otherwise have the privileges to change. If the overwritten file is consumed as input or as a script by a program running with elevated privileges, the result is an escalation of privilege. Exploitation requires local file system access and the ability to execute local programs.

This issue only affects Windows systems. OS X and Linux operating systems are unaffected.
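The pattern behind this advisory, shown as an added example that is not Mozilla's code: a privileged process that opens its log by path and writes will write into whatever inode that path names at that instant, so a hard link planted by an unprivileged user redirects the log into a file the user cannot touch. The hardened opener below validates the inode behind the opened descriptor instead of the path (a path check before the open would only add another race of the same kind). It is a POSIX stand-in for the Windows service; on Windows the corresponding check is GetFileInformationByHandle() on the opened handle, rejecting it when nNumberOfLinks is not 1. The file names, the temporary directory and the log line are constructed for the demonstration.

```c
/* Added example (not Mozilla code): the vulnerable "open the log by path and
 * write" pattern next to a hardened opener that validates the inode behind
 * the opened descriptor. POSIX stand-in for the Windows service; on Windows
 * the equivalent check is GetFileInformationByHandle() and rejecting a
 * handle whose nNumberOfLinks != 1. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { LOG_OK = 0, LOG_ERR_OPEN = -1, LOG_ERR_NOT_REGULAR = -2,
       LOG_ERR_HARDLINK = -3, LOG_ERR_OWNER = -4 };

/* Vulnerable: whichever inode the path resolves to at this instant receives
 * the log data. A hard link planted at `path` redirects the write elsewhere. */
int naive_log_open(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
}

/* Hardened: open, then check the descriptor, never the path. A stat() before
 * open() would only add a second race of the same kind. Returns a descriptor
 * (>= 0) or one of the negative LOG_ERR_* codes. */
int checked_log_open(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return LOG_ERR_OPEN;
    struct stat st;
    int rc = LOG_OK;
    if (fstat(fd, &st) != 0)          rc = LOG_ERR_OPEN;
    else if (!S_ISREG(st.st_mode))    rc = LOG_ERR_NOT_REGULAR; /* device, fifo, ... */
    else if (st.st_nlink != 1)        rc = LOG_ERR_HARDLINK;    /* another name points at this inode */
    else if (st.st_uid != geteuid())  rc = LOG_ERR_OWNER;       /* file pre-planted by another user */
    if (rc != LOG_OK) { close(fd); return rc; }
    return fd;
}

/* Constructed scenario, not from the advisory: `protected.cfg` stands in for
 * a file the attacker cannot write, `service.log` is the log path. Creating
 * the hard link only needs write access to the log's directory, which is the
 * attacker's position. Returns 1 if the log line landed in protected.cfg
 * (attack succeeded), 0 if the write was refused, -1 on setup failure. */
int run_scenario(int (*log_open)(const char *))
{
    char dir[] = "/tmp/mfsa2015-84.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char target[512], logpath[512];
    snprintf(target, sizeof target, "%s/protected.cfg", dir);
    snprintf(logpath, sizeof logpath, "%s/service.log", dir);

    const char original[] = "original\n";
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (t < 0) return -1;
    ssize_t n = write(t, original, sizeof original - 1);
    close(t);
    if (n != (ssize_t)(sizeof original - 1)) return -1;

    /* Attacker: plant the hard link before the service opens its log. */
    if (link(target, logpath) != 0) return -1;

    /* Service: append a log line through the opener under test. */
    int fd = log_open(logpath);
    if (fd >= 0) {
        const char line[] = "service: update completed\n";
        n = write(fd, line, sizeof line - 1);
        (void)n;
        close(fd);
    }

    /* Did protected.cfg change? That is the attacker's goal. */
    struct stat st;
    int hit = (stat(target, &st) == 0 && st.st_size > (off_t)(sizeof original - 1)) ? 1 : 0;
    unlink(logpath);
    unlink(target);
    rmdir(dir);
    return hit;
}

int main(void)
{
    printf("naive opener:   attack %s\n", run_scenario(naive_log_open) == 1 ? "succeeded" : "failed");
    printf("checked opener: attack %s\n", run_scenario(checked_log_open) == 1 ? "succeeded" : "failed");
    return 0;
}
```

The link-count check defends only against the hard-link variant; O_NOFOLLOW covers a symbolic link at the final path component, and the ownership check catches a file pre-created by another user at the log path. None of these replaces the structural fix, which is to keep the log in a directory that unprivileged users cannot write to, so that no one else can create names there in the first place.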
