Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE

From: Stefan Kanthak <>
Subject: Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE

Hi @ll,

Mozilla's (executable) full setup packages for Windows allow arbitrary
code execution resp. escalation of privilege: their SETUP.EXE loads
SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\"
created during self-extraction of the full setup packages.

This vulnerability is well-known, every developer past absolute beginner
should know about it: <>

See <> for all the
trouble Mozilla's developers went through to fix this vulnerability in
the 7zip self-extractor.
See <> for this
vulnerability in their maintenance_installer.exe.

Proof of concept:

1. fetch any Mozilla full setup package (these are self-extracting
   archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe"
   from <>

2. extract this full setup package into an arbitrary directory, for
   example "%TEMP%\7zSxyz.tmp", using (again for example)
      7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"

3. fetch <>
   (see <>) and save it
   as "%TEMP%\7zSxyz.tmp\shfolder.dll"

4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click:
   the installer detection of Windows user account control (see
   will chime in and prompt for consent resp. for an administrator
   password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads
   "%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box



   If your favourite applications are not distributed in the native
   installer package format of the resp. target OS: ask^WURGE their
   vendors/developers to provide native installation packages.
   If they don't: dump these applications, stay away from such software!

1. Turn off privilege elevation for standard users and installer
   detection for all users:

   "ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests

   See <>

2. deny execution in all "%TEMP%" directories and their subdirectories:

   * add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
     files in this directory for everyone, inheritable to all files
     in all subdirectories" (use CACLS.EXE /SDDL for example);

   * use "software restriction policies" resp. AppLocker.

stay tuned
Stefan Kanthak

PS: Mozilla sits on this unfixed vulnerability for about 30 months:
    see <>

['] SHFOLDER.DLL is cruft from the last millennium, it was used on
    Windows 9x without Internet Explorer 4; see

    DONT USE the code shown in this MSKB article!

    See <>,
    <> and

[] self-extracting archives and executable installers are flawed^W
    insanely stupid in concept and dangerous in practice.

    ALWAYS use the resp. platforms native package and archive format.

    For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),
    introduced 20 years ago (with Windows 95 and Windows NT4) resp.
    16 years ago (with Office 2000).

    Both .INF and .MSI are "opened" by programs residing in
    %SystemRoot%\System32\ which are therefore immune to this kind of
    "DLL (and EXE) Search Order Hijacking" attack.
    Since both .INF and .MSI can access the contents of .CAB directly
    they eliminate the attack vector "unsafe temporary directory" too.

    See <> and
    <> as example of a
    native installer package for "Firefox 38.3.0 ESR (x86 de)":

    1.a. create FIREFOX.CAB from the unpacked full setup package
         (see above; I used the german language version): run the
         command line
           MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF

    1.b. create FIREFOX.CAB from the copy installed on your system:
         run the command line
           MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF

    2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and
       then click "Install", or run the command line
           InfDefaultInstall.Exe "<path>\FIREFOX.INF"
           RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF

Copyright © 1995-2020 All rights reserved.