739343 - (CVE-2011-3671) Use After Free in nsHTMLSelectElement (ZDI-CAN-1301)

Status: VERIFIED FIXED

(Core :: General, defect)

Description

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

ZDI-CAN-1301: Mozilla Firefox nsHTMLSelectElement Remote Code
Execution Vulnerability


-- CVSS -----------------------------------------

7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P


-- ABSTRACT -------------------------------------

TippingPoint has identified a vulnerability affecting the following
products:

  Mozilla Firefox


-- VULNERABILITY DETAILS ------------------------

Version(s)  tested: Mozilla Firefox v4.0
Platform(s) tested: XP SP3

Object is used after free. A vtable pointer within the object is
referenced at 1043781c (mov eax, dword ptr [edx+44h]) and the value
fetched from the table is jumped to at 1043781f (call eax).

Code surrounding vulnerability:

10437812 7408 je xul!nsINode::ReplaceOrInsertBefore+0x39820c (1043781c)
10437814 8b4250 mov eax,dword ptr [edx+50h]
10437817 53 push ebx
10437818 ffd0 call eax
1043781a eb05 jmp xul!nsINode::ReplaceOrInsertBefore+0x398211 (10437821)
1043781c 8b4244 mov eax,dword ptr [edx+44h] ds:0023:41414185=????????
 //vulnerable deref
1043781f ffd0 call eax //call to vulnerable deref

With heap spray, EIP is controlled:

(374.518): Access violation - code c0000005 (!!! second chance !!!)
eax=0c0c0c0c ebx=00000000 ecx=0426a600 edx=0c0c0c0c esi=0426a600
edi=043e1940
eip=0c0c0c0c esp=0012cbb0 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
0c0c0c0c 0c0c or al,0Ch

0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012cbac 10437821 0xc0c0c0c
0012cbdc 1010ca1a xul!nsINode::ReplaceOrInsertBefore+0x398211
0012cc48 1055eb86 xul!nsCOMPtr_base::assign_from_qi+0x2a
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\xpcom\build\nscomptr.cpp
98]
0012cc50 1057a744
xul!nsCOMPtr<nsIDOMHTMLOptionElement>::nsCOMPtr<nsIDOMHTMLOptionElement>+0x18
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\dist\include\nscomptr.h
596]
0012cc74 10962eb5 xul!nsHTMLOptionCollection::Add+0x8c
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\html\content\src\nshtmlselectelement.cpp
2286]
0012ccac 00535221 xul!nsIDOMNSHTMLOptionCollection_Add+0xf2
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\js\src\xpconnect\src\dom_quickstubs.cpp
20899]
0012d288 0052cb31 mozjs!js::Interpret+0x6331
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 4801]
0012d2bc 0052cf51 mozjs!js::RunScript+0xb1
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 653]
0012d314 0052d72c mozjs!js::Invoke+0x3b1
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 740]
0012d350 004ed4cf mozjs!js::ExternalInvoke+0x1dc
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 863]
0012d384 10176229 mozjs!JS_CallFunctionValue+0x4f
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsapi.cpp 5174]
0012d44c 10192a2b xul!nsJSContext::CallEventHandler+0x2b9
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\dom\base\nsjsenvironment.cpp
1915]
0012d548 101a4ca2 xul!nsJSEventListener::HandleEvent+0x11b
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\dom\src\events\nsjseventlistener.cpp
230]
0012d634 1013acbe xul!nsEventListenerManager::HandleEventSubType+0x36
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventlistenermanager.cpp
1127]
0012d688 10125c72
xul!nsEventListenerManager::HandleEventInternal+0x2ce
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventlistenermanager.cpp
1224]
0012d6d4 1010ad14
xul!nsEventTargetChainItem::HandleEventTargetChain+0x2d2
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventdispatcher.cpp
341]
0012d774 101a57d0 xul!nsEventDispatcher::Dispatch+0x484
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventdispatcher.cpp
632]
0012d7ec 101a5997 xul!DocumentViewerImpl::LoadComplete+0x109
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\layout\base\nsdocumentviewer.cpp
1055]
0012d9d8 10095a63 xul!nsDocShell::EndPageLoad+0xbd
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\docshell\base\nsdocshell.cpp
6087]
0012da28 100c9413 xul!nsDocShell::OnStateChange+0xc5
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\docshell\base\nsdocshell.cpp
5938]
0012da6c 10024d53 xul!nsDocLoader::FireOnStateChange+0x133
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
1334]
0012da80 10195e5b xul!nsDocLoader::doStopDocumentLoad+0x1c
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
953]
00000000 00000000 xul!nsDocLoader::DocLoaderIsEmpty+0x1cb
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
@ 820]



With heap spray removed:

eax=06860800 ebx=00000000 ecx=06913300 edx=41414141 esi=06913300
edi=07f7a7c0
eip=1043781c esp=0012cbb4 ebp=00000001 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
xul!nsINode::ReplaceOrInsertBefore+0x39820c:
1043781c 8b4244 mov eax,dword ptr [edx+44h] ds:0023:41414185=????????

0:000> k
ChildEBP RetAddr
0012cbdc 1010ca1a xul!nsINode::ReplaceOrInsertBefore+0x39820c
0012cc48 1055eb86 xul!nsCOMPtr_base::assign_from_qi+0x2a
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\xpcom\build\nscomptr.cpp
98]
0012cc50 1057a744
xul!nsCOMPtr<nsIDOMHTMLOptionElement>::nsCOMPtr<nsIDOMHTMLOptionElement>+0x18
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\dist\include\nscomptr.h
596]
0012cc74 10962eb5 xul!nsHTMLOptionCollection::Add+0x8c
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\html\content\src\nshtmlselectelement.cpp
2286]
0012ccac 01695221 xul!nsIDOMNSHTMLOptionCollection_Add+0xf2
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\obj-firefox\js\src\xpconnect\src\dom_quickstubs.cpp
20899]
0012d288 0168cb31 mozjs!js::Interpret+0x6331
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 4801]
0012d2bc 0168cf51 mozjs!js::RunScript+0xb1
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 653]
0012d314 0168d72c mozjs!js::Invoke+0x3b1
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 740]
0012d350 0164d4cf mozjs!js::ExternalInvoke+0x1dc
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsinterp.cpp 863]
0012d384 10176229 mozjs!JS_CallFunctionValue+0x4f
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\js\src\jsapi.cpp 5174]
0012d44c 10192a2b xul!nsJSContext::CallEventHandler+0x2b9
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\dom\base\nsjsenvironment.cpp
1915]
0012d548 101a4ca2 xul!nsJSEventListener::HandleEvent+0x11b
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\dom\src\events\nsjseventlistener.cpp
230]
0012d634 1013acbe xul!nsEventListenerManager::HandleEventSubType+0x36
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventlistenermanager.cpp
1127]
0012d688 10125c72
xul!nsEventListenerManager::HandleEventInternal+0x2ce
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventlistenermanager.cpp
1224]
0012d6d4 1010ad14
xul!nsEventTargetChainItem::HandleEventTargetChain+0x2d2
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventdispatcher.cpp
341]
0012d774 101a57d0 xul!nsEventDispatcher::Dispatch+0x484
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\content\events\src\nseventdispatcher.cpp
632]
0012d7ec 101a5997 xul!DocumentViewerImpl::LoadComplete+0x109
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\layout\base\nsdocumentviewer.cpp
1055]
0012d9d8 10095a63 xul!nsDocShell::EndPageLoad+0xbd
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\docshell\base\nsdocshell.cpp
6087]
0012da28 100c9413 xul!nsDocShell::OnStateChange+0xc5
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\docshell\base\nsdocshell.cpp
5938]
0012da6c 10024d53 xul!nsDocLoader::FireOnStateChange+0x133
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
1334]
0012da80 10195e5b xul!nsDocLoader::doStopDocumentLoad+0x1c
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
953]
00000000 00000000 xul!nsDocLoader::DocLoaderIsEmpty+0x1cb
[e:\builds\moz2_slave\rel-2.0-w32-bld\build\uriloader\base\nsdocloader.cpp
@ 820]



-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   regenrecht

-- FURTHER DETAILS ------------------------------

If supporting files were contained with this report they are provided
within a password protected ZIP file. The password is the ZDI
candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to
remediate ZDI vulnerabilities within 180 days of the reported date. If
you are ready to release a patch at any point leading up the the
deadline please coordinate with us so that we may release our advisory
detailing the issue. If the 180 day deadline is reached and no patch
has been made available we will release a limited public advisory with
our own mitigations so that the public can protect themselves in the
absence of a patch. Please keep us updated regarding the status of
this issue and feel free to contact us at any time:

Derek Brown
Security Liaison
Zero Day Initiative
zdi-disclosures@tippingpoint.com

The PGP key used for all ZDI vendor communications is available from:

     http://www.zerodayinitiative.com/documents/zdi-pgp-key.asc

-- INFORMATION ABOUT THE ZDI ---------------------

Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for
responsibly disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until an
official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Please contact us for further information or refer to:

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Comment 1

[Benjamin Smedberg]

Curtis, did they provide a testcase with the email? And do we know why they are testing against Firefox 4?

Comment 3

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

Benjamin, sorry for the delay I got the PoC they sent decrypted then unzipped and now attached.

Comment 4

[Daniel Veditz [:dveditz]]

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> And do we know why they are testing against Firefox 4?

Their original report apparently got lost around the holidays, but others they reported around that time were ZDI-CAN-14xx and filed against Firefox 8/9. Given the much earlier number I'm guessing this was originally filed by regenrecht when Firefox 4 was the current version. I have no idea why they held on to it until December.

Comment 5

[Daniel Veditz [:dveditz]]

On a Mac I crash in 4.0.1 and 8.0.1 and do not crash in 9.0.1
bp-935999fe-d705-43dc-b4a0-ac0fe2120326
bp-cbabbca7-12cc-4101-841f-2bf222120326
bp-e71ff3e8-eb39-4c5c-bd46-ebc782120326

Comment 6

[Mats Palmgren (inactive)]

On Windows XP, I crash in 8.0.1 but not in 9.0

Bug 711616, fixed in that range, mentions some ownership problem with
nsHTMLOptionCollection.

Comment 7

[Mats Palmgren (inactive)]

It was fixed for Linux x86-64 mozilla-central builds in this range: 
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58c04967ac5b&tochange=0a936ddb70e9

There's a mozilla-inbound built on rev 7a21ce9c4482 that crashes,
which is just before the merge.  So, bug 335998 "strong parentNode"
seems very likely to have fixed it.

Comment 8

[Daniel Veditz [:dveditz]]

Thanks for the investigation, Mats.

fwiw this does not crash 3.6.28 either.

Comment 9

[Al Billings [:abillings - ex-MoCo]]

Marking this as verified since everyone else forgot to do so when verifying. :-)