Closed Bug 1559845 Opened 7 years ago Closed 7 years ago

Firefox breakout observed in the wild

Categories

(Core :: JavaScript Engine: JIT, task)

task
Not set
major

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr60 67+ fixed
firefox67 blocking fixed
firefox68 blocking fixed
firefox69 blocking fixed

People

(Reporter: hayden, Assigned: jandem)

References

Details

(Keywords: reporter-external, sec-critical, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file 0day.js (obsolete) —

Today we received a targeted phishing attack against some employees that appears to exploit the latest version of firefox on OSX (67?) and escapes the sandbox to gain execution on the machine.

Our endpoint detection tooling shows that the malicious page caused firefox to shell out a curl command that downloaded and ran the actual malware payload.

I've attached the payload that we believe contains the exploit code. I can attach the full HTTP session from our investigation as well.

Flags: sec-bounty?

At first glance this looks like a JIT issue, though there's some references to DocShell. We ultimately need to find two bugs (at least) in here: the initial exploit and then how they escaped the sandbox to download their curl payload

Group: firefox-core-security → core-security
Component: Security → JavaScript Engine: JIT
Product: Firefox → Core
Attachment #9072576 - Attachment mime type: text/xml → text/plain
Assignee: nobody → jdemooij
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Group: core-security → javascript-core-security
Attached file exploit main.js

This version of the exploit doesn't contain remote URLs. It basically reloads itself with the first line modified containing (const TYPE = 'worker' or 'final'). You need to create these two copies to fully reproduce.

Attached file Shell testcase

Repros for me in the JS shell on rev 51deb82b686d, before the fix for bug 1544386 landed, not on the next rev with the fix. Testcase also has similar array.pop() calls.

The Sandbox escape happens by reloading itself as a modal window (which the Prompt:Open message provides). This gives you a process switch to the parent. From there, the attacker can just launch the exploit again.
E.g.,
docShell.messageManager.sendAsyncMessage("Prompt:Open", {uri: "XXX own source code again here"});.

Discussing the Sandbox escape is in bug 1559858 now.

Requested mozilla-release approval for bug 1544386.

Depends on: CVE-2019-11707

Note: the tests in this bug do not repro on ESR60 (but ESR is definitely vulnerable). The test in bug 1544386 comment 0 repros and the patch fixes it.

No longer blocks: CVE-2019-11708
Depends on: CVE-2019-11708

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b46f3ba0c766
user: Jan de Mooij
date: Sat May 12 11:46:51 2018 +0200
summary: Bug 1460381 - Support sealed and non-extensible dense elements on native objects. r=anba

For reference, both decoder's and Jan's attached shell testcases bisect to this particular changeset, since it uses .seal, however, the underlying cause may be something else.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #10)

autobisectjs shows this is probably related to the following changeset:

It's only related in that we used to deoptimize all dense elements when sealing an object - so we'd never hit the buggy code before that change. That's just an 'implementation detail' of this particular exploit and not required to trigger the bug (see bug 1544386).

Our CISO Philip is planning on tweeting a little more information about the attack we saw, including IOCs, and plans to disclose that there is a separate sandbox escape that exists right now. Please let me know if there are any concerns with this.

(In reply to Hayden Parker from comment #12)

Our CISO Philip is planning on tweeting a little more information about the attack we saw, including IOCs, and plans to disclose that there is a separate sandbox escape that exists right now. Please let me know if there are any concerns with this.

Bugzilla is probably not an ideal method for discussing this. Emailing security@mozilla.org would be better. I think we'd prefer to not publicly discuss the sandbox escape until we have finalized our patch for the issue and shipped the fix in a release. It will draw further attention to the issue by potential hackers if discussed before this.

Flags: needinfo?(hayden)

Discussion moved to security@ email.

We have bugs filed for the two sub problems, but I think it makes sense to mark this sec-critical.

Keywords: sec-critical

Fixed by bug 1544386 and bug 1559858.

Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Flags: needinfo?(hayden)

Hey team,

A couple questions.

So far we're only seeing this exploit code work on OSX. Can you confirm that the vulnerability does not impact windows users?

Second, in the getOffsets function of the exploit code I send over, I see a check for version 66 of Firefox. Was version 66 affected by this?

Thanks for all the help.

The actual exploit might only work on certain versions and OSes, but the two underlying flaws the exploit took advantage of look like they affected all versions at least back to 60, and probably further back, and all operating systems, so presumably some variant of the exploit could be made to work.

Flags: sec-bounty?
Group: javascript-core-security → core-security-release
Severity: normal → major
Attachment #9072585 - Attachment mime type: application/x-javascript → text/plain
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: