Firefox breakout observed in the wild
Categories
(Core :: JavaScript Engine: JIT, task)
Tracking
()
People
(Reporter: hayden, Assigned: jandem)
References
Details
(Keywords: reporter-external, sec-critical, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(2 files)
Today we received a targeted phishing attack against some employees that appears to exploit the latest version of firefox on OSX (67?) and escapes the sandbox to gain execution on the machine.
Our endpoint detection tooling shows that the malicious page caused firefox to shell out a curl command that downloaded and ran the actual malware payload.
I've attached the payload that we believe contains the exploit code. I can attach the full HTTP session from our investigation as well.
| Reporter | ||
Comment 1•7 years ago
|
||
Comment 2•7 years ago
|
||
At first glance this looks like a JIT issue, though there's some references to DocShell. We ultimately need to find two bugs (at least) in here: the initial exploit and then how they escaped the sandbox to download their curl payload
Updated•7 years ago
|
| Assignee | ||
Updated•7 years ago
|
Updated•7 years ago
|
Updated•7 years ago
|
Comment 3•7 years ago
|
||
This version of the exploit doesn't contain remote URLs. It basically reloads itself with the first line modified containing (const TYPE = 'worker' or 'final'). You need to create these two copies to fully reproduce.
| Assignee | ||
Comment 4•7 years ago
|
||
Repros for me in the JS shell on rev 51deb82b686d, before the fix for bug 1544386 landed, not on the next rev with the fix. Testcase also has similar array.pop() calls.
Comment 5•7 years ago
|
||
The Sandbox escape happens by reloading itself as a modal window (which the Prompt:Open message provides). This gives you a process switch to the parent. From there, the attacker can just launch the exploit again.
E.g.,
docShell.messageManager.sendAsyncMessage("Prompt:Open", {uri: "XXX own source code again here"});.
Updated•7 years ago
|
Comment 6•7 years ago
•
|
||
Discussing the Sandbox escape is in bug 1559858 now.
| Assignee | ||
Comment 7•7 years ago
|
||
Requested mozilla-release approval for bug 1544386.
Comment 8•7 years ago
|
||
| Assignee | ||
Comment 9•7 years ago
|
||
Note: the tests in this bug do not repro on ESR60 (but ESR is definitely vulnerable). The test in bug 1544386 comment 0 repros and the patch fixes it.
Updated•7 years ago
|
Updated•7 years ago
|
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b46f3ba0c766
user: Jan de Mooij
date: Sat May 12 11:46:51 2018 +0200
summary: Bug 1460381 - Support sealed and non-extensible dense elements on native objects. r=anba
For reference, both decoder's and Jan's attached shell testcases bisect to this particular changeset, since it uses .seal, however, the underlying cause may be something else.
| Assignee | ||
Comment 11•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #10)
autobisectjs shows this is probably related to the following changeset:
It's only related in that we used to deoptimize all dense elements when sealing an object - so we'd never hit the buggy code before that change. That's just an 'implementation detail' of this particular exploit and not required to trigger the bug (see bug 1544386).
| Reporter | ||
Comment 12•7 years ago
|
||
Our CISO Philip is planning on tweeting a little more information about the attack we saw, including IOCs, and plans to disclose that there is a separate sandbox escape that exists right now. Please let me know if there are any concerns with this.
Comment 13•7 years ago
|
||
(In reply to Hayden Parker from comment #12)
Our CISO Philip is planning on tweeting a little more information about the attack we saw, including IOCs, and plans to disclose that there is a separate sandbox escape that exists right now. Please let me know if there are any concerns with this.
Bugzilla is probably not an ideal method for discussing this. Emailing security@mozilla.org would be better. I think we'd prefer to not publicly discuss the sandbox escape until we have finalized our patch for the issue and shipped the fix in a release. It will draw further attention to the issue by potential hackers if discussed before this.
Comment 14•7 years ago
•
|
||
Discussion moved to security@ email.
Comment 15•7 years ago
|
||
We have bugs filed for the two sub problems, but I think it makes sense to mark this sec-critical.
Comment 16•7 years ago
|
||
Fixed by bug 1544386 and bug 1559858.
Updated•7 years ago
|
| Reporter | ||
Comment 17•7 years ago
|
||
Hey team,
A couple questions.
So far we're only seeing this exploit code work on OSX. Can you confirm that the vulnerability does not impact windows users?
Second, in the getOffsets function of the exploit code I send over, I see a check for version 66 of Firefox. Was version 66 affected by this?
Thanks for all the help.
Comment 18•7 years ago
|
||
The actual exploit might only work on certain versions and OSes, but the two underlying flaws the exploit took advantage of look like they affected all versions at least back to 60, and probably further back, and all operating systems, so presumably some variant of the exploit could be made to work.
Updated•7 years ago
|
Updated•7 years ago
|
Updated•7 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•2 years ago
|
Description
•