Closed Bug 453751 Opened 16 years ago Closed 15 years ago

XUL Garbage Collection Dangling Pointer Code Execution Vulnerability (ZDI-CAN-385)

Component: Core :: XUL
Type: defect; Priority: Not set; Severity: critical

Status: RESOLVED FIXED
Tracking Status:
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People: Reporter: dveditz, Assigned: dveditz

Keywords: fixed1.9.0.7
Whiteboard: [sg:dupe 474456] same as ZDI-CAN-423

Advisory received from ZDI:
---------------------------

ZDI-CAN-385: Mozilla Firefox XUL Garbage Collection Dangling Pointer Code Execution Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following 
products:

    Mozilla Firefox 3.0.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists in the browser's handling of a specific series
of XUL JavaScript operations which lead to a cycle in the garbage
collector. This cycle can result in an exploitable memory corruption
allowing attackers to execute arbitrary code under the context of the
current user.

The following example sequence will result in a call to an invalid
address which can be exploited via standard heap fill techniques:

  xulelem = document.getElementById('mainxul');
  tree=document.createElementNS(xulns,'tree');
  tabbox=document.createElementNS(xulns,'tabbox');
  xulelem.appendChild(tabbox);
  content=document.createElementNS(xulns,'content');
  content.appendChild(xulelem);
  menupopup=document.createElementNS(xulns,'menupopup');
  tmptmp = menupopup.cloneNode(false);
  clone = tmptmp;
  tree.appendChild(clone);

mainxul is a <xul> element. After a reload of the page, release will be
called on the tree object multiple times during garbage collection. Each
release will lead to a decrease of the reference counter of the already
freed object. If the reference counter is zero after a decrease, the
same memory region will be deleted again. Object deletion will cause
multiple method calls on the object.

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * Anonymous
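The advisory describes a Release() reaching an object whose destructor has already run, so the count goes negative and the same memory is deleted a second time; the comment that follows checked for exactly this by counting XUL elements created and destroyed. As an added example (not part of this bug or of Mozilla's code), here is a small audit over a constructed refcount trace: the line format and the sample lines are assumptions, loosely modelled on a per-object Ctor/AddRef/Release/Dtor log, and the checker flags any Release or destructor that hits an object already destroyed.

```python
import re

# Constructed trace format (an assumption, not XPCOM's refcount log):
#   <class> <address> <op> <refcount-after-op>
SAMPLE_TRACE = """\
nsXULElement 0x1000 Ctor 0
nsXULElement 0x1000 AddRef 1
nsXULElement 0x1000 AddRef 2
nsXULElement 0x1000 Release 1
nsXULElement 0x1000 Release 0
nsXULElement 0x1000 Dtor 0
nsXULElement 0x1000 Release -1
nsXULElement 0x1000 Release -2
nsXULElement 0x1000 Dtor -2
nsXULElement 0x2000 Ctor 0
nsXULElement 0x2000 AddRef 1
nsXULElement 0x2000 Release 0
nsXULElement 0x2000 Dtor 0
"""

LINE = re.compile(r"^(\S+) (0x[0-9a-fA-F]+) (Ctor|AddRef|Release|Dtor) (-?\d+)$")


def audit(trace):
    """Replay a trace and report releases/destructions on dead objects.

    Returns {'created', 'destroyed', 'findings'} where findings is a list of
    (line_no, address, kind) and kind is one of 'dangling-release',
    'dangling-addref' or 'double-delete'. An address may be legitimately
    reused after its Dtor, so liveness is tracked per address, not per name.
    """
    live = {}            # address -> True while the object exists
    created = destroyed = 0
    findings = []
    for line_no, raw in enumerate(trace.splitlines(), start=1):
        m = LINE.match(raw.strip())
        if not m:
            continue          # ignore unrelated log lines
        _cls, addr, op, _cnt = m.groups()
        if op == "Ctor":
            live[addr] = True
            created += 1
        elif op == "Dtor":
            if live.get(addr):
                live[addr] = False
                destroyed += 1
            else:
                findings.append((line_no, addr, "double-delete"))
        elif not live.get(addr):  # AddRef/Release on a destroyed object
            findings.append((line_no, addr, "dangling-" + op.lower()))
    return {"created": created, "destroyed": destroyed, "findings": findings}
```

A clean run is one where created equals destroyed and findings is empty; the sample trace reproduces the advisory's pattern, two releases after the destructor followed by a second delete of the same address.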

When I run code like the above on the latest code and reload several times, I get no crashes, an equal number of nsXULElements created and destroyed, and no missing or extra calls specifically for trees.

It isn't clear from the description what 'the tree object' is or how its references were measured. The code above never inserts the tree into the DOM though, so I assume the nsXULElement is meant (as no frames or XBL would get applied). However, I don't get any errors even if I do insert the tree either.
Whiteboard: [sg:investigate]
Alias: ZDI-CAN-385
Assignee: nobody → dveditz
Summary: XUL Garbage Collection Dangling Pointer Code Execution Vulnerability → XUL Garbage Collection Dangling Pointer Code Execution Vulnerability (ZDI-CAN-385)
Whiteboard: [sg:investigate] → [sg:needinfo]
blocking1.9.1: --- → ?
status1.9.1: --- → ?
Flags: wanted1.9.0.x?
Flags: blocking1.9.2?
Flags: blocking1.9.0.16?
Whiteboard: [sg:needinfo] → [sg:critical?]
Dan, can you reproduce with their testcase?
On Linux, I don't see any valgrind warnings on either trunk 64-bit debug or 3.0.10 release loading the payload.html/exploit.html cycle.
blocking1.9.1: ? → .5+
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.16?
Flags: blocking1.9.0.16+
Flags: blocking1.9.2? → wanted1.9.2+
This is fixed in Firefox 3.0.7. I haven't nailed the specific fix range but it's between 2009/2/1 and 2009/2/14 -- I suspect bug 474456 also submitted by ZDI (as ZDI-CAN-423).
blocking1.9.1: .5+ → ---
Depends on: 474456
Flags: wanted1.9.2+
Flags: blocking1.9.0.16+
Keywords: fixed1.9.0.7
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 474456
Yes, this was fixed between the 2009-02-04-05 nightly and the 2009-02-05-06 nightly. bug 474456 is really the only likely fix in that range.

http://bonsai.mozilla.org/cvsquery.cgi?module=AviaryBranchTinderbox&branch=HEAD&date=explicit&mindate=2009-02-04&maxdate=2009-02-05%2005:00&cvsroot=%2Fcvsroot
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
Whiteboard: [sg:critical?] fixed by 474456 → [sg:dupe 474456]
Whiteboard: [sg:dupe 474456] → [sg:dupe 474456] same as ZDI-CAN-423