Closed Bug 506871 Opened 15 years ago Closed 15 years ago

TreeColumns Dangling Pointer Vulnerability (ZDI-CAN-536)

Categories

(Core :: XUL, defect, P2)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2b1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .3+
status1.9.1 --- .3-fixed

People

(Reporter: dveditz, Assigned: dbaron)

References

Details

(6 keywords, Whiteboard: [sg:critical])

Attachments

(2 files)

XUL file as described
613 bytes, application/vnd.mozilla.xul+xml
Details
patch
2.66 KB, patch
roc
: review+
samuel.sidler+old
: approval1.9.1.3+
samuel.sidler+old
: approval1.9.0.14+
dveditz
: approval1.8.1.next+
dbaron
: approval1.8.0.next?
Details | Diff | Splinter Review 
ZDI-CAN-536: Mozilla Firefox TreeColumns Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following 
products:

    Mozilla Firefox 3.0.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists during the redrawing of tree columns contained
within a XUL document. Due to the reuse of a previously freed object,
attacker controlled memory can be executed. Successful exploitation of
this vulnerability can lead to remote compromise of the affected system
under the credentials of the currently logged in user.

When accessing the column information and then redrawing the screen, a
pointer is freed by the garbage collector, which is later accessed
allowing user controllable memory to be executed by a dangling pointer.

The following XUL document demonstrates the tree while the Javascript
accompanying it results in an exploitable condition.

<tree id="tr">
   <treecols>
     <treecol flex="1"/>
   </treecols>
   <treechildren>
   </treechildren>
</tree>

o5 = document.getElementById('tr');
o62 = o5.columns.getFirstColumn();
o5.style.MozBinding = 'url("binding.xml#bind351")';
window.QueryInterface(Components.interfaces.nsIInterfaceRequestor).getInterface(Components.interfaces.nsIDOMWindowUtils).redraw();
o62.columns;
o62.columns;

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * Anonymous
Flags: wanted1.9.0.x?
Report only mentions 3.0.x. Does this not affect 3.5.x, or did they only confirm it on 3.0.x?
Whiteboard: [sg:critical]
blocking1.9.1: ? → ---
status1.9.1: --- → ?
Attached file XUL file as described 
Doesn't crash my 3.0.10.  Are particular contents of the binding.xml file needed?
(In reply to comment #2)
> Doesn't crash my 3.0.10.  Are particular contents of the binding.xml file
> needed?

dveditz followed-up with TippingPoint on that, but they have yet to respond, afaict.
Keywords: testcase
Annoyingly enough, it doesn't seem to crash under valgrind, though it crashes instantly without valgrind.

Looks like it involves JS having a pointer to an nsTreeColumn whose mColumns pointer is dangling (pointing to freed memory).

It makes sense that the nsTreeColumns is gone; we've reframed the tree when we set the binding.  But the nsTreeColumns destructor should have nulled out the columns pointer back to it.  Presumably it got detached from the nsTreeColumns some other way.
Attached patch patchSplinter Review 
Well, I looked at the code, and looked for places that might have left dangling pointers, and found two, and fixed them, and then it stopped crashing.

Plus a new assertion for bonus points.
Attachment #393090 - Flags: review?(roc)
Assignee: nobody → dbaron
blocking1.9.1: --- → ?
Component: Security → XP Toolkit/Widgets: XUL
Flags: blocking1.9.2?
Flags: blocking1.9.0.14?
Priority: -- → P2
QA Contact: toolkit → xptoolkit.xul
Target Milestone: --- → mozilla1.9.2b1
Flags: in-testsuite?
So, for what it's worth, this seems like the sort of patch that people reading patches being landed would have a pretty good chance of figuring out how to exploit.  Any thoughts on when I should or shouldn't land it, or other ways to disguise it?
People are apparently already looking at this area, so let's land ASAP
blocking1.9.1: ? → .3+
status1.9.1: ?wanted
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.14?
Flags: blocking1.9.0.14+
Fixed on mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/ec77f4fe64a5
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Attachment #393090 - Flags: approval1.9.1.3?
Attachment #393090 - Flags: approval1.9.0.14?
For the record, it looks like this is a regression from bug 291531.
Blocks: 291531
... well, actually, not really, since the same problem existed in a different place before that.
No longer blocks: 291531
Attachment #393090 - Flags: approval1.8.1.next?
Attachment #393090 - Flags: approval1.8.0.next?
Comment on attachment 393090 [details] [diff] [review]
patch

Approved for 1.9.1.3 and 1.9.0.14. a=ss for release-drivers
Attachment #393090 - Flags: approval1.9.1.3?
Attachment #393090 - Flags: approval1.9.1.3+
Attachment #393090 - Flags: approval1.9.0.14?
Attachment #393090 - Flags: approval1.9.0.14+
Fix checked in to CVS trunk (for 1.9.0.14), 2009-08-08 20:20:10 -0700.
Keywords: fixed1.9.0.14
Verified fixed in 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). Testcase no longer crashes as it does when tested with 1.9.0.13 build.
Keywords: fixed1.9.0.14verified1.9.0.14
Verified fixed for 1.9.1.3 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1
Blocks: 291531
Keywords: regression
Group: core-security
(In reply to comment #13)
> ... well, actually, not really, since the same problem existed in a different
> place before that.

... probably introduced when the code was first written in bug 221619, but even then it could have been moved from elsewhere (though it doesn't look like it).
Blocks: 221619
No longer blocks: 291531
Flags: blocking1.9.2? → blocking1.9.2+
This landed on mozilla-central before 1.9.2 branched, but wasn't a blocker at the time we did the mass-marking, so marking status1.9.2:beta1-fixed .
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ec77f4fe64a5
status1.9.2: --- → beta1-fixed
verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b1pre) Gecko/20090925 Namoroka/3.6b1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Comment on attachment 393090 [details] [diff] [review]
patch

Approved for 1.8.1.24, a=dveditz for release-drivers
Attachment #393090 - Flags: approval1.8.1.next? → approval1.8.1.next+
Need to make sure this doesn't break TB 2 before landing on 1.8.1.24
(In reply to comment #23)
> Need to make sure this doesn't break TB 2 before landing on 1.8.1.24

I built TB 2 and played around with various tree elements and couldn't see any issues...

(In reply to comment #22)
> (From update of attachment 393090 [details] [diff] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checking in layout/xul/base/src/tree/src/nsTreeColumns.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeColumns.cpp,v  <--  nsTreeColumns.cpp
new revision: 1.7.30.4; previous revision: 1.7.30.3
done
Checking in layout/xul/base/src/tree/src/nsTreeColumns.h;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeColumns.h,v  <--  nsTreeColumns.h
new revision: 1.3.30.2; previous revision: 1.3.30.1
done
Keywords: fixed1.8.1.24
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: