The default bug view has changed. See this FAQ.

TreeColumns Dangling Pointer Vulnerability (ZDI-CAN-536)

VERIFIED FIXED in mozilla1.9.2b1

Status

()

Core
XP Toolkit/Widgets: XUL
P2
normal
VERIFIED FIXED
8 years ago
7 years ago

People

(Reporter: dveditz, Assigned: dbaron)

Tracking

(6 keywords)

Trunk
mozilla1.9.2b1
fixed1.8.1.24, regression, testcase, verified1.9.0.14, verified1.9.1, verified1.9.2
Points:
---
Bug Flags:
blocking1.9.2 +
blocking1.9.0.14 +
wanted1.9.0.x +
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 beta1-fixed, blocking1.9.1 .3+, status1.9.1 .3-fixed)

Details

(Whiteboard: [sg:critical])

Attachments

(2 attachments)

613 bytes, application/vnd.mozilla.xul+xml
Details
2.66 KB, patch
roc
: review+
Samuel Sidler (old account; do not CC)
: approval1.9.1.3+
Samuel Sidler (old account; do not CC)
: approval1.9.0.14+
Details | Diff | Splinter Review
(Reporter)

Description

8 years ago
ZDI-CAN-536: Mozilla Firefox TreeColumns Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following 
products:

    Mozilla Firefox 3.0.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists during the redrawing of tree columns contained
within a XUL document. Due to the reuse of a previously freed object,
attacker controlled memory can be executed. Successful exploitation of
this vulnerability can lead to remote compromise of the affected system
under the credentials of the currently logged in user.

When accessing the column information and then redrawing the screen, a
pointer is freed by the garbage collector, which is later accessed
allowing user controllable memory to be executed by a dangling pointer.

The following XUL document demonstrates the tree while the Javascript
accompanying it results in an exploitable condition.

<tree id="tr">
   <treecols>
     <treecol flex="1"/>
   </treecols>
   <treechildren>
   </treechildren>
</tree>

o5 = document.getElementById('tr');
o62 = o5.columns.getFirstColumn();
o5.style.MozBinding = 'url("binding.xml#bind351")';
window.QueryInterface(Components.interfaces.nsIInterfaceRequestor).getInterface(Components.interfaces.nsIDOMWindowUtils).redraw();
o62.columns;
o62.columns;

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * Anonymous
Flags: wanted1.9.0.x?
Report only mentions 3.0.x. Does this not affect 3.5.x, or did they only confirm it on 3.0.x?
Whiteboard: [sg:critical]
blocking1.9.1: ? → ---
status1.9.1: --- → ?
(Assignee)

Comment 2

8 years ago
Created attachment 392159 [details]
XUL file as described

Doesn't crash my 3.0.10.  Are particular contents of the binding.xml file needed?
(In reply to comment #2)
> Doesn't crash my 3.0.10.  Are particular contents of the binding.xml file
> needed?

dveditz followed-up with TippingPoint on that, but they have yet to respond, afaict.
Keywords: testcase
(Assignee)

Comment 7

8 years ago
Annoyingly enough, it doesn't seem to crash under valgrind, though it crashes instantly without valgrind.

Looks like it involves JS having a pointer to an nsTreeColumn whose mColumns pointer is dangling (pointing to freed memory).

It makes sense that the nsTreeColumns is gone; we've reframed the tree when we set the binding.  But the nsTreeColumns destructor should have nulled out the columns pointer back to it.  Presumably it got detached from the nsTreeColumns some other way.
(Assignee)

Comment 8

8 years ago
Created attachment 393090 [details] [diff] [review]
patch

Well, I looked at the code, and looked for places that might have left dangling pointers, and found two, and fixed them, and then it stopped crashing.

Plus a new assertion for bonus points.
Attachment #393090 - Flags: review?(roc)
(Assignee)

Updated

8 years ago
Assignee: nobody → dbaron
blocking1.9.1: --- → ?
Component: Security → XP Toolkit/Widgets: XUL
Flags: blocking1.9.2?
Flags: blocking1.9.0.14?
Priority: -- → P2
QA Contact: toolkit → xptoolkit.xul
Target Milestone: --- → mozilla1.9.2b1
(Assignee)

Updated

8 years ago
Flags: in-testsuite?
Attachment #393090 - Flags: review?(roc) → review+
(Assignee)

Comment 9

8 years ago
So, for what it's worth, this seems like the sort of patch that people reading patches being landed would have a pretty good chance of figuring out how to exploit.  Any thoughts on when I should or shouldn't land it, or other ways to disguise it?
(Reporter)

Comment 10

8 years ago
People are apparently already looking at this area, so let's land ASAP
blocking1.9.1: ? → .3+
status1.9.1: ? → wanted
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.14?
Flags: blocking1.9.0.14+
(Assignee)

Comment 11

8 years ago
Fixed on mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/ec77f4fe64a5
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Attachment #393090 - Flags: approval1.9.1.3?
Attachment #393090 - Flags: approval1.9.0.14?
(Assignee)

Comment 12

8 years ago
For the record, it looks like this is a regression from bug 291531.
Blocks: 291531
(Assignee)

Comment 13

8 years ago
... well, actually, not really, since the same problem existed in a different place before that.
No longer blocks: 291531
(Assignee)

Updated

8 years ago
Attachment #393090 - Flags: approval1.8.1.next?
Attachment #393090 - Flags: approval1.8.0.next?
Comment on attachment 393090 [details] [diff] [review]
patch

Approved for 1.9.1.3 and 1.9.0.14. a=ss for release-drivers
Attachment #393090 - Flags: approval1.9.1.3?
Attachment #393090 - Flags: approval1.9.1.3+
Attachment #393090 - Flags: approval1.9.0.14?
Attachment #393090 - Flags: approval1.9.0.14+
(Assignee)

Comment 15

8 years ago
Fixed on mozilla-1.9.1:
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/57be70578fac
status1.9.1: wanted → .3-fixed
(Assignee)

Comment 16

8 years ago
Fix checked in to CVS trunk (for 1.9.0.14), 2009-08-08 20:20:10 -0700.
Keywords: fixed1.9.0.14
Verified fixed in 1.9.0.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14pre) Gecko/2009081305 GranParadiso/3.0.14pre (.NET CLR 3.5.30729). Testcase no longer crashes as it does when tested with 1.9.0.13 build.
Keywords: fixed1.9.0.14 → verified1.9.0.14
Verified fixed for 1.9.1.3 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3pre) Gecko/20090817 Shiretoko/3.5.3pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1
(Reporter)

Updated

8 years ago
Blocks: 291531
Keywords: regression
(Reporter)

Updated

8 years ago
Group: core-security
(Assignee)

Comment 19

8 years ago
(In reply to comment #13)
> ... well, actually, not really, since the same problem existed in a different
> place before that.

... probably introduced when the code was first written in bug 221619, but even then it could have been moved from elsewhere (though it doesn't look like it).
Blocks: 221619
No longer blocks: 291531
(Assignee)

Updated

8 years ago
Flags: blocking1.9.2? → blocking1.9.2+
(Assignee)

Comment 20

8 years ago
This landed on mozilla-central before 1.9.2 branched, but wasn't a blocker at the time we did the mass-marking, so marking status1.9.2:beta1-fixed .
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/ec77f4fe64a5
status1.9.2: --- → beta1-fixed
verified with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b1pre) Gecko/20090925 Namoroka/3.6b1pre
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
(Reporter)

Comment 22

7 years ago
Comment on attachment 393090 [details] [diff] [review]
patch

Approved for 1.8.1.24, a=dveditz for release-drivers
Attachment #393090 - Flags: approval1.8.1.next? → approval1.8.1.next+

Comment 23

7 years ago
Need to make sure this doesn't break TB 2 before landing on 1.8.1.24
(In reply to comment #23)
> Need to make sure this doesn't break TB 2 before landing on 1.8.1.24

I built TB 2 and played around with various tree elements and couldn't see any issues...

(In reply to comment #22)
> (From update of attachment 393090 [details] [diff] [review])
> Approved for 1.8.1.24, a=dveditz for release-drivers

Checking in layout/xul/base/src/tree/src/nsTreeColumns.cpp;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeColumns.cpp,v  <--  nsTreeColumns.cpp
new revision: 1.7.30.4; previous revision: 1.7.30.3
done
Checking in layout/xul/base/src/tree/src/nsTreeColumns.h;
/cvsroot/mozilla/layout/xul/base/src/tree/src/nsTreeColumns.h,v  <--  nsTreeColumns.h
new revision: 1.3.30.2; previous revision: 1.3.30.1
done
Keywords: fixed1.8.1.24
You need to log in before you can comment on or make changes to this bug.