Bug 538310 (CVE-2010-0177)

PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)

RESOLVED FIXED in mozilla1.9.3a2

Status

()

Core
Plug-ins
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: bsterne, Assigned: smaug)

Tracking

(4 keywords)

Trunk
mozilla1.9.3a2
testcase, verified1.9.0.19, verified1.9.1, verified1.9.2
Points:
---
Bug Flags:
blocking1.9.0.19 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.2 .2+, status1.9.2 .2-fixed, blocking1.9.1 .9+, status1.9.1 .9-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
ZDI-CAN-655: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following  products:

    Mozilla Firefox 3.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that a user must be coerced to viewing a malicious document.



The specific flaw exists within the way the application implements the window.navigator.plugins array. Due to the application freeing the contents of the array while a reference to one of the elements is still being used, an attacker can utilize the free reference to call arbitrary code. Successful exploitation can lead to code execution under the context of the application.

The particular vulnerability occurs within the window.navigator.plugins array. This array is implemented within dom/src/base/nsPluginArray.cpp. Each element of this array contains a reference to the mime types installed by that particular plugin.



Upon page reload, the plugin array will reallocate all of it's members without explictly checking the used reference count of each member. If an attacker grabs a reference out of the array, and causes the page to reload itself, the attacker will then have a variable that references data that has been freed by the page refresh.



The mPlugin property contains the reference to the plugin that will get freed.



dom/src/base/nsMimeTypeArray.cpp:304

NS_IMETHODIMP

nsMimeType::GetEnabledPlugin(nsIDOMPlugin** aEnabledPlugin)

{

  nsAutoString type;

  GetType(type);



  PRBool disabled = PR_FALSE;



  if (type.Length() == 1 && type.First() == '*') {

    // Check if the default plugin is disabled.

    disabled =
nsContentUtils::GetBoolPref("plugin.default_plugin_disabled");

  }



  *aEnabledPlugin = disabled ? nsnull : mPlugin;        // XXX: mPlugin



  NS_IF_ADDREF(*aEnabledPlugin);



  return NS_OK;

}



Only place that modifies mPlugin property.

nsMimeType::nsMimeType(nsIDOMPlugin* aPlugin, nsIDOMMimeType*
aMimeType)

{

  mPlugin = aPlugin;       // XXX

  mMimeType = aMimeType;

}



For each plugin, allocate the mime type associated with it.

dom/src/base/nsPluginArray.cpp:405

nsresult

nsPluginElement::GetMimeTypes()

{

  nsresult rv = mPlugin->GetLength(&mMimeTypeCount);

  if (rv == NS_OK) {

    mMimeTypeArray = new nsIDOMMimeType*[mMimeTypeCount];

    if (mMimeTypeArray == nsnull)

      return NS_ERROR_OUT_OF_MEMORY;

    for (PRUint32 i = 0; i < mMimeTypeCount; i++) {

      nsCOMPtr<nsIDOMMimeType> mimeType;

      rv = mPlugin->Item(i, getter_AddRefs(mimeType));

      if (rv != NS_OK)

        break;

      mimeType = new nsMimeType(this, mimeType);    // XXX: /this/
contains our dangling reference

      NS_IF_ADDREF(mMimeTypeArray[i] = mimeType);

    }

  }

  return rv;

}



Reload the entire plugin array

dom/src/base/nsPluginArray.cpp:199

NS_IMETHODIMP

nsPluginArray::Refresh(PRBool aReloadDocuments)

{

  nsresult res = NS_OK;

  if (!AllowPlugins())

    return NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA;



Delete every element of an nsPluginArray

dom/src/base/nsPluginArray.cpp:236

  if (mPluginArray != nsnull) {

    for (PRUint32 i = 0; i < mPluginCount; i++) 

      NS_IF_RELEASE(mPluginArray[i]);               // XXX



    delete[] mPluginArray;

  }





Version(s)  tested: FireFox 3.5.6

Platform(s) tested: Windows XP SP3



-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
(Reporter)

Updated

7 years ago
Alias: ZDI-CAN-655
Whiteboard: [sg:critical?]
Did TippingPoint provide a testcase?
(Reporter)

Comment 2

7 years ago
No, they didn't.  I'll see if they have one.
Alias: ZDI-CAN-655
Keywords: testcase
Summary: PluginArray nsMimeType Dangling Pointer Vulnerability → PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
(Assignee)

Updated

7 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Comment 4

7 years ago
Created attachment 425799 [details] [diff] [review]
simple fix

This is the smallest fix I could think of.
On trunk we should convert all those raw arrays to nsCOMArray or
nsTArray.
I also filed a followup bug 544875.
Attachment #425799 - Flags: superreview?(jonas)
Attachment #425799 - Flags: review?(jst)
Attachment #425799 - Flags: superreview?(jonas) → superreview+

Updated

7 years ago
Attachment #425799 - Flags: review?(jst) → review+
(Assignee)

Updated

7 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 5

7 years ago
http://hg.mozilla.org/mozilla-central/rev/0068be501633
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Assignee)

Updated

7 years ago
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.0.19?
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19?
blocking1.9.1: ? → .9+
blocking1.9.2: ? → .2+
Flags: blocking1.9.0.19? → blocking1.9.0.19+
Comment on attachment 425799 [details] [diff] [review]
simple fix

Approved for 1.9.2.2, 1.9.1.9 and 1.9.0.19, a=dveditz for release-drivers
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.2.2+
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.1.9+
Attachment #425799 - Flags: approval1.9.0.19?
Attachment #425799 - Flags: approval1.9.0.19+
Are we waiting on anything for landing these?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2]
(Assignee)

Comment 8

7 years ago
Nope. I'll land this tomorrow.
(Assignee)

Updated

7 years ago
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2]
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/12ca3582430b
status1.9.1: wanted → .9-fixed
Whiteboard: [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.2.2]
(Assignee)

Comment 10

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/591039ba50fa
status1.9.2: wanted → .2-fixed
Verified for 1.9.0 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19pre) Gecko/2010031106 GranParadiso/3.0.19pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729).

Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2pre) Gecko/20100311 Namoroka/3.6.2pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.19 → verified1.9.0.19, verified1.9.1, verified1.9.2
Whiteboard: [sg:critical?][needs landing 1.9.2.2] → [sg:critical?]
Target Milestone: --- → mozilla1.9.3a2
Alias: CVE-2010-0177
Group: core-security
You need to log in before you can comment on or make changes to this bug.