Bug 538310 - (CVE-2010-0177) PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
Keywords: testcase, verified1.9.0.19, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: Plug-ins
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: mozilla1.9.3a2
Assigned To: Olli Pettay [:smaug] (pto-ish for couple of days)
: Benjamin Smedberg [:bsmedberg]
Depends on:
Reported: 2010-01-06 17:05 PST by Brandon Sterne (:bsterne)
Modified: 2010-07-15 13:59 PDT (History)
CC: 11 users
dveditz: blocking1.9.0.19+
dveditz: wanted1.9.0.x+

simple fix (1.32 KB, patch)
2010-02-08 07:16 PST, Olli Pettay [:smaug] (pto-ish for couple of days)
jst: review+
jonas: superreview+
dveditz: approval1.9.2.2+
dveditz: approval1.9.1.9+
dveditz: approval1.9.0.19+

Description Brandon Sterne (:bsterne) 2010-01-06 17:05:47 PST
ZDI-CAN-655: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following products:

    Mozilla Firefox 3.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that a user must be coerced to viewing a malicious document.

The specific flaw exists within the way the application implements the window.navigator.plugins array. Due to the application freeing the contents of the array while a reference to one of the elements is still being used, an attacker can utilize the free reference to call arbitrary code. Successful exploitation can lead to code execution under the context of the application.

The particular vulnerability occurs within the window.navigator.plugins array. This array is implemented within dom/src/base/nsPluginArray.cpp. Each element of this array contains a reference to the mime types installed by that particular plugin.

Upon page reload, the plugin array will reallocate all of its members without explicitly checking the used reference count of each member. If an attacker grabs a reference out of the array, and causes the page to reload itself, the attacker will then have a variable that references data that has been freed by the page refresh.

The mPlugin property contains the reference to the plugin that will get freed.

nsMimeType::GetEnabledPlugin(nsIDOMPlugin** aEnabledPlugin)

  nsAutoString type;

  PRBool disabled = PR_FALSE;
  if (type.Length() == 1 && type.First() == '*') {
    // Check if the default plugin is disabled.
    disabled =

  *aEnabledPlugin = disabled ? nsnull : mPlugin;        // XXX: mPlugin

  return NS_OK;

Only place that modifies mPlugin property.

nsMimeType::nsMimeType(nsIDOMPlugin* aPlugin, nsIDOMMimeType*

  mPlugin = aPlugin;       // XXX
  mMimeType = aMimeType;

For each plugin, allocate the mime type associated with it.

  nsresult rv = mPlugin->GetLength(&mMimeTypeCount);
  if (rv == NS_OK) {
    mMimeTypeArray = new nsIDOMMimeType*[mMimeTypeCount];
    if (mMimeTypeArray == nsnull)
      return NS_ERROR_OUT_OF_MEMORY;
    for (PRUint32 i = 0; i < mMimeTypeCount; i++) {
      nsCOMPtr<nsIDOMMimeType> mimeType;
      rv = mPlugin->Item(i, getter_AddRefs(mimeType));
      if (rv != NS_OK)

      mimeType = new nsMimeType(this, mimeType);    // XXX: /this/ contains our dangling reference
      NS_IF_ADDREF(mMimeTypeArray[i] = mimeType);

  return rv;

Reload the entire plugin array

nsPluginArray::Refresh(PRBool aReloadDocuments)

  nsresult res = NS_OK;
  if (!AllowPlugins())

Delete every element of an nsPluginArray

  if (mPluginArray != nsnull) {
    for (PRUint32 i = 0; i < mPluginCount; i++)
      NS_IF_RELEASE(mPluginArray[i]);               // XXX
    delete[] mPluginArray;


Version(s) tested: Firefox 3.5.6

Platform(s) tested: Windows XP SP3

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
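A constructed C++ model of the ownership error the report describes and of the shape of the fix, added here as an illustration; it is not code from this bug, from attachment 425799 or from Mozilla's tree, and the names Plugin, RawMimeType, StrongMimeType, PluginArray and PluginsFreedWhileHeld are assumptions. RawMimeType stores the plugin pointer the way nsMimeType's constructor stores aPlugin, StrongMimeType takes a reference on it (what an nsCOMPtr member would do), and Refresh() releases every element as nsPluginArray::Refresh does:

```cpp
#include <vector>

// Constructed stand-in for an XPCOM-style refcounted object (nsIDOMPlugin's role here).
struct Plugin {
    int refcnt = 0;
    static int destroyed;                        // how many Plugins were freed
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
    ~Plugin() { ++destroyed; }
};
int Plugin::destroyed = 0;

// Vulnerable shape from the report: nsMimeType copies the plugin pointer
// without taking a reference, so it dangles once the array releases it.
struct RawMimeType {
    Plugin* mPlugin;
    explicit RawMimeType(Plugin* p) : mPlugin(p) {}
};

// Hardened shape: the back-pointer is a strong reference (what holding it in
// an nsCOMPtr<nsIDOMPlugin> achieves), so the plugin outlives Refresh().
struct StrongMimeType {
    Plugin* mPlugin;
    explicit StrongMimeType(Plugin* p) : mPlugin(p) { mPlugin->AddRef(); }
    ~StrongMimeType() { mPlugin->Release(); }
    StrongMimeType(const StrongMimeType&) = delete;
};

// navigator.plugins, owning one reference per element; Refresh() mirrors the report's nsPluginArray::Refresh.
struct PluginArray {
    std::vector<Plugin*> mPluginArray;
    PluginArray() { Refresh(); }
    ~PluginArray() { for (Plugin* p : mPluginArray) p->Release(); }
    void Refresh() {
        for (Plugin* p : mPluginArray) p->Release();   // the NS_IF_RELEASE loop
        mPluginArray = {new Plugin};
        mPluginArray[0]->AddRef();
    }
};

// Script keeps navigator.plugins[0][0] and calls refresh(); returns how many plugins
// Refresh() freed while the mime type was held: 1 for RawMimeType, 0 for StrongMimeType.
template <class MimeType>
int PluginsFreedWhileHeld() {
    PluginArray plugins;
    MimeType held(plugins.mPluginArray[0]);
    int before = Plugin::destroyed;
    plugins.Refresh();     // a dangling held.mPlugin is never dereferenced here
    return Plugin::destroyed - before;
}
```

The model only counts frees and never touches the released object, which is what makes the dangling case observable without undefined behaviour.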
Comment 1 Reed Loden [:reed] (use needinfo?) 2010-01-06 20:17:57 PST
Did TippingPoint provide a testcase?
Comment 2 Brandon Sterne (:bsterne) 2010-01-07 09:25:13 PST
No, they didn't. I'll see if they have one.
Comment 4 Olli Pettay [:smaug] (pto-ish for couple of days) 2010-02-08 07:16:33 PST
Created attachment 425799 [details] [diff] [review]
simple fix

This is the smallest fix I could think of.
On trunk we should convert all those raw arrays to nsCOMArray or
I also filed a followup bug 544875.
Comment 5 Olli Pettay [:smaug] (pto-ish for couple of days) 2010-02-11 03:14:24 PST
Comment 6 Daniel Veditz [:dveditz] 2010-02-19 13:15:14 PST
Comment on attachment 425799 [details] [diff] [review]
simple fix

Approved for, and, a=dveditz for release-drivers
Comment 7 Mike Beltzner [:beltzner, not reading bugmail] 2010-03-03 13:41:22 PST
Are we waiting on anything for landing these?
Comment 8 Olli Pettay [:smaug] (pto-ish for couple of days) 2010-03-03 13:45:00 PST
Nope. I'll land this tomorrow.
Comment 9 Olli Pettay [:smaug] (pto-ish for couple of days) 2010-03-04 12:24:35 PST
Comment 10 Olli Pettay [:smaug] (pto-ish for couple of days) 2010-03-04 12:52:51 PST
Comment 11 Al Billings [:abillings] 2010-03-11 14:15:44 PST
Verified for 1.9.0 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2010031106 GranParadiso/3.0.19pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729).

Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20100311 Namoroka/3.6.2pre (.NET CLR 3.5.30729).
