Bug 538310
(CVE-2010-0177)
Opened 15 years ago
Closed 15 years ago
PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
Categories: Core Graveyard :: Plug-ins, defect
Tracking: blocking1.9.2 .2+, status1.9.2 .2-fixed, blocking1.9.1 .9+, status1.9.1 .9-fixed
Status: RESOLVED FIXED
Target Milestone: mozilla1.9.3a2
People: Reporter: bsterne, Assigned: smaug
Details: 4 keywords, Whiteboard: [sg:critical?]
Attachments (1 file): patch, 1.32 KB; jst: review+, sicking: superreview+, dveditz: approval1.9.2.2+, approval1.9.1.9+, approval1.9.0.19+
ZDI-CAN-655: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Vulnerability
-- ABSTRACT ------------------------------------------------------------
TippingPoint has identified a vulnerability affecting the following products:
Mozilla Firefox 3.5.x
-- VULNERABILITY DETAILS -----------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that a user must be coerced into viewing a malicious document.
The specific flaw exists within the way the application implements the window.navigator.plugins array. Due to the application freeing the contents of the array while a reference to one of the elements is still being used, an attacker can utilize the freed reference to call arbitrary code. Successful exploitation can lead to code execution under the context of the application.
The particular vulnerability occurs within the window.navigator.plugins array. This array is implemented within dom/src/base/nsPluginArray.cpp. Each element of this array contains a reference to the mime types installed by that particular plugin.
Upon page reload, the plugin array will reallocate all of its members without explicitly checking the used reference count of each member. If an attacker grabs a reference out of the array, and causes the page to reload itself, the attacker will then have a variable that references data that has been freed by the page refresh.
The mPlugin property contains the reference to the plugin that will get freed.
dom/src/base/nsMimeTypeArray.cpp:304
NS_IMETHODIMP
nsMimeType::GetEnabledPlugin(nsIDOMPlugin** aEnabledPlugin)
{
nsAutoString type;
GetType(type);
PRBool disabled = PR_FALSE;
if (type.Length() == 1 && type.First() == '*') {
// Check if the default plugin is disabled.
disabled =
nsContentUtils::GetBoolPref("plugin.default_plugin_disabled");
}
*aEnabledPlugin = disabled ? nsnull : mPlugin; // XXX: mPlugin
NS_IF_ADDREF(*aEnabledPlugin);
return NS_OK;
}
Only place that modifies mPlugin property.
nsMimeType::nsMimeType(nsIDOMPlugin* aPlugin, nsIDOMMimeType* aMimeType)
{
mPlugin = aPlugin; // XXX
mMimeType = aMimeType;
}
For each plugin, allocate the mime type associated with it.
dom/src/base/nsPluginArray.cpp:405
nsresult
nsPluginElement::GetMimeTypes()
{
nsresult rv = mPlugin->GetLength(&mMimeTypeCount);
if (rv == NS_OK) {
mMimeTypeArray = new nsIDOMMimeType*[mMimeTypeCount];
if (mMimeTypeArray == nsnull)
return NS_ERROR_OUT_OF_MEMORY;
for (PRUint32 i = 0; i < mMimeTypeCount; i++) {
nsCOMPtr<nsIDOMMimeType> mimeType;
rv = mPlugin->Item(i, getter_AddRefs(mimeType));
if (rv != NS_OK)
break;
mimeType = new nsMimeType(this, mimeType); // XXX: /this/ contains our dangling reference
NS_IF_ADDREF(mMimeTypeArray[i] = mimeType);
}
}
return rv;
}
Reload the entire plugin array
dom/src/base/nsPluginArray.cpp:199
NS_IMETHODIMP
nsPluginArray::Refresh(PRBool aReloadDocuments)
{
nsresult res = NS_OK;
if (!AllowPlugins())
return NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA;
Delete every element of an nsPluginArray
dom/src/base/nsPluginArray.cpp:236
if (mPluginArray != nsnull) {
for (PRUint32 i = 0; i < mPluginCount; i++)
NS_IF_RELEASE(mPluginArray[i]); // XXX
delete[] mPluginArray;
}
Version(s) tested: Firefox 3.5.6
Platform(s) tested: Windows XP SP3
-- CREDIT --------------------------------------------------------------
This vulnerability was discovered by:
* regenrecht
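The ownership pattern behind the advisory, as an added example that is not code from this bug or from Gecko: a refcounted array of plugin elements is released on refresh while a child object keeps a raw back-pointer to its element, exactly as nsMimeType::mPlugin does above. The Plugin/MimeType types, the PluginArray refresh routine and the live-object registry (used so the dangling pointer can be detected by address comparison rather than by dereferencing freed memory) are assumptions of this model; the strong-reference variant is one possible fix and is not the patch attached to this bug, which the page does not reproduce.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for nsPluginElement and nsMimeType (assumption: a
 * simplified model, not Gecko's classes). Both are intrusively refcounted. */
typedef struct Plugin { int refcnt; } Plugin;

typedef struct MimeType {
    int refcnt;
    Plugin *plugin;    /* the mPlugin back-pointer from the advisory */
    bool owns_plugin;  /* true: holds its own reference on plugin; false: raw pointer */
} MimeType;

/* Registry of live Plugin allocations, so a dangling back-pointer can be
 * detected by address comparison instead of by dereferencing freed memory. */
#define MAX_LIVE 16
static uintptr_t live_plugins[MAX_LIVE];
static int live_count;

static void live_remove(const Plugin *p) {
    for (int i = 0; i < live_count; i++)
        if (live_plugins[i] == (uintptr_t)p) { live_plugins[i] = live_plugins[--live_count]; return; }
}

bool plugin_is_live(const Plugin *p) {
    for (int i = 0; i < live_count; i++)
        if (live_plugins[i] == (uintptr_t)p) return true;
    return false;
}

Plugin *plugin_new(void) {
    Plugin *p = calloc(1, sizeof *p);
    p->refcnt = 1;
    if (live_count < MAX_LIVE) live_plugins[live_count++] = (uintptr_t)p;
    return p;
}

void plugin_addref(Plugin *p) { p->refcnt++; }

/* NS_IF_RELEASE analogue: the last release frees the element. */
void plugin_release(Plugin *p) {
    if (--p->refcnt == 0) { live_remove(p); free(p); }
}

/* nsMimeType::nsMimeType analogue. strong == false is the code in the advisory:
 * mPlugin = aPlugin with no AddRef. strong == true keeps the owner alive for as
 * long as the MimeType itself is alive. */
MimeType *mimetype_new(Plugin *owner, bool strong) {
    MimeType *m = calloc(1, sizeof *m);
    m->refcnt = 1;
    m->plugin = owner;
    m->owns_plugin = strong;
    if (strong) plugin_addref(owner);
    return m;
}

void mimetype_release(MimeType *m) {
    if (--m->refcnt == 0) {
        if (m->owns_plugin) plugin_release(m->plugin);
        free(m);
    }
}

/* nsPluginArray::Refresh analogue: release every element and drop the array,
 * without consulting MimeType objects that still point at the elements. */
typedef struct { Plugin **items; int count; } PluginArray;

void plugin_array_refresh(PluginArray *arr) {
    for (int i = 0; i < arr->count; i++) plugin_release(arr->items[i]);
    free(arr->items);
    arr->items = NULL;
    arr->count = 0;
}

/* The scenario from the advisory: script keeps a MimeType (navigator.plugins[0][0])
 * in a variable, the plugin array is refreshed, then the MimeType's back-pointer
 * is used. Returns true iff that pointer still refers to a live Plugin. */
bool backpointer_survives_refresh(bool strong_ref) {
    PluginArray arr = { malloc(sizeof(Plugin *)), 1 };
    arr.items[0] = plugin_new();
    MimeType *held = mimetype_new(arr.items[0], strong_ref);

    plugin_array_refresh(&arr);
    bool live = plugin_is_live(held->plugin);
    mimetype_release(held);
    return live;
}

int main(void) {
    printf("raw mPlugin after refresh:    %s\n", backpointer_survives_refresh(false) ? "live" : "dangling");
    printf("owning mPlugin after refresh: %s\n", backpointer_survives_refresh(true) ? "live" : "dangling");
    return 0;
}
```

With the raw back-pointer, refresh frees the element and the held MimeType is left pointing at freed memory; GetEnabledPlugin would then hand that pointer back to script. With the owning reference the element outlives the array until the last MimeType holding it is released, which is the invariant any fix (strong back-reference, or clearing the back-pointers when the array is torn down) has to restore.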
Updated (reporter) • 15 years ago
Alias: ZDI-CAN-655
Whiteboard: [sg:critical?]
Comment 1 • 15 years ago
Did TippingPoint provide a testcase?
Comment 2 (reporter) • 15 years ago
No, they didn't. I'll see if they have one.
Updated • 15 years ago
Alias: ZDI-CAN-655
Keywords: testcase
Summary: PluginArray nsMimeType Dangling Pointer Vulnerability → PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
Updated (assignee) • 15 years ago
Assignee: nobody → Olli.Pettay
Comment 4 (assignee) • 15 years ago
This is the smallest fix I could think of.
On trunk we should convert all those raw arrays to nsCOMArray or nsTArray.
I also filed a followup bug 544875.
Attachment #425799 - Flags: superreview?(jonas)
Attachment #425799 - Flags: review?(jst)
Attachment #425799 - Flags: superreview?(jonas) → superreview+
Updated • 15 years ago
Attachment #425799 - Flags: review?(jst) → review+
Updated (assignee) • 15 years ago
Status: NEW → ASSIGNED
Comment 5 (assignee) • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated (assignee) • 15 years ago
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.0.19?
Updated • 15 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19?
Updated • 15 years ago
blocking1.9.1: ? → .9+
blocking1.9.2: ? → .2+
Flags: blocking1.9.0.19? → blocking1.9.0.19+
Comment 6 • 15 years ago
Comment on attachment 425799 [details] [diff] [review]
simple fix
Approved for 1.9.2.2, 1.9.1.9 and 1.9.0.19, a=dveditz for release-drivers
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.2.2+
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.1.9+
Attachment #425799 - Flags: approval1.9.0.19?
Attachment #425799 - Flags: approval1.9.0.19+
Comment 7 • 15 years ago
Are we waiting on anything for landing these?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2]
Comment 8 (assignee) • 15 years ago
Nope. I'll land this tomorrow.
Updated (assignee) • 15 years ago
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2]
Comment 9 (assignee) • 15 years ago
Whiteboard: [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.2.2]
Comment 10 (assignee) • 15 years ago
Comment 11 • 15 years ago
Verified for 1.9.0 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19pre) Gecko/2010031106 GranParadiso/3.0.19pre (.NET CLR 3.5.30729).
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729).
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2pre) Gecko/20100311 Namoroka/3.6.2pre (.NET CLR 3.5.30729).
Updated • 15 years ago
Whiteboard: [sg:critical?][needs landing 1.9.2.2] → [sg:critical?]
Target Milestone: --- → mozilla1.9.3a2
Updated • 15 years ago
Alias: CVE-2010-0177
Updated • 15 years ago
Group: core-security
Updated • 3 years ago
Product: Core → Core Graveyard