Bug 538310 (CVE-2010-0177)

PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)

RESOLVED FIXED in mozilla1.9.3a2

Status

()

defect
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: bsterne, Assigned: smaug)

Tracking

(4 keywords)

Trunk
mozilla1.9.3a2
Points:
---
Bug Flags:
blocking1.9.0.19 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.2 .2+, status1.9.2 .2-fixed, blocking1.9.1 .9+, status1.9.1 .9-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(1 attachment)

Reporter

Description

10 years ago
ZDI-CAN-655: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following  products:

    Mozilla Firefox 3.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that a user must be coerced to viewing a malicious document.



The specific flaw exists within the way the application implements the window.navigator.plugins array. Due to the application freeing the contents of the array while a reference to one of the elements is still being used, an attacker can utilize the free reference to call arbitrary code. Successful exploitation can lead to code execution under the context of the application.

The particular vulnerability occurs within the window.navigator.plugins array. This array is implemented within dom/src/base/nsPluginArray.cpp. Each element of this array contains a reference to the mime types installed by that particular plugin.



Upon page reload, the plugin array will reallocate all of it's members without explictly checking the used reference count of each member. If an attacker grabs a reference out of the array, and causes the page to reload itself, the attacker will then have a variable that references data that has been freed by the page refresh.



The mPlugin property contains the reference to the plugin that will get freed.



dom/src/base/nsMimeTypeArray.cpp:304

NS_IMETHODIMP

nsMimeType::GetEnabledPlugin(nsIDOMPlugin** aEnabledPlugin)

{

  nsAutoString type;

  GetType(type);



  PRBool disabled = PR_FALSE;



  if (type.Length() == 1 && type.First() == '*') {

    // Check if the default plugin is disabled.

    disabled =
nsContentUtils::GetBoolPref("plugin.default_plugin_disabled");

  }



  *aEnabledPlugin = disabled ? nsnull : mPlugin;        // XXX: mPlugin



  NS_IF_ADDREF(*aEnabledPlugin);



  return NS_OK;

}



Only place that modifies mPlugin property.

nsMimeType::nsMimeType(nsIDOMPlugin* aPlugin, nsIDOMMimeType*
aMimeType)

{

  mPlugin = aPlugin;       // XXX

  mMimeType = aMimeType;

}



For each plugin, allocate the mime type associated with it.

dom/src/base/nsPluginArray.cpp:405

nsresult

nsPluginElement::GetMimeTypes()

{

  nsresult rv = mPlugin->GetLength(&mMimeTypeCount);

  if (rv == NS_OK) {

    mMimeTypeArray = new nsIDOMMimeType*[mMimeTypeCount];

    if (mMimeTypeArray == nsnull)

      return NS_ERROR_OUT_OF_MEMORY;

    for (PRUint32 i = 0; i < mMimeTypeCount; i++) {

      nsCOMPtr<nsIDOMMimeType> mimeType;

      rv = mPlugin->Item(i, getter_AddRefs(mimeType));

      if (rv != NS_OK)

        break;

      mimeType = new nsMimeType(this, mimeType);    // XXX: /this/
contains our dangling reference

      NS_IF_ADDREF(mMimeTypeArray[i] = mimeType);

    }

  }

  return rv;

}



Reload the entire plugin array

dom/src/base/nsPluginArray.cpp:199

NS_IMETHODIMP

nsPluginArray::Refresh(PRBool aReloadDocuments)

{

  nsresult res = NS_OK;

  if (!AllowPlugins())

    return NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA;



Delete every element of an nsPluginArray

dom/src/base/nsPluginArray.cpp:236

  if (mPluginArray != nsnull) {

    for (PRUint32 i = 0; i < mPluginCount; i++) 

      NS_IF_RELEASE(mPluginArray[i]);               // XXX



    delete[] mPluginArray;

  }





Version(s)  tested: FireFox 3.5.6

Platform(s) tested: Windows XP SP3



-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
Reporter

Updated

10 years ago
Alias: ZDI-CAN-655
Whiteboard: [sg:critical?]
Did TippingPoint provide a testcase?
Reporter

Comment 2

10 years ago
No, they didn't.  I'll see if they have one.
Alias: ZDI-CAN-655
Keywords: testcase
Summary: PluginArray nsMimeType Dangling Pointer Vulnerability → PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
Assignee

Updated

9 years ago
Assignee: nobody → Olli.Pettay
Assignee

Comment 4

9 years ago
Posted patch simple fixSplinter Review
This is the smallest fix I could think of.
On trunk we should convert all those raw arrays to nsCOMArray or
nsTArray.
I also filed a followup bug 544875.
Attachment #425799 - Flags: superreview?(jonas)
Attachment #425799 - Flags: review?(jst)
Attachment #425799 - Flags: superreview?(jonas) → superreview+
Attachment #425799 - Flags: review?(jst) → review+
Assignee

Updated

9 years ago
Status: NEW → ASSIGNED
Assignee

Comment 5

9 years ago
http://hg.mozilla.org/mozilla-central/rev/0068be501633
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Assignee

Updated

9 years ago
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.0.19?
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.19?
blocking1.9.1: ? → .9+
blocking1.9.2: ? → .2+
Flags: blocking1.9.0.19? → blocking1.9.0.19+
Comment on attachment 425799 [details] [diff] [review]
simple fix

Approved for 1.9.2.2, 1.9.1.9 and 1.9.0.19, a=dveditz for release-drivers
Attachment #425799 - Flags: approval1.9.2.2?
Attachment #425799 - Flags: approval1.9.2.2+
Attachment #425799 - Flags: approval1.9.1.9?
Attachment #425799 - Flags: approval1.9.1.9+
Attachment #425799 - Flags: approval1.9.0.19?
Attachment #425799 - Flags: approval1.9.0.19+
Are we waiting on anything for landing these?
Whiteboard: [sg:critical?] → [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2]
Assignee

Comment 8

9 years ago
Nope. I'll land this tomorrow.
Assignee

Updated

9 years ago
Keywords: fixed1.9.0.19
Whiteboard: [sg:critical?][needs landing 1.9.0.19][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2]
Assignee

Comment 9

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/12ca3582430b
Whiteboard: [sg:critical?][needs landing 1.9.1.9][needs landing 1.9.2.2] → [sg:critical?][needs landing 1.9.2.2]
Verified for 1.9.0 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19pre) Gecko/2010031106 GranParadiso/3.0.19pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729).

Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2pre) Gecko/20100311 Namoroka/3.6.2pre (.NET CLR 3.5.30729).
Whiteboard: [sg:critical?][needs landing 1.9.2.2] → [sg:critical?]
Target Milestone: --- → mozilla1.9.3a2
Alias: CVE-2010-0177
Group: core-security
You need to log in before you can comment on or make changes to this bug.