Last Comment Bug 538310 - (CVE-2010-0177) PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
(CVE-2010-0177)
: PluginArray nsMimeType Dangling Pointer Vulnerability (ZDI-CAN-655)
Status: RESOLVED FIXED
[sg:critical?]
: testcase, verified1.9.0.19, verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: Trunk
: All All
: -- normal (vote)
: mozilla1.9.3a2
Assigned To: Olli Pettay [:smaug]
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-01-06 17:05 PST by Brandon Sterne (:bsterne)
Modified: 2010-07-15 13:59 PDT (History)
11 users (show)
dveditz: blocking1.9.0.19+
dveditz: wanted1.9.0.x+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
.2+
.2-fixed
.9+
.9-fixed


Attachments
simple fix (1.32 KB, patch)
2010-02-08 07:16 PST, Olli Pettay [:smaug]
jst: review+
jonas: superreview+
dveditz: approval1.9.2.2+
dveditz: approval1.9.1.9+
dveditz: approval1.9.0.19+
Details | Diff | Review

Description Brandon Sterne (:bsterne) 2010-01-06 17:05:47 PST
ZDI-CAN-655: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following  products:

    Mozilla Firefox 3.5.x

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that a user must be coerced to viewing a malicious document.



The specific flaw exists within the way the application implements the window.navigator.plugins array. Due to the application freeing the contents of the array while a reference to one of the elements is still being used, an attacker can utilize the free reference to call arbitrary code. Successful exploitation can lead to code execution under the context of the application.

The particular vulnerability occurs within the window.navigator.plugins array. This array is implemented within dom/src/base/nsPluginArray.cpp. Each element of this array contains a reference to the mime types installed by that particular plugin.



Upon page reload, the plugin array will reallocate all of it's members without explictly checking the used reference count of each member. If an attacker grabs a reference out of the array, and causes the page to reload itself, the attacker will then have a variable that references data that has been freed by the page refresh.



The mPlugin property contains the reference to the plugin that will get freed.



dom/src/base/nsMimeTypeArray.cpp:304

NS_IMETHODIMP

nsMimeType::GetEnabledPlugin(nsIDOMPlugin** aEnabledPlugin)

{

  nsAutoString type;

  GetType(type);



  PRBool disabled = PR_FALSE;



  if (type.Length() == 1 && type.First() == '*') {

    // Check if the default plugin is disabled.

    disabled =
nsContentUtils::GetBoolPref("plugin.default_plugin_disabled");

  }



  *aEnabledPlugin = disabled ? nsnull : mPlugin;        // XXX: mPlugin



  NS_IF_ADDREF(*aEnabledPlugin);



  return NS_OK;

}



Only place that modifies mPlugin property.

nsMimeType::nsMimeType(nsIDOMPlugin* aPlugin, nsIDOMMimeType*
aMimeType)

{

  mPlugin = aPlugin;       // XXX

  mMimeType = aMimeType;

}



For each plugin, allocate the mime type associated with it.

dom/src/base/nsPluginArray.cpp:405

nsresult

nsPluginElement::GetMimeTypes()

{

  nsresult rv = mPlugin->GetLength(&mMimeTypeCount);

  if (rv == NS_OK) {

    mMimeTypeArray = new nsIDOMMimeType*[mMimeTypeCount];

    if (mMimeTypeArray == nsnull)

      return NS_ERROR_OUT_OF_MEMORY;

    for (PRUint32 i = 0; i < mMimeTypeCount; i++) {

      nsCOMPtr<nsIDOMMimeType> mimeType;

      rv = mPlugin->Item(i, getter_AddRefs(mimeType));

      if (rv != NS_OK)

        break;

      mimeType = new nsMimeType(this, mimeType);    // XXX: /this/
contains our dangling reference

      NS_IF_ADDREF(mMimeTypeArray[i] = mimeType);

    }

  }

  return rv;

}



Reload the entire plugin array

dom/src/base/nsPluginArray.cpp:199

NS_IMETHODIMP

nsPluginArray::Refresh(PRBool aReloadDocuments)

{

  nsresult res = NS_OK;

  if (!AllowPlugins())

    return NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA;



Delete every element of an nsPluginArray

dom/src/base/nsPluginArray.cpp:236

  if (mPluginArray != nsnull) {

    for (PRUint32 i = 0; i < mPluginCount; i++) 

      NS_IF_RELEASE(mPluginArray[i]);               // XXX



    delete[] mPluginArray;

  }





Version(s)  tested: FireFox 3.5.6

Platform(s) tested: Windows XP SP3



-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
Comment 1 Reed Loden [:reed] (use needinfo?) 2010-01-06 20:17:57 PST
Did TippingPoint provide a testcase?
Comment 2 Brandon Sterne (:bsterne) 2010-01-07 09:25:13 PST
No, they didn't.  I'll see if they have one.
Comment 4 Olli Pettay [:smaug] 2010-02-08 07:16:33 PST
Created attachment 425799 [details] [diff] [review]
simple fix

This is the smallest fix I could think of.
On trunk we should convert all those raw arrays to nsCOMArray or
nsTArray.
I also filed a followup bug 544875.
Comment 5 Olli Pettay [:smaug] 2010-02-11 03:14:24 PST
http://hg.mozilla.org/mozilla-central/rev/0068be501633
Comment 6 Daniel Veditz [:dveditz] 2010-02-19 13:15:14 PST
Comment on attachment 425799 [details] [diff] [review]
simple fix

Approved for 1.9.2.2, 1.9.1.9 and 1.9.0.19, a=dveditz for release-drivers
Comment 7 Mike Beltzner [:beltzner, not reading bugmail] 2010-03-03 13:41:22 PST
Are we waiting on anything for landing these?
Comment 8 Olli Pettay [:smaug] 2010-03-03 13:45:00 PST
Nope. I'll land this tomorrow.
Comment 11 Al Billings [:abillings] 2010-03-11 14:15:44 PST
Verified for 1.9.0 using PoC with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19pre) Gecko/2010031106 GranParadiso/3.0.19pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9pre) Gecko/20100311 Shiretoko/3.5.9pre (.NET CLR 3.5.30729).

Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2pre) Gecko/20100311 Namoroka/3.6.2pre (.NET CLR 3.5.30729).

Note You need to log in before you can comment on or make changes to this bug.