Bug 648100 (CVE-2011-0085)

Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability (ZDI-CAN-1203)

RESOLVED FIXED

Status


Core
XUL
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: bsterne, Assigned: Neil Deakin)

Tracking

({verified1.9.2})

1.9.2 Branch
verified1.9.2
Points:
---

Firefox Tracking Flags

(firefox5- unaffected, firefox6- unaffected, firefox7- unaffected, status2.0 unaffected, blocking1.9.2 .18+, status1.9.2 .18-fixed, status1.9.1 wanted)

Details

(Whiteboard: [sg:critical][needs 1.9.2 testing])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 524251 [details]
PoC

ZDI-CAN-1203: Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability

-- CVSS ----------------------------------------------------------------
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following products:

    Mozilla Firefox

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within nsXULCommandDispatcher.cpp. During a NS_XUL_COMMAND_UPDATE event dispatch, the user is able to force the command dispatcher to remove all the updaters in the mUpdaters chain, including the one that is currently in use. As a result, the local variable updater becomes a stale pointer and updater->mNext refers to memory previously freed. Successful exploitation can lead to code execution in the context of the browser.

Version(s)  tested: 3.6.16
Platform(s) tested: Windows XP SP3


dispatcher-use-after-free1.xul results in the following crash:

(700.4b0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=0012e7e4 edx=c1c2c3c8 esi=0012ec4c edi=0012ec4c
eip=101a501e esp=0012e7dc ebp=c1c2c3c8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
xul!nsXULCommandDispatcher::Matches+0xe:
101a501e 395d04          cmp     dword ptr [ebp+4],ebx ss:0023:c1c2c3cc=????????
0:000> k
ChildEBP RetAddr
0012e7ec 1008d44b xul!nsXULCommandDispatcher::Matches+0xe [content\xul\document\src\nsxulcommanddispatcher.cpp @ 462]
0012e8fc 1027415b xul!nsXULCommandDispatcher::UpdateCommands+0x9b [content\xul\document\src\nsxulcommanddispatcher.cpp @ 412]
0012e910 10118e9e xul!NS_InvokeByIndex_P+0x27 [xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 103]
0012eba8 10114cb3 xul!XPCWrappedNative::CallMethod+0x52e [js\src\xpconnect\src\xpcwrappednative.cpp @ 2722]
0012ec74 0051790d xul!XPC_WN_CallMethod+0x173 [js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1740]
0012ed28 0051c654 js3250!js_Invoke+0x42d [js\src\jsinterp.cpp @ 1360]
0012ef64 00517766 js3250!js_Interpret+0x29c4 [js\src\jsops.cpp @ 2241]
0012f008 0050c1f3 js3250!js_Invoke+0x286 [js\src\jsinterp.cpp @ 1368]
0012f038 004ef727 js3250!js_InternalInvoke+0x103 [js\src\jsinterp.cpp @ 1423]
0012f060 101870a8 js3250!JS_CallFunctionValue+0x27 [js\src\jsapi.cpp @ 5115]
0012f0dc 1018bef3 xul!nsJSContext::CallEventHandler+0x188 [dom\base\nsjsenvironment.cpp @ 2198]
0012f288 1008673f xul!nsJSEventListener::HandleEvent+0x223 [dom\src\events\nsjseventlistener.cpp @ 269]
0012f378 1012b311 xul!nsEventListenerManager::HandleEventSubType+0x38 [content\events\src\nseventlistenermanager.cpp @ 1041]
0012f3d8 1012ad41 xul!nsEventListenerManager::HandleEvent+0x281 [content\events\src\nseventlistenermanager.cpp @ 1147]
0012f420 10117418 xul!nsEventTargetChainItem::HandleEventTargetChain+0x281 [content\events\src\nseventdispatcher.cpp @ 312]
0012f4ac 10071f3a xul!nsEventDispatcher::Dispatch+0x478 [content\events\src\nseventdispatcher.cpp @ 577]
0012f518 1008023c xul!DocumentViewerImpl::LoadComplete+0x100 [layout\base\nsdocumentviewer.cpp @ 1036]
0012f708 10095402 xul!nsDocShell::EndPageLoad+0xda [docshell\base\nsdocshell.cpp @ 5722]
0012f730 100da833 xul!nsDocShell::OnStateChange+0xa2 [docshell\base\nsdocshell.cpp @ 5587]
0012f76c 100417d3 xul!nsDocLoader::FireOnStateChange+0x123 [uriloader\base\nsdocloader.cpp @ 1314]
0012f780 10084015 xul!nsDocLoader::doStopDocumentLoad+0x1c [uriloader\base\nsdocloader.cpp @ 937]
0012f7b0 100aba6b xul!nsDocLoader::DocLoaderIsEmpty+0x155 [uriloader\base\nsdocloader.cpp @ 804]
0012f7dc 10174d00 xul!nsDocLoader::OnStopRequest+0xdb [uriloader\base\nsdocloader.cpp @ 697]
0012f810 101ad388 xul!nsLoadGroup::RemoveRequest+0xc0 [netwerk\base\src\nsloadgroup.cpp @ 680]
0012f830 101acc20 xul!nsDocument::DoUnblockOnload+0x4f [content\base\src\nsdocument.cpp @ 7179]
0012f838 101acc75 xul!nsDocument::UnblockOnload+0x5d [content\base\src\nsdocument.cpp @ 7120]
0012f84c 10020f4d xul!nsBindingManager::DoProcessAttachedQueue+0x53 [content\xbl\src\nsbindingmanager.cpp @ 996]
0012f850 100f41d0 xul!nsRunnableMethod<nsBindingManager,void>::Run+0xe [obj-firefox\dist\include\nsthreadutils.h @ 283]
0012f880 101a0552 xul!nsThread::ProcessNextEvent+0x210 [xpcom\threads\nsthread.cpp @ 533]
0012f8a8 10230895 xul!NS_ProcessPendingEvents_P+0x25 [obj-firefox\xpcom\build\nsthreadutils.cpp @ 200]
0012f8b4 103f2535 xul!nsWindow::DispatchPendingEvents+0x2f [widget\src\windows\nswindow.cpp @ 3143]
0012f9b8 100d00e5 xul!nsWindow::ProcessMessage+0x337915
0012f9f4 7e368734 xul!nsWindow::WindowProc+0xf5 [widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e368816 USER32!InternalCallWinProc+0x28
0012fa88 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e368a10 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae USER32!DispatchMessageW+0xf
0012fb64 100d25c7 xul!nsAppShell::ProcessNextNativeEvent+0xae [widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 xul!nsBaseAppShell::OnProcessNextEvent+0x1f7 [widget\src\xpwidgets\nsbaseappshell.cpp @ 299]
0012fbc0 1015f939 xul!nsThread::ProcessNextEvent+0x155 [xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 xul!mozilla::ipc::MessagePump::Run+0x69 [ipc\glue\messagepump.cpp @ 110]
0012fc3c 1022a03b xul!MessageLoop::RunHandler+0x26 [ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 xul!MessageLoop::Run+0x1f [ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb xul!nsBaseAppShell::Run+0x34 [widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd xul!nsAppStartup::Run+0x1e [toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b xul!XRE_main+0xdc3 [toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 firefox!wmain+0x33b [toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 firefox!__tmainCRTStartup+0x152 [obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

dispatcher-use-after-free2.xul demonstrates EIP control and results in the following crash:

(574.614): Access violation - code c0000005 (!!! second chance !!!)
eax=0c301010 ebx=0c301021 ecx=0c301014 edx=c1c2c3c4 esi=0012eb48
edi=0012eb28
eip=c1c2c3c4 esp=0012eb0c ebp=0012ec3c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
c1c2c3c4 ?? ???


-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
status2.0: --- → unaffected
Whiteboard: [sg:critical]
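The flaw described above is the general "observer list mutated during dispatch" pattern: the loop walks mUpdaters, a callback empties the chain, and the loop then reads updater->mNext from a freed node. The following is an added example, not Mozilla's code and not the 1.9.2 patch attached to this bug (that fix landed via bug 583948 and is not reproduced here). It is a small constructed C++ model of such an updater chain, with the walk written so that removing or adding updaters from inside a callback cannot leave the loop holding a freed node. The names Dispatcher, Updater, RunDemo and the snapshot-plus-tombstone approach are assumptions chosen for illustration.

```cpp
// Added example (constructed model, not Mozilla code): an updater chain whose
// callbacks may mutate the chain while it is being walked.
#include <functional>
#include <initializer_list>
#include <memory>
#include <string>
#include <vector>

struct Dispatcher;

// One observer in the hypothetical updater chain. `removed` is the tombstone
// the dispatch loop checks before invoking a snapshotted entry.
struct Updater {
    std::string id;
    bool removed = false;
    std::function<void(Dispatcher&)> onUpdate;
};

struct Dispatcher {
    std::vector<std::shared_ptr<Updater>> updaters;  // plays the role of mUpdaters
    std::vector<std::string> fired;                  // ids dispatched this round

    void AddUpdater(const std::string& id, std::function<void(Dispatcher&)> cb) {
        auto u = std::make_shared<Updater>();
        u->id = id;
        u->onUpdate = std::move(cb);
        updaters.push_back(u);
    }

    // Removes every updater: the operation the advisory says page content can
    // force from inside a command-update dispatch.
    void RemoveAllUpdaters() {
        for (auto& u : updaters) u->removed = true;
        updaters.clear();
    }

    void RemoveUpdater(const std::string& id) {
        for (auto it = updaters.begin(); it != updaters.end(); ++it) {
            if ((*it)->id == id) { (*it)->removed = true; updaters.erase(it); return; }
        }
    }

    // Hardened walk. The unsafe form walks the live list and reads
    // updater->mNext after the callback returns; if the callback emptied the
    // list, that node (and its next pointer) is already freed. Here every
    // iteration owns a strong reference taken before any callback runs, so the
    // node cannot be freed under us, and the tombstone skips entries removed
    // earlier in the same round. Entries added during the round wait for the
    // next one.
    void UpdateCommands() {
        fired.clear();
        std::vector<std::shared_ptr<Updater>> snapshot = updaters;
        for (const auto& u : snapshot) {
            if (u->removed) continue;
            fired.push_back(u->id);
            u->onUpdate(*this);
        }
    }
};

struct DemoResult {
    int firedWhenFirstRemovesAll;  // expect 1: only "a" runs, b and c are tombstoned
    int remainingAfterRemoveAll;   // expect 0
    int firedWhenSelfRemoval;      // expect 3: each updater removes itself, all still run
    int firedWhenAddDuring;        // expect 2: the late entry waits for the next round
    int firedNextRound;            // expect 3
};

DemoResult RunDemo() {
    DemoResult r{};
    {   // Scenario 1: first callback tears down the whole chain mid-dispatch.
        Dispatcher d;
        d.AddUpdater("a", [](Dispatcher& dd) { dd.RemoveAllUpdaters(); });
        d.AddUpdater("b", [](Dispatcher&) {});
        d.AddUpdater("c", [](Dispatcher&) {});
        d.UpdateCommands();
        r.firedWhenFirstRemovesAll = static_cast<int>(d.fired.size());
        r.remainingAfterRemoveAll = static_cast<int>(d.updaters.size());
    }
    {   // Scenario 2: each callback removes itself while the walk is in progress.
        Dispatcher d;
        for (const char* id : {"a", "b", "c"}) {
            std::string s = id;
            d.AddUpdater(s, [s](Dispatcher& dd) { dd.RemoveUpdater(s); });
        }
        d.UpdateCommands();
        r.firedWhenSelfRemoval = static_cast<int>(d.fired.size());
    }
    {   // Scenario 3: a callback registers a new updater during dispatch.
        Dispatcher d;
        d.AddUpdater("a", [](Dispatcher& dd) { dd.AddUpdater("late", [](Dispatcher&) {}); });
        d.AddUpdater("b", [](Dispatcher&) {});
        d.UpdateCommands();
        r.firedWhenAddDuring = static_cast<int>(d.fired.size());
        d.UpdateCommands();
        r.firedNextRound = static_cast<int>(d.fired.size());
    }
    return r;
}
```

Compiles with any C++11 compiler; RunDemo() returns the per-scenario counts. Holding a strong reference across the callback is what turns the stale updater->mNext read into a non-issue, and the tombstone keeps an updater that was removed earlier in the round from being notified after its removal, which a plain snapshot alone would not prevent.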
(Assignee)

Comment 1

6 years ago
This is bug 583948.
Neil, it looks like you fixed this over in bug 583948 on trunk. Could you land the fix on 1.9.2, assuming that makes sense as a way to fix this?
Assignee: nobody → enndeakin
Neil, does it make sense to do the backport asked about above?
tracking-firefox5: --- → -
Neil?
status-firefox5: --- → unaffected
tracking-firefox6: --- → -
blocking1.9.2: --- → .18+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
status-firefox5: unaffected → ---
tracking-firefox6: - → ---
Depends on: 583948
Neil, any thoughts here?

Updated

6 years ago
status-firefox5: --- → fixed
status-firefox6: --- → fixed
status-firefox7: --- → fixed
tracking-firefox6: --- → -
tracking-firefox7: --- → -
(Assignee)

Comment 6

6 years ago
Created attachment 537034 [details] [diff] [review]
1.9.2 patch

I'm unable to test this right now, but it should work.
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.2 testing]
Attachment #537034 - Flags: feedback?(dveditz)

Comment 7

6 years ago
Neil, do you have time to test the fix today?
(Assignee)

Comment 8

6 years ago
No, I can no longer build 1.9.2
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

This patch fixes the crash in my debug Mac 3.6.18pre build.
Attachment #537034 - Flags: feedback?(dveditz) → feedback+
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

Approved for 1.9.2.18, a=dveditz
Attachment #537034 - Flags: approval1.9.2.18+
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2f84a687522f
status1.9.2: wanted → .18-fixed
status-firefox5: fixed → unaffected
status-firefox6: fixed → unaffected
status-firefox7: fixed → unaffected
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 12

6 years ago
The PoC looks password protected, can you unclassify it please?
(Reporter)

Comment 13

6 years ago
Password is ZDI-CAN-1203
Verified fixed in 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18) with PoC. Both XUL files cleanly crash in 1.9.1.17 but are fine post-fix.
Keywords: verified1.9.2
Alias: CVE-2011-0085
Group: core-security