Closed Bug 648100 (CVE-2011-0085) Opened 14 years ago Closed 14 years ago

Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability (ZDI-CAN-1203)

Categories

(Core :: XUL, defect)

1.9.2 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox5 - unaffected
firefox6 - unaffected
firefox7 - unaffected
status2.0 --- unaffected
blocking1.9.2 --- .18+
status1.9.2 --- .18-fixed
status1.9.1 --- wanted

People

(Reporter: bsterne, Assigned: enndeakin)

References

Details

(Keywords: verified1.9.2, Whiteboard: [sg:critical][needs 1.9.2 testing])

Attachments

(1 file)

Attached file PoC
ZDI-CAN-1203: Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability

-- CVSS ----------------------------------------------------------------
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- ABSTRACT ------------------------------------------------------------
TippingPoint has identified a vulnerability affecting the following products:
Mozilla Firefox

-- VULNERABILITY DETAILS -----------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within nsXULCommandDispatcher.cpp. During a NS_XUL_COMMAND_UPDATE event dispatch, the user is able to force the command dispatcher to remove all the updaters in the mUpdaters chain, including the one that is currently in use. As a result, the local variable updater becomes a stale pointer and updater->mNext refers to memory previously freed. Successful exploitation can lead to code execution in the context of the browser.

Version(s) tested: 3.6.16
Platform(s) tested: Windows XP SP3

dispatcher-use-after-free1.xul results in the following crash:

(700.4b0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=0012e7e4 edx=c1c2c3c8 esi=0012ec4c edi=0012ec4c
eip=101a501e esp=0012e7dc ebp=c1c2c3c8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
xul!nsXULCommandDispatcher::Matches+0xe:
101a501e 395d04          cmp     dword ptr [ebp+4],ebx ss:0023:c1c2c3cc=????????

0:000> k
ChildEBP RetAddr
0012e7ec 1008d44b xul!nsXULCommandDispatcher::Matches+0xe [content\xul\document\src\nsxulcommanddispatcher.cpp @ 462]
0012e8fc 1027415b xul!nsXULCommandDispatcher::UpdateCommands+0x9b [content\xul\document\src\nsxulcommanddispatcher.cpp @ 412]
0012e910 10118e9e xul!NS_InvokeByIndex_P+0x27 [xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 103]
0012eba8 10114cb3 xul!XPCWrappedNative::CallMethod+0x52e [js\src\xpconnect\src\xpcwrappednative.cpp @ 2722]
0012ec74 0051790d xul!XPC_WN_CallMethod+0x173 [js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1740]
0012ed28 0051c654 js3250!js_Invoke+0x42d [js\src\jsinterp.cpp @ 1360]
0012ef64 00517766 js3250!js_Interpret+0x29c4 [js\src\jsops.cpp @ 2241]
0012f008 0050c1f3 js3250!js_Invoke+0x286 [js\src\jsinterp.cpp @ 1368]
0012f038 004ef727 js3250!js_InternalInvoke+0x103 [js\src\jsinterp.cpp @ 1423]
0012f060 101870a8 js3250!JS_CallFunctionValue+0x27 [js\src\jsapi.cpp @ 5115]
0012f0dc 1018bef3 xul!nsJSContext::CallEventHandler+0x188 [dom\base\nsjsenvironment.cpp @ 2198]
0012f288 1008673f xul!nsJSEventListener::HandleEvent+0x223 [dom\src\events\nsjseventlistener.cpp @ 269]
0012f378 1012b311 xul!nsEventListenerManager::HandleEventSubType+0x38 [content\events\src\nseventlistenermanager.cpp @ 1041]
0012f3d8 1012ad41 xul!nsEventListenerManager::HandleEvent+0x281 [content\events\src\nseventlistenermanager.cpp @ 1147]
0012f420 10117418 xul!nsEventTargetChainItem::HandleEventTargetChain+0x281 [content\events\src\nseventdispatcher.cpp @ 312]
0012f4ac 10071f3a xul!nsEventDispatcher::Dispatch+0x478 [content\events\src\nseventdispatcher.cpp @ 577]
0012f518 1008023c xul!DocumentViewerImpl::LoadComplete+0x100 [layout\base\nsdocumentviewer.cpp @ 1036]
0012f708 10095402 xul!nsDocShell::EndPageLoad+0xda [docshell\base\nsdocshell.cpp @ 5722]
0012f730 100da833 xul!nsDocShell::OnStateChange+0xa2 [docshell\base\nsdocshell.cpp @ 5587]
0012f76c 100417d3 xul!nsDocLoader::FireOnStateChange+0x123 [uriloader\base\nsdocloader.cpp @ 1314]
0012f780 10084015 xul!nsDocLoader::doStopDocumentLoad+0x1c [uriloader\base\nsdocloader.cpp @ 937]
0012f7b0 100aba6b xul!nsDocLoader::DocLoaderIsEmpty+0x155 [uriloader\base\nsdocloader.cpp @ 804]
0012f7dc 10174d00 xul!nsDocLoader::OnStopRequest+0xdb [uriloader\base\nsdocloader.cpp @ 697]
0012f810 101ad388 xul!nsLoadGroup::RemoveRequest+0xc0 [netwerk\base\src\nsloadgroup.cpp @ 680]
0012f830 101acc20 xul!nsDocument::DoUnblockOnload+0x4f [content\base\src\nsdocument.cpp @ 7179]
0012f838 101acc75 xul!nsDocument::UnblockOnload+0x5d [content\base\src\nsdocument.cpp @ 7120]
0012f84c 10020f4d xul!nsBindingManager::DoProcessAttachedQueue+0x53 [content\xbl\src\nsbindingmanager.cpp @ 996]
0012f850 100f41d0 xul!nsRunnableMethod<nsBindingManager,void>::Run+0xe [obj-firefox\dist\include\nsthreadutils.h @ 283]
0012f880 101a0552 xul!nsThread::ProcessNextEvent+0x210 [xpcom\threads\nsthread.cpp @ 533]
0012f8a8 10230895 xul!NS_ProcessPendingEvents_P+0x25 [obj-firefox\xpcom\build\nsthreadutils.cpp @ 200]
0012f8b4 103f2535 xul!nsWindow::DispatchPendingEvents+0x2f [widget\src\windows\nswindow.cpp @ 3143]
0012f9b8 100d00e5 xul!nsWindow::ProcessMessage+0x337915
0012f9f4 7e368734 xul!nsWindow::WindowProc+0xf5 [widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e368816 USER32!InternalCallWinProc+0x28
0012fa88 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e368a10 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae USER32!DispatchMessageW+0xf
0012fb64 100d25c7 xul!nsAppShell::ProcessNextNativeEvent+0xae [widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 xul!nsBaseAppShell::OnProcessNextEvent+0x1f7 [widget\src\xpwidgets\nsbaseappshell.cpp @ 299]
0012fbc0 1015f939 xul!nsThread::ProcessNextEvent+0x155 [xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 xul!mozilla::ipc::MessagePump::Run+0x69 [ipc\glue\messagepump.cpp @ 110]
0012fc3c 1022a03b xul!MessageLoop::RunHandler+0x26 [ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 xul!MessageLoop::Run+0x1f [ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb xul!nsBaseAppShell::Run+0x34 [widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd xul!nsAppStartup::Run+0x1e [toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b xul!XRE_main+0xdc3 [toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 firefox!wmain+0x33b [toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 firefox!__tmainCRTStartup+0x152 [obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

dispatcher-use-after-free2.xul demonstrates EIP control and results in the following crash:

(574.614): Access violation - code c0000005 (!!! second chance !!!)
eax=0c301010 ebx=0c301021 ecx=0c301014 edx=c1c2c3c4 esi=0012eb48 edi=0012eb28
eip=c1c2c3c4 esp=0012eb0c ebp=0012ec3c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
c1c2c3c4 ??              ???

-- CREDIT --------------------------------------------------------------
This vulnerability was discovered by:
* regenrecht
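The advisory's root cause is a walk over a linked chain whose callbacks may unlink and free the very node being walked. The following is an added C example, not Mozilla code and not the patch from bug 583948; the names Dispatcher, Updater, dispatcher_update_commands and the refcnt field are assumptions made for the illustration. It keeps the unsafe loop shape in a comment only and shows one hardened traversal: snapshot the chain and hold a reference on every entry before any callback runs, so a callback that removes everything (as the PoC does) cannot leave the loop holding freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example: a toy model of an updater chain like the mUpdaters list in
 * the advisory. Each updater is a callback that runs during a command update
 * and is allowed to mutate the chain, including removing every updater. */
struct Dispatcher;
typedef void (*UpdateFn)(struct Dispatcher *d);

typedef struct Updater {
    UpdateFn fn;
    int refcnt;               /* intrusive reference count; freed at zero */
    struct Updater *next;
} Updater;

typedef struct Dispatcher {
    Updater *updaters;        /* head of the chain (hypothetical field name) */
    int updates_seen;         /* number of callbacks that actually ran */
} Dispatcher;

static void updater_release(Updater *u)
{
    if (--u->refcnt == 0)
        free(u);
}

void dispatcher_add(Dispatcher *d, UpdateFn fn)
{
    Updater *u = calloc(1, sizeof *u);
    u->fn = fn;
    u->refcnt = 1;            /* the chain owns one reference */
    u->next = d->updaters;    /* push at head: newest runs first */
    d->updaters = u;
}

/* What a hostile callback does in the advisory: drop the whole chain. */
void dispatcher_remove_all(Dispatcher *d)
{
    Updater *u = d->updaters;
    d->updaters = NULL;
    while (u) {
        Updater *next = u->next;
        updater_release(u);
        u = next;
    }
}

static int dispatcher_contains(const Dispatcher *d, const Updater *u)
{
    for (const Updater *cur = d->updaters; cur; cur = cur->next)
        if (cur == u)
            return 1;
    return 0;
}

/* Unsafe shape (comment only):   for (u = head; u; u = u->next) u->fn(d);
 * Once fn() removes the chain, u is freed and u->next reads freed memory,
 * which is the stale updater->mNext the advisory describes.
 *
 * Hardened: snapshot the chain with a reference on every entry before any
 * callback runs. Callbacks may unlink and release freely; nothing in the
 * snapshot is freed until the end. Entries unlinked by an earlier callback
 * are skipped. Returns the number of callbacks that ran. */
int dispatcher_update_commands(Dispatcher *d)
{
    int n = 0;
    for (Updater *u = d->updaters; u; u = u->next)
        n++;
    if (n == 0)
        return 0;

    Updater **snapshot = malloc((size_t)n * sizeof *snapshot);
    int i = 0;
    for (Updater *u = d->updaters; u; u = u->next) {
        u->refcnt++;          /* keep it alive for the whole dispatch */
        snapshot[i++] = u;
    }

    int ran = 0;
    for (i = 0; i < n; i++) {
        if (dispatcher_contains(d, snapshot[i])) {  /* still registered? */
            snapshot[i]->fn(d);
            ran++;
        }
    }
    for (i = 0; i < n; i++)
        updater_release(snapshot[i]);  /* frees entries removed above */
    free(snapshot);
    return ran;
}

/* Constructed callbacks: a benign one and one that removes the entire chain
 * while it is being walked, mirroring the PoC's behaviour. */
void benign_updater(Dispatcher *d)     { d->updates_seen++; }
void remove_all_updater(Dispatcher *d) { d->updates_seen++; dispatcher_remove_all(d); }

/* Chain is [remove_all, benign]; the remover runs, the benign one is skipped
 * because it is no longer registered, and a second update runs nothing. */
int run_hostile_scenario(void)
{
    Dispatcher d = { NULL, 0 };
    dispatcher_add(&d, benign_updater);
    dispatcher_add(&d, remove_all_updater);
    int ran = dispatcher_update_commands(&d);
    ran += dispatcher_update_commands(&d);
    return ran;               /* 1 */
}

/* Two benign updaters: both run, and the chain survives intact. */
int run_benign_scenario(void)
{
    Dispatcher d = { NULL, 0 };
    dispatcher_add(&d, benign_updater);
    dispatcher_add(&d, benign_updater);
    int ran = dispatcher_update_commands(&d);
    int ok = (ran == d.updates_seen && d.updaters != NULL);
    dispatcher_remove_all(&d);
    return ok ? ran : -1;     /* 2 */
}

int main(void)
{
    printf("hostile: %d callbacks ran, benign: %d callbacks ran\n",
           run_hostile_scenario(), run_benign_scenario());
    return 0;
}
```

Running the hostile scenario under AddressSanitizer or Valgrind is a useful check for any variant of this pattern: with the snapshot the run is clean, whereas the commented-out loop shape reports a heap-use-after-free on the first `u->next` after the removing callback returns.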
Whiteboard: [sg:critical]
This is bug 583948.
Neil, it looks like you fixed this over in bug 583948 on trunk. Could you land the fix on 1.9.2, assuming that makes sense as a way to fix this?
Assignee: nobody → enndeakin
Neil, does it make sense to do the backport asked about above?
blocking1.9.2: --- → .18+
Depends on: 583948
Neil, any thoughts here?
Attached patch 1.9.2 patch
I'm unable to test this right now, but it should work.
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.2 testing]
Attachment #537034 - Flags: feedback?(dveditz)
Neil, do you have time to test the fix today?
No, I can no longer build 1.9.2
Comment on attachment 537034 [details] [diff] [review] 1.9.2 patch
This patch fixes the crash in my debug Mac 3.6.18pre build.
Attachment #537034 - Flags: feedback?(dveditz) → feedback+
Comment on attachment 537034 [details] [diff] [review] 1.9.2 patch
Approved for 1.9.2.18, a=dveditz
Attachment #537034 - Flags: approval1.9.2.18+
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
The PoC looks password protected, can you unclassify it please?
Password is ZDI-CAN-1203
Verified fixed in 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18) with PoC. Both XUL files cleanly crash in 1.9.1.17 but are fine post-fix.
Keywords: verified1.9.2
Alias: CVE-2011-0085
Group: core-security