Bug 648100 - (CVE-2011-0085) Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability (ZDI-CAN-1203)
Status: RESOLVED FIXED
Whiteboard: [sg:critical][needs 1.9.2 testing]
Keywords: verified1.9.2
Product: Core
Classification: Components
Component: XUL
Version: 1.9.2 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Neil Deakin
Depends on: 583948
Blocks:
Reported: 2011-04-06 13:36 PDT by Brandon Sterne (:bsterne)
Modified: 2011-07-12 09:06 PDT (History)
Attachments
1.9.2 patch (4.46 KB, patch)
2011-06-02 17:24 PDT, Neil Deakin
dveditz: feedback+
dveditz: approval1.9.2.18+

Description Brandon Sterne (:bsterne) 2011-04-06 13:36:42 PDT
Created attachment 524251 [details]
PoC

ZDI-CAN-1203: Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability

-- CVSS ----------------------------------------------------------------
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following products:

    Mozilla Firefox

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within nsXULCommandDispatcher.cpp. During a NS_XUL_COMMAND_UPDATE event dispatch, the user is able to force the command dispatcher to remove all the updaters in the mUpdaters chain, including the one that is currently in use. As a result, the local variable updater becomes a stale pointer and updater->mNext refers to memory previously freed. Successful exploitation can lead to code execution in the context of the browser.

Version(s)  tested: 3.6.16
Platform(s) tested: Windows XP SP3


dispatcher-use-after-free1.xul results in the following crash:

(700.4b0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=0012e7e4 edx=c1c2c3c8 esi=0012ec4c edi=0012ec4c
eip=101a501e esp=0012e7dc ebp=c1c2c3c8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
xul!nsXULCommandDispatcher::Matches+0xe:
101a501e 395d04          cmp     dword ptr [ebp+4],ebx  ss:0023:c1c2c3cc=????????
0:000> k
ChildEBP RetAddr
0012e7ec 1008d44b xul!nsXULCommandDispatcher::Matches+0xe [content\xul\document\src\nsxulcommanddispatcher.cpp @ 462]
0012e8fc 1027415b xul!nsXULCommandDispatcher::UpdateCommands+0x9b [content\xul\document\src\nsxulcommanddispatcher.cpp @ 412]
0012e910 10118e9e xul!NS_InvokeByIndex_P+0x27 [xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 103]
0012eba8 10114cb3 xul!XPCWrappedNative::CallMethod+0x52e [js\src\xpconnect\src\xpcwrappednative.cpp @ 2722]
0012ec74 0051790d xul!XPC_WN_CallMethod+0x173 [js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1740]
0012ed28 0051c654 js3250!js_Invoke+0x42d [js\src\jsinterp.cpp @ 1360]
0012ef64 00517766 js3250!js_Interpret+0x29c4 [js\src\jsops.cpp @ 2241]
0012f008 0050c1f3 js3250!js_Invoke+0x286 [js\src\jsinterp.cpp @ 1368]
0012f038 004ef727 js3250!js_InternalInvoke+0x103 [js\src\jsinterp.cpp @ 1423]
0012f060 101870a8 js3250!JS_CallFunctionValue+0x27 [js\src\jsapi.cpp @ 5115]
0012f0dc 1018bef3 xul!nsJSContext::CallEventHandler+0x188 [dom\base\nsjsenvironment.cpp @ 2198]
0012f288 1008673f xul!nsJSEventListener::HandleEvent+0x223 [dom\src\events\nsjseventlistener.cpp @ 269]
0012f378 1012b311 xul!nsEventListenerManager::HandleEventSubType+0x38 [content\events\src\nseventlistenermanager.cpp @ 1041]
0012f3d8 1012ad41 xul!nsEventListenerManager::HandleEvent+0x281 [content\events\src\nseventlistenermanager.cpp @ 1147]
0012f420 10117418 xul!nsEventTargetChainItem::HandleEventTargetChain+0x281 [content\events\src\nseventdispatcher.cpp @ 312]
0012f4ac 10071f3a xul!nsEventDispatcher::Dispatch+0x478 [content\events\src\nseventdispatcher.cpp @ 577]
0012f518 1008023c xul!DocumentViewerImpl::LoadComplete+0x100 [layout\base\nsdocumentviewer.cpp @ 1036]
0012f708 10095402 xul!nsDocShell::EndPageLoad+0xda [docshell\base\nsdocshell.cpp @ 5722]
0012f730 100da833 xul!nsDocShell::OnStateChange+0xa2 [docshell\base\nsdocshell.cpp @ 5587]
0012f76c 100417d3 xul!nsDocLoader::FireOnStateChange+0x123 [uriloader\base\nsdocloader.cpp @ 1314]
0012f780 10084015 xul!nsDocLoader::doStopDocumentLoad+0x1c [uriloader\base\nsdocloader.cpp @ 937]
0012f7b0 100aba6b xul!nsDocLoader::DocLoaderIsEmpty+0x155 [uriloader\base\nsdocloader.cpp @ 804]
0012f7dc 10174d00 xul!nsDocLoader::OnStopRequest+0xdb [uriloader\base\nsdocloader.cpp @ 697]
0012f810 101ad388 xul!nsLoadGroup::RemoveRequest+0xc0 [netwerk\base\src\nsloadgroup.cpp @ 680]
0012f830 101acc20 xul!nsDocument::DoUnblockOnload+0x4f [content\base\src\nsdocument.cpp @ 7179]
0012f838 101acc75 xul!nsDocument::UnblockOnload+0x5d [content\base\src\nsdocument.cpp @ 7120]
0012f84c 10020f4d xul!nsBindingManager::DoProcessAttachedQueue+0x53 [content\xbl\src\nsbindingmanager.cpp @ 996]
0012f850 100f41d0 xul!nsRunnableMethod<nsBindingManager,void>::Run+0xe [obj-firefox\dist\include\nsthreadutils.h @ 283]
0012f880 101a0552 xul!nsThread::ProcessNextEvent+0x210 [xpcom\threads\nsthread.cpp @ 533]
0012f8a8 10230895 xul!NS_ProcessPendingEvents_P+0x25 [obj-firefox\xpcom\build\nsthreadutils.cpp @ 200]
0012f8b4 103f2535 xul!nsWindow::DispatchPendingEvents+0x2f [widget\src\windows\nswindow.cpp @ 3143]
0012f9b8 100d00e5 xul!nsWindow::ProcessMessage+0x337915
0012f9f4 7e368734 xul!nsWindow::WindowProc+0xf5 [widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e368816 USER32!InternalCallWinProc+0x28
0012fa88 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e368a10 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae USER32!DispatchMessageW+0xf
0012fb64 100d25c7 xul!nsAppShell::ProcessNextNativeEvent+0xae [widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 xul!nsBaseAppShell::OnProcessNextEvent+0x1f7 [widget\src\xpwidgets\nsbaseappshell.cpp @ 299]
0012fbc0 1015f939 xul!nsThread::ProcessNextEvent+0x155 [xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 xul!mozilla::ipc::MessagePump::Run+0x69 [ipc\glue\messagepump.cpp @ 110]
0012fc3c 1022a03b xul!MessageLoop::RunHandler+0x26 [ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 xul!MessageLoop::Run+0x1f [ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb xul!nsBaseAppShell::Run+0x34 [widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd xul!nsAppStartup::Run+0x1e [toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b xul!XRE_main+0xdc3 [toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 firefox!wmain+0x33b [toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 firefox!__tmainCRTStartup+0x152 [obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

dispatcher-use-after-free2.xul demonstrates EIP control and results in the following crash:

(574.614): Access violation - code c0000005 (!!! second chance !!!)
eax=0c301010 ebx=0c301021 ecx=0c301014 edx=c1c2c3c4 esi=0012eb48 edi=0012eb28
eip=c1c2c3c4 esp=0012eb0c ebp=0012ec3c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
c1c2c3c4 ?? ???


-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
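The defect class the report describes (walking the mUpdaters chain while a callback can empty it, leaving the local updater stale) as an added C++ illustration; this is not Gecko code and not the bug 583948 patch. The names Updater, Dispatcher, removeAll, updateUnsafe and updateSafe are invented, and the `freed` flag stands in for real deallocation so the stale access is detectable instead of undefined behaviour.

```cpp
#include <functional>
#include <memory>
#include <vector>
// Toy updater node modelled on the report's mUpdaters singly-linked chain (not Gecko code).
struct Updater {
    int id = 0;
    bool freed = false;        // stands in for the node having been deleted
    Updater* mNext = nullptr;
};
struct Dispatcher {
    using Callback = std::function<void(Dispatcher&, int)>;
    Updater* mUpdaters = nullptr;
    std::vector<std::unique_ptr<Updater>> arena;  // nodes stay inspectable after "free"
    void add(int id) {
        arena.push_back(std::unique_ptr<Updater>(new Updater));
        arena.back()->id = id;
        arena.back()->mNext = mUpdaters;
        mUpdaters = arena.back().get();
    }
    // Script-reachable removal: unlinks and "frees" every updater in the chain.
    void removeAll() {
        for (Updater* u = mUpdaters; u; u = u->mNext) u->freed = true;
        mUpdaters = nullptr;
    }
    // Vulnerable shape: walks the live chain while a callback may mutate it.
    // Returns -1 when the loop is about to read updater->mNext from a freed node.
    int updateUnsafe(const Callback& onUpdate) {
        int visited = 0;
        for (Updater* updater = mUpdaters; updater; updater = updater->mNext) {
            onUpdate(*this, updater->id);   // may call removeAll()
            ++visited;
            if (updater->freed) return -1;  // the stale updater->mNext read in the report
        }
        return visited;
    }
    // Hardened shape: snapshot the chain (in Gecko terms, hold owning references)
    // before any callback runs, so chain mutation cannot invalidate the walk.
    int updateSafe(const Callback& onUpdate) {
        std::vector<int> snapshot;
        for (Updater* u = mUpdaters; u; u = u->mNext) snapshot.push_back(u->id);
        for (int id : snapshot) onUpdate(*this, id);
        return static_cast<int>(snapshot.size());
    }
};
static Dispatcher makeChain() { Dispatcher d; d.add(1); d.add(2); d.add(3); return d; }
static void removeDuringUpdate(Dispatcher& d, int) { d.removeAll(); }  // hostile callback
int unsafeWithRemoval() { Dispatcher d = makeChain(); return d.updateUnsafe(removeDuringUpdate); }
int safeWithRemoval()   { Dispatcher d = makeChain(); return d.updateSafe(removeDuringUpdate); }
int unsafeBenign()      { Dispatcher d = makeChain(); return d.updateUnsafe([](Dispatcher&, int) {}); }
```

With a benign callback both walks visit all three updaters; with a callback that empties the chain, the unsafe walk would dereference a freed node on its next step while the snapshot walk completes normally.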
Comment 1 Neil Deakin 2011-04-06 13:59:39 PDT
This is bug 583948.
Comment 2 David Mandelin [:dmandelin] 2011-04-14 14:00:46 PDT
Neil, it looks like you fixed this over in bug 583948 on trunk. Could you land the fix on 1.9.2, assuming that makes sense as a way to fix this?
Comment 3 Johnny Stenback (:jst, jst@mozilla.com) 2011-04-28 14:23:24 PDT
Neil, does it make sense to do the backport asked about above?
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2011-05-19 13:51:40 PDT
Neil?
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2011-06-02 13:50:47 PDT
Neil, any thoughts here?
Comment 6 Neil Deakin 2011-06-02 17:24:49 PDT
Created attachment 537034 [details] [diff] [review]
1.9.2 patch

I'm unable to test this right now, but it should work.
Comment 7 christian 2011-06-06 10:20:42 PDT
Neil, do you have time to test the fix today?
Comment 8 Neil Deakin 2011-06-06 12:13:32 PDT
No, I can no longer build 1.9.2
Comment 9 Daniel Veditz [:dveditz] 2011-06-08 23:42:18 PDT
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

This patch fixes the crash in my debug Mac 3.6.18pre build.
Comment 10 Daniel Veditz [:dveditz] 2011-06-08 23:56:01 PDT
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

Approved for 1.9.2.18, a=dveditz
Comment 11 Daniel Veditz [:dveditz] 2011-06-09 00:02:04 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2f84a687522f
Comment 12 Martin Stránský 2011-06-13 08:03:45 PDT
The PoC looks password protected, can you unclassify it please?
Comment 13 Brandon Sterne (:bsterne) 2011-06-13 13:14:31 PDT
Password is ZDI-CAN-1203
Comment 14 Al Billings [:abillings] 2011-06-14 14:20:00 PDT
Verified fixed in 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18) with PoC. Both XUL files cleanly crash in 1.9.1.17 but are fine post-fix.
