Bug 648100 (CVE-2011-0085)

Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability (ZDI-CAN-1203)

Status: RESOLVED FIXED
Product: Core
Component: XUL
Reported: 6 years ago
Modified: 6 years ago

People: Reporter: bsterne, Assigned: Neil Deakin (not available until Aug 9)

Tracking
Version: 1.9.2 Branch
Keywords: verified1.9.2
Points: ---

Firefox Tracking Flags: firefox5- unaffected, firefox6- unaffected, firefox7- unaffected, status2.0 unaffected, blocking1.9.2 .18+, status1.9.2 .18-fixed, status1.9.1 wanted

Whiteboard: [sg:critical][needs 1.9.2 testing]

Attachments: 1 attachment

(Reporter)

Description

6 years ago
Created attachment 524251 [details]
PoC

ZDI-CAN-1203: Mozilla Firefox nsXULCommandDispatcher Remote Code Execution Vulnerability

-- CVSS ----------------------------------------------------------------
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following products:

    Mozilla Firefox

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within nsXULCommandDispatcher.cpp. During a NS_XUL_COMMAND_UPDATE event dispatch, the user is able to force the command dispatcher to remove all the updaters in the mUpdaters chain, including the one that is currently in use. As a result, the local variable updater becomes a stale pointer and updater->mNext refers to memory previously freed. Successful exploitation can lead to code execution in the context of the browser.

Version(s)  tested: 3.6.16
Platform(s) tested: Windows XP SP3


dispatcher-use-after-free1.xul results in the following crash:

(700.4b0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=0012e7e4 edx=c1c2c3c8 esi=0012ec4c edi=0012ec4c
eip=101a501e esp=0012e7dc ebp=c1c2c3c8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
xul!nsXULCommandDispatcher::Matches+0xe:
101a501e 395d04          cmp     dword ptr [ebp+4],ebx ss:0023:c1c2c3cc=????????
0:000> k
ChildEBP RetAddr
0012e7ec 1008d44b xul!nsXULCommandDispatcher::Matches+0xe [content\xul\document\src\nsxulcommanddispatcher.cpp @ 462]
0012e8fc 1027415b xul!nsXULCommandDispatcher::UpdateCommands+0x9b [content\xul\document\src\nsxulcommanddispatcher.cpp @ 412]
0012e910 10118e9e xul!NS_InvokeByIndex_P+0x27 [xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 103]
0012eba8 10114cb3 xul!XPCWrappedNative::CallMethod+0x52e [js\src\xpconnect\src\xpcwrappednative.cpp @ 2722]
0012ec74 0051790d xul!XPC_WN_CallMethod+0x173 [js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1740]
0012ed28 0051c654 js3250!js_Invoke+0x42d [js\src\jsinterp.cpp @ 1360]
0012ef64 00517766 js3250!js_Interpret+0x29c4 [js\src\jsops.cpp @ 2241]
0012f008 0050c1f3 js3250!js_Invoke+0x286 [js\src\jsinterp.cpp @ 1368]
0012f038 004ef727 js3250!js_InternalInvoke+0x103 [js\src\jsinterp.cpp @ 1423]
0012f060 101870a8 js3250!JS_CallFunctionValue+0x27 [js\src\jsapi.cpp @ 5115]
0012f0dc 1018bef3 xul!nsJSContext::CallEventHandler+0x188 [dom\base\nsjsenvironment.cpp @ 2198]
0012f288 1008673f xul!nsJSEventListener::HandleEvent+0x223 [dom\src\events\nsjseventlistener.cpp @ 269]
0012f378 1012b311 xul!nsEventListenerManager::HandleEventSubType+0x38 [content\events\src\nseventlistenermanager.cpp @ 1041]
0012f3d8 1012ad41 xul!nsEventListenerManager::HandleEvent+0x281 [content\events\src\nseventlistenermanager.cpp @ 1147]
0012f420 10117418 xul!nsEventTargetChainItem::HandleEventTargetChain+0x281 [content\events\src\nseventdispatcher.cpp @ 312]
0012f4ac 10071f3a xul!nsEventDispatcher::Dispatch+0x478 [content\events\src\nseventdispatcher.cpp @ 577]
0012f518 1008023c xul!DocumentViewerImpl::LoadComplete+0x100 [layout\base\nsdocumentviewer.cpp @ 1036]
0012f708 10095402 xul!nsDocShell::EndPageLoad+0xda [docshell\base\nsdocshell.cpp @ 5722]
0012f730 100da833 xul!nsDocShell::OnStateChange+0xa2 [docshell\base\nsdocshell.cpp @ 5587]
0012f76c 100417d3 xul!nsDocLoader::FireOnStateChange+0x123 [uriloader\base\nsdocloader.cpp @ 1314]
0012f780 10084015 xul!nsDocLoader::doStopDocumentLoad+0x1c [uriloader\base\nsdocloader.cpp @ 937]
0012f7b0 100aba6b xul!nsDocLoader::DocLoaderIsEmpty+0x155 [uriloader\base\nsdocloader.cpp @ 804]
0012f7dc 10174d00 xul!nsDocLoader::OnStopRequest+0xdb [uriloader\base\nsdocloader.cpp @ 697]
0012f810 101ad388 xul!nsLoadGroup::RemoveRequest+0xc0 [netwerk\base\src\nsloadgroup.cpp @ 680]
0012f830 101acc20 xul!nsDocument::DoUnblockOnload+0x4f [content\base\src\nsdocument.cpp @ 7179]
0012f838 101acc75 xul!nsDocument::UnblockOnload+0x5d [content\base\src\nsdocument.cpp @ 7120]
0012f84c 10020f4d xul!nsBindingManager::DoProcessAttachedQueue+0x53 [content\xbl\src\nsbindingmanager.cpp @ 996]
0012f850 100f41d0 xul!nsRunnableMethod<nsBindingManager,void>::Run+0xe [obj-firefox\dist\include\nsthreadutils.h @ 283]
0012f880 101a0552 xul!nsThread::ProcessNextEvent+0x210 [xpcom\threads\nsthread.cpp @ 533]
0012f8a8 10230895 xul!NS_ProcessPendingEvents_P+0x25 [obj-firefox\xpcom\build\nsthreadutils.cpp @ 200]
0012f8b4 103f2535 xul!nsWindow::DispatchPendingEvents+0x2f [widget\src\windows\nswindow.cpp @ 3143]
0012f9b8 100d00e5 xul!nsWindow::ProcessMessage+0x337915
0012f9f4 7e368734 xul!nsWindow::WindowProc+0xf5 [widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e368816 USER32!InternalCallWinProc+0x28
0012fa88 7e3689cd USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e368a10 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae USER32!DispatchMessageW+0xf
0012fb64 100d25c7 xul!nsAppShell::ProcessNextNativeEvent+0xae [widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 xul!nsBaseAppShell::OnProcessNextEvent+0x1f7 [widget\src\xpwidgets\nsbaseappshell.cpp @ 299]
0012fbc0 1015f939 xul!nsThread::ProcessNextEvent+0x155 [xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 xul!mozilla::ipc::MessagePump::Run+0x69 [ipc\glue\messagepump.cpp @ 110]
0012fc3c 1022a03b xul!MessageLoop::RunHandler+0x26 [ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 xul!MessageLoop::Run+0x1f [ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb xul!nsBaseAppShell::Run+0x34 [widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd xul!nsAppStartup::Run+0x1e [toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b xul!XRE_main+0xdc3 [toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 firefox!wmain+0x33b [toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 firefox!__tmainCRTStartup+0x152 [obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000000 kernel32!BaseProcessStart+0x23

dispatcher-use-after-free2.xul demonstrates EIP control and results in the following crash:

(574.614): Access violation - code c0000005 (!!! second chance !!!)
eax=0c301010 ebx=0c301021 ecx=0c301014 edx=c1c2c3c4 esi=0012eb48 edi=0012eb28
eip=c1c2c3c4 esp=0012eb0c ebp=0012ec3c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
c1c2c3c4 ?? ???


-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * regenrecht
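
The stale-pointer condition described in the report above, as an added C++ example (not Mozilla's code and not the patch from bug 583948). `Updater`, `Dispatcher` and `demo` are hypothetical stand-ins; the example shows one common way to keep a handler that removes every updater from invalidating the traversal: take owning references to the chain before dispatching, and skip entries that were unregistered mid-dispatch.

```cpp
// Added illustration: Updater, Dispatcher and demo() are hypothetical, not Mozilla's classes.
#include <functional>
#include <memory>
#include <utility>
#include <vector>
struct Dispatcher;
struct Updater {
    int id = 0;
    bool live = true;                           // false once unregistered
    std::function<void(Dispatcher&)> onUpdate;  // handler may mutate the chain
    std::shared_ptr<Updater> next;
};

struct Dispatcher {
    std::shared_ptr<Updater> head;
    void add(int id, std::function<void(Dispatcher&)> fn) {
        auto u = std::make_shared<Updater>();
        u->id = id; u->onUpdate = std::move(fn); u->next = head; head = u;
    }
    void clear() {  // what a handler can trigger in the middle of a dispatch
        for (auto u = head; u;) {
            auto n = u->next; u->live = false; u->next.reset(); u = n;
        }
        head.reset();
    }
    // Unsafe shape (the bug class in the report), shown only as a comment:
    //   for (Updater* u = first; u; u = u->mNext) fire(u);
    // If fire() frees the chain, u is stale and u->mNext reads freed memory.
    int updateCommands() {
        std::vector<std::shared_ptr<Updater>> snapshot;  // owning references
        for (auto u = head; u; u = u->next) snapshot.push_back(u);
        int fired = 0;
        for (auto& u : snapshot) {
            if (!u->live) continue;  // removed mid-dispatch: skip, memory still valid
            ++fired;
            if (u->onUpdate) u->onUpdate(*this);
        }
        return fired;
    }
};

int demo(bool clearInHandler) {
    Dispatcher d;
    d.add(1, nullptr); d.add(2, nullptr);
    if (clearInHandler) d.add(3, [](Dispatcher& self) { self.clear(); });
    else d.add(3, nullptr);
    return d.updateCommands();  // 1 when updater 3 clears the chain, else 3
}
int main() { return (demo(true) == 1 && demo(false) == 3) ? 0 : 1; }
```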
status2.0: --- → unaffected
Whiteboard: [sg:critical]
This is bug 583948.
Neil, it looks like you fixed this over in bug 583948 on trunk. Could you land the fix on 1.9.2, assuming that makes sense as a way to fix this?
Assignee: nobody → enndeakin
Neil, does it make sense to do the backport asked about above?
tracking-firefox5: --- → -
Neil?
status-firefox5: --- → unaffected
tracking-firefox6: --- → -
blocking1.9.2: --- → .18+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
status-firefox5: unaffected → ---
tracking-firefox6: - → ---
Depends on: 583948
Neil, any thoughts here?

Updated

6 years ago
status-firefox5: --- → fixed
status-firefox6: --- → fixed
status-firefox7: --- → fixed
tracking-firefox6: --- → -
tracking-firefox7: --- → -
Created attachment 537034 [details] [diff] [review]
1.9.2 patch

I'm unable to test this right now, but it should work.
Whiteboard: [sg:critical] → [sg:critical][needs 1.9.2 testing]
Attachment #537034 - Flags: feedback?(dveditz)

Comment 7

6 years ago
Neil, do you have time to test the fix today?
No, I can no longer build 1.9.2
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

This patch fixes the crash in my debug Mac 3.6.18pre build.
Attachment #537034 - Flags: feedback?(dveditz) → feedback+
Comment on attachment 537034 [details] [diff] [review]
1.9.2 patch

Approved for 1.9.2.18, a=dveditz
Attachment #537034 - Flags: approval1.9.2.18+
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2f84a687522f
status1.9.2: wanted → .18-fixed
status-firefox5: fixed → unaffected
status-firefox6: fixed → unaffected
status-firefox7: fixed → unaffected
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 12

6 years ago
The PoC looks password protected, can you unclassify it please?
(Reporter)

Comment 13

6 years ago
Password is ZDI-CAN-1203
Verified fixed in 1.9.2.18 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110613 Firefox/3.6.18) with PoC. Both XUL files cleanly crash in 1.9.1.17 but are fine post-fix.
Keywords: verified1.9.2
Alias: CVE-2011-0085
Group: core-security