Closed Bug 735104 Opened 8 years ago Closed 8 years ago

Array toString Remote Code Execution (ZDI-CAN-1549)

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
normal


RESOLVED DUPLICATE of bug 720079

People

(Reporter: dveditz, Unassigned)

Details

(Whiteboard: [sg:dupe 720079])

Attachments

(1 file)

ZDI-CAN-1549: Mozilla Firefox Array toString Remote Code Execution Vulnerability


-- CVSS -----------------------------------------

9, AV:N/AC:L/Au:N/C:P/I:P/A:C


-- ABSTRACT -------------------------------------

TippingPoint has identified a vulnerability affecting the following
products:

  Mozilla Firefox


-- VULNERABILITY DETAILS ------------------------

/*
js/src/jsarray.cpp
array_join calls array_toString_sub
which has:
...
        const Value *beg = obj->getDenseArrayElements();
        const Value *end = beg + Min(length, obj->getDenseArrayInitializedLength());
        for (const Value *vp = beg; vp != end; ++vp) {
            if (!JS_CHECK_OPERATION_LIMIT(cx))
                return false;

            if (!vp->isMagic(JS_ARRAY_HOLE) && !vp->isNullOrUndefined()) {
                if (!ValueToStringBuffer(cx, *vp, sb))
                    return false;
            }
...
ValueToStringBuffer calls back into JavaScript using a toString function;
we can change the array from under it, without beg and end being
updated, and the GC will free them since they are not marked as in use.

Run in the JS shell! (Otherwise you need GC code and print code.)

*/

-- CREDIT ---------------------------------------

This vulnerability was discovered by:

   Vincenzo Iozzo
Attached file shell testcase
PoC from ZDI (not an exploit)
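The hazard described under VULNERABILITY DETAILS, modelled as an added C++ example that is not code from this bug, the ZDI advisory or SpiderMonkey: a join loop that caches element pointers across a toString() callback, beside an index-based loop that re-reads storage and bounds on every iteration. `DenseArray`, `truncate` and the `FREED` poisoning are assumptions standing in for the engine's dense storage and its GC, and the hardened loop is one safe shape, not the patch landed for bug 720079.

```cpp
#include <functional>
#include <string>
#include <vector>
enum Tag { NUM, HOLE, FREED };
struct Value { Tag tag; int num; };
struct DenseArray {                 // assumption: minimal model of the engine's dense array storage
    std::vector<Value> elems;       // live element storage, what getDenseArrayElements() points into
    std::vector<Value> quarantine;  // storage the modelled GC has freed: poisoned, never released
    const Value* getDenseArrayElements() const { return elems.data(); }
    std::size_t initializedLength() const { return elems.size(); }
    // Shrink to n elements in fresh storage; the old buffer goes to the GC model, which marks
    // every slot FREED so a stale read is observable here instead of being undefined behaviour.
    void truncate(std::size_t n) {
        std::vector<Value> kept(elems.begin(), elems.begin() + n);
        quarantine = std::move(elems);
        for (Value& v : quarantine) v = {FREED, 0};
        elems = std::move(kept);
    }
};
using Callback = std::function<void(DenseArray&)>;  // stands in for a script-defined toString()
// Shape of the loop quoted in the advisory: beg/end captured once, toString() invoked inside the
// loop. Returns how many element reads landed in freed storage (0 if the hazard was not hit).
int joinCachedPointers(DenseArray& obj, std::size_t length, const Callback& toString, std::string& out) {
    int staleReads = 0;
    const Value* beg = obj.getDenseArrayElements();
    const Value* end = beg + (length < obj.initializedLength() ? length : obj.initializedLength());
    for (const Value* vp = beg; vp != end; ++vp) {
        if (vp->tag == FREED) { ++staleReads; continue; }  // the use-after-free in the real engine
        if (vp->tag != HOLE) { out += std::to_string(vp->num); toString(obj); }
    }
    return staleReads;
}
// Hardened shape: index-based, bounds and storage re-read on every iteration, and the element
// copied out before any call that can re-enter script, so no pointer survives the callback.
int joinRecheck(DenseArray& obj, std::size_t length, const Callback& toString, std::string& out) {
    for (std::size_t i = 0; i < length && i < obj.initializedLength(); ++i) {
        const Value v = obj.getDenseArrayElements()[i];
        if (v.tag != HOLE) { out += std::to_string(v.num); toString(obj); }
    }
    return 0;
}
// Constructed scenario: [1,2,3,4].join() where the first toString() call shrinks the array to one element.
struct Demo { int stale; std::string out; };
Demo runDemo(bool cachePointers) {
    DenseArray a; for (int n = 1; n <= 4; ++n) a.elems.push_back({NUM, n});
    Callback shrinkOnce = [fired = false](DenseArray& arr) mutable { if (!fired) { fired = true; arr.truncate(1); } };
    Demo d{0, ""};
    d.stale = cachePointers ? joinCachedPointers(a, 4, shrinkOnce, d.out) : joinRecheck(a, 4, shrinkOnce, d.out);
    return d;
}
```

With pointers cached, the loop walks three slots the GC model has already freed; the re-checking loop stops after the first element because the array is now shorter.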
This is a blatant duplicate of bug 720079 and bug 720511.  As those are both fixed in all branches now, I don't think this affects 10.0.3 at all -- so, bonus, we precog-fixed this for the release tomorrow or thereabouts!

But.  Is there any reason whatsoever to believe the exploit wasn't cobbled together by looking at the trunk, aurora, beta, or even ESR (!) pushlogs?  At the very least I guess this is useful information for future bugfixing.  (So, how about that shadow-central thing again?  :-\ )
Whiteboard: [sg:critical]
According to bug 720079 comment 11, the regressing bug landed well after 1.9.2, so apparently 3.6.x should not be affected.
I verified that the test does not crash on central, aurora, beta and release (64-bit debug shells). Also tested 1.9.2, and it does not crash either.

ESR is pending as I need to clone it first.
Verified fixed also on ESR-10.
> Verified fixed also on ESR-10.

Also does not crash on ESR 10 tip changeset 046308ccc9e2 using 32-bit debug and opt shell on Mac OS X Lion.
> According to bug 720079 comment 11, the regressing bug landed well after
> 1.9.2, so apparently 3.6.x should not be affected.

Just to reiterate, the regressing bug is bug 587257, which landed in April 2011.

> I verified that the test does not crash on central, aurora, beta and release
> (64-bit debug shells). Also tested 1.9.2, and it does not crash either.

Also verified not to crash on mozilla-beta, mozilla-aurora and mozilla-central tip using 32-bit debug and opt js shells in Mac OS X Lion.
decoder DID check that the testcase crashed an old aurora build so we know the testcase went from crashing to fixed, and it's not just that we're running it differently than ZDI.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] → [sg:dupe 720079]
Duplicate of bug: 720079
Group: core-security