• This repository has been archived on 27/Dec/2023
  • Stars
    star
    228
  • Rank 175,267 (Top 4 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created over 5 years ago
  • Updated almost 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Exploit for CVE-2019-9810 Firefox on Windows 64-bit.

CVE-2019-9810 Exploit for Firefox on Windows

CVE-2019-9810 is a vulnerability that has been found and exploited at Pwn2Own 2019 by Richard Zhu and Amat Cama. It affects Mozilla's JavaScript engine, Spidermonkey and was used to achieve renderer compromise.

The issue has been fixed in mfsa2019-09 about two months ago.

Overview of the issue

In a nutshell the bug allows for a check bounds to be found redundant and optimized away allowing code to access out of bounds memory. The issue itself lies in the Alias Analysis pass of Ion's pipeline. The below picture highlights the consequence of the bug in the GVN optimization (bounds check being optimized away) pass and serves as a good summary if this is what you are looking for:

summary

If you want to know more about it though, I would recommend to have a look at A journey into IonMonkey: root-causing CVE-2019-9810.

Organization

The repository contains the exploit code as well as a bunch of tools that I had previously developed for my blazefox exploits. I have just brushed them up and made them work with BigInt. As a result, the exploit assumes that the support for BigInt is turned on in Firefox which you can do by toggling javascript.options.bigint in about:config.

bigint

The exploit has been tested against Windows RS5 64-bit and it targets a custom build of Firefox so don't be surprised if a bit of work is required to make it work elsewhere :). However, if you just feel like running the exploit without compiling anything, I prepared a packaged browser that I uploaded in release/firefox-68.0a1.en-US.win64.7z. It also includes the js.exe shell as well as private symbol information for js.exe, firefox.exe and xul.dll.

The exploitation process works very similarly than in my previous kaizen.js exploit as mentioned above. It dispatches execution on the ReflectiveLoader of a reflective dll that implements the payload:

  1. If the payload detects that it is invoked by js.exe, it simply spams stdout with PWN, spawns a calculator and exits.
  2. If it is run from the browser, it starts by injecting itself into other Firefox.exe processes. To achieve that, the Javascript exploit passes a pointer to the reflective dll copy, and the reflective dll maps it in the other processes. Once this is accomplished, it creates a remote thread on the reflective loader and takes a nap. The reason for that is that the exploit is pretty dirty in its current state and doesn't implement process continuation. Altough, at this point I don't think it would be a lot of work. Maybe I'll get around of do it :-).
  3. When the payload gets executed from other Firefox.exe's, it inline-hooks the xul!nsJSUtils::ExecutionContext::Compile function. This function gets executed when scripts need to be evaluated by the JavaScript engine; so this sounded like a good enough candidate for what I wanted to do. The hooked version simply prepends an arbitrary JavaScript payload of our choice.
  4. When the hook is placed, it simply returns. At this point, the other origins have had arbitrary JavaScript injected in them. The payload I use is simply to change the background image of those origins by the Diary of a reverse-engineer theme picture, as well as redirecting every links to the blog :).

In reality, there are a bunch of more subtle details that are not described by the above and so if you are interested you are invited to go find the truth and read the sources :).

Building the payload

To build the payload, you just have to run nmake from a VS 2017 x64 prompt.

CVE-2019-9810\payload>nmake

Microsoft (R) Program Maintenance Utility Version 14.16.27027.1
Copyright (C) Microsoft Corporation.  All rights reserved.

        ml64 /c src\trampoline.asm
Microsoft (R) Macro Assembler (x64) Version 14.16.27027.1
Copyright (C) Microsoft Corporation.  All rights reserved.

 Assembling: src\trampoline.asm
        if not exist .\bin mkdir bin
        type injected-script.js > src\injected-script.h
        cl /O1 /nologo /W3 /D_AMD64_ /DWIN_X64 /DREFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN /Febin\payload.dll src\ReflectiveLoader.c src\ReflectiveDll.cc trampoline.obj /link /DLL /nologo /debug:full /PDBALTPATH:%_PDB%
ReflectiveLoader.c
Generating Code...
Compiling...
ReflectiveDll.cc
Generating Code...
   Creating library bin\payload.lib and object bin\payload.exp
        python jsify_payload.py bin\payload.dll
        move payload.js ..
        1 file(s) moved.
        del *.obj
        del src\injected-script.h
        if exist .\bin del bin\*.exp bin\*.ilk bin\*.lib

This creates a payload.dll / payload.pdb file inside the payload\bin directory. As well as a JavaScript file called payload.js which embeds the dll inside an Uint8Array with the offset to the loader.

Building Firefox

I wrote this exploit against a local Windows build synchronized to the following revision id: 2abb636ad481768b7c88619080cf224b2c266b2d (if you don't feel like building it yourself, I've uploaded my build here: release/firefox-68.0a1.en-US.win64.7z):

$ hg --debug id -i
2abb636ad481768b7c88619080cf224b2c266b2d

And I have used the following mozconfig file:

. "$topsrcdir/browser/config/mozconfigs/win64/common-win64"

ac_add_options --disable-crashreporter
ac_add_options --enable-debug-symbols

. "$topsrcdir/build/mozconfig.clang-cl"
. "$topsrcdir/build/mozconfig.lld-link"

# Use the clang version in .mozbuild
CLANG_LIB_DIR="$(cd ~/.mozbuild/clang/lib/clang/*/lib/windows && pwd)"
export LIB=$LIB:$CLANG_LIB_DIR

ac_add_options --enable-js-shell
ac_add_options --enable-jitspew
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-ff64

Discussion

Although it was fine for my purpose, I am unsure xul!nsJSUtils::ExecutionContext::Compile is the perfect function for inserting arbitrary scripts. I am sure spending more time understanding a bit how works the xul front-end one could come up with a better hooking point.

Another couple of avenues that I discovered after writing the exploit are discussed in this bugzilla entry: 982974 (System principal for the JavaScript interpreter and security.turn_off_all_security_so_that_viruses_can_take_over_this_computer). It would be interesting to see how much of it is still relevant to Firefox today.

Maybe somebody already researched this subject and I completely missed it. In any case, feel free to ping me with any feedback!

Another interesting thing would be to explore if there any way to have a persistence mechanism with in the browser. I haven't researched this area at all but that would be pretty cool :).

More Repositories

1

rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
C++
1,804
star
2

wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
C++
1,472
star
3

CVE-2021-31166

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
Python
824
star
4

CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
JavaScript
617
star
5

stuffz

Basically a script thrift shop
C
589
star
6

windbg-scripts

A bunch of JavaScript extensions for WinDbg.
JavaScript
315
star
7

CVE-2022-21971

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability"
Rich Text Format
306
star
8

clairvoyance

Visualize the virtual address space of a Windows process on a Hilbert curve.
C++
294
star
9

z3-playground

A repository to store Z3-python scripts you can use as examples, reminders, whatever.
Python
273
star
10

CVE-2021-24086

Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.
Python
232
star
11

CVE-2021-28476

PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.
C
217
star
12

udmp-parser

A Cross-Platform C++ parser library for Windows user minidumps with Python 3 bindings.
C++
193
star
13

kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
C++
193
star
14

blazefox

Blazefox exploits for Windows 10 RS5 64-bit.
C++
148
star
15

symbolizer

A fast execution trace symbolizer for Windows.
C++
130
star
16

zenith

Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021.
Python
121
star
17

sic

Enumerate user mode shared memory mappings on Windows.
C
114
star
18

ollydbg2-python

Scripting OllyDBG2 using Python is now possible!
C++
110
star
19

snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
Rust
110
star
20

rp-bf.rs

rp-bf: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump
Rust
110
star
21

fuzzing-ida75

Repository of the findings found by wtf when fuzzing IDA75.
86
star
22

paracosme

Paracosme is a zero-click remote memory corruption exploit that compromises ICONICS Genesis64 which was demonstrated successfully on stage during the Pwn2Own Miami 2022 competition.
Python
86
star
23

symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
Rust
84
star
24

CVE-2022-28281

PoC for CVE-2022-28281 a Mozilla Firefox Out of bounds write.
HTML
74
star
25

lockmem

This utility allows you to lock every available memory regions of an arbitrary process into its working set.
C++
66
star
26

pywinhv

Python bindings for the Microsoft Hypervisor Platform APIs.
Python
66
star
27

CVE-2022-21974

PoC for CVE-2022-21974 "Roaming Security Rights Management Services Remote Code Execution Vulnerability"
Rich Text Format
58
star
28

pwn2own2023-miami

Writeups, PoCs of the bugs I found while preparing for the Pwn2Own Miami 2023 contest targeting UaGateway from the OPC UA Server category.
C++
57
star
29

CVE-2021-32537

PoC for CVE-2021-32537: an out-of-bounds memory access that leads to pool corruption in the Windows kernel.
C++
57
star
30

j0llyDmpr

j0llydmper is a windows service that allows you to dump furtively and automaticaly some contents of USB disks just plugged in your computer. In order to dump potentialy interesting files, you can use a rule on the file name or/and on the file size.
C
40
star
31

udmp-parser-rs

A Rust crate for parsing Windows user minidumps.
Rust
40
star
32

inject

Yet another Windows DLL injector.
C++
38
star
33

kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
Rust
32
star
34

KEPaboo

Neutralize KEPServerEX anti-debugging techniques
C++
31
star
35

longue-vue

Longue vue is an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.
JavaScript
25
star
36

TV-Show-Downloader

Maybe you're a guy a bit like me -- who watch a lot of series -- so I guess you already know that downloading the latest episodes of all your favorites TV Shows is absolutely PAINFUL. I mean it, really. Thus, TVShow Downloader is a set of basic scripts (crontab + python script + bash script) designed to simplify my whole existence on this earth: I haven't to think about downloading my serie anymore \o/.
Python
21
star
37

teesee-calc

Visualize and compare total compensation (TC) packages over time.
HTML
11
star
38

dbgeng-rs

Rust binding for the dbgeng COM interfaces.
Rust
11
star
39

articles

Mirror of the different PDF articles I wrote
10
star
40

0vercl0k

5
star
41

gflags-rs

Utility that lets you interact with Microsoft Windows Global Flags and particularly PageHeap, made to learn Rust
Rust
4
star
42

addr-symbolizer-rs

A KISS Rust crate to symbolize function addresses using Windows PDB files
Rust
4
star
43

rp2s

3
star
44

result

Simple, tiny and readable implementation of a Rust like std::result type for C++.
1
star