0vercl0k / CVE-2019-11708, Hacker News
This is a full browser compromise exploit chain (CVE-2019-11708 & CVE-2019-9810) targeting Firefox on Windows 64-bit. It uses CVE-2019-9810 for getting code execution in both the content process as well as the parent process, and CVE-2019-11708 to trick the parent process into browsing to an arbitrary URL.

I have covered CVE-2019-9810's root-cause and exploitation in the past in the A journey into IonMonkey: root-causing CVE-2019-9810 article and in the associated github repository.

CVE-2019-11708 has been fixed by the Mozilla security bulletin (mfsa) and was assigned Bug 1559858 in the Mozilla bug tracker. Here is the summary of the issue:

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

You can find the commit addressing the issue here: Clean up prompt open calls in Prompter.jsm.
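The bug class above (a parent process acting on unvetted fields of an IPC message from a sandboxed child) is easy to model. The following is an added illustration written for this page, not Firefox's Prompter.jsm or the actual fix: a hypothetical parent-side handler that trusts the child's `uri` field, next to a hardened one where the child may only select a prompt type and the parent maps it to a document it owns. The message shape, field names and the chrome URL are constructed assumptions.

```javascript
// Hypothetical model of a parent-process handler for a child-sent
// "Prompt:Open" message. Added example; names and fields are assumptions,
// not Firefox's real IPC API.

// Documents the parent is willing to load as prompts. The parent owns this
// table; the child can only pick a key, never supply a URL of its own.
const PROMPT_DOCUMENTS = {
  alert: "chrome://global/content/commonDialog.xhtml",   // constructed entry
  confirm: "chrome://global/content/commonDialog.xhtml", // constructed entry
};

// Simulated "open a window in the parent" primitive. It returns what it
// would have opened so the behaviour is observable without a real browser.
function openWindowInParent(uri) {
  return { opened: uri };
}

// Weak handler: every field of the message is trusted, so a compromised
// child process decides which document the unsandboxed parent loads.
function handlePromptOpenWeak(msg) {
  return openWindowInParent(msg.data.uri);
}

// Hardened handler: type-check the message, ignore any child-supplied
// location, and resolve the target from the parent-owned table only.
function handlePromptOpenHardened(msg) {
  const data = msg && msg.data;
  if (!data || typeof data !== "object") {
    throw new TypeError("Prompt:Open: malformed message data");
  }
  if (typeof data.promptType !== "string") {
    throw new TypeError("Prompt:Open: promptType must be a string");
  }
  // Object.hasOwn avoids matching inherited names such as "constructor".
  if (!Object.hasOwn(PROMPT_DOCUMENTS, data.promptType)) {
    throw new Error(`Prompt:Open: unknown promptType ${data.promptType}`);
  }
  // data.uri, if present, is deliberately never consulted.
  return openWindowInParent(PROMPT_DOCUMENTS[data.promptType]);
}

// Constructed message as a compromised child might send it: a valid
// promptType alongside a location the parent should never honour.
const SAMPLE_MESSAGE = {
  name: "Prompt:Open",
  data: { promptType: "alert", uri: "http://example.invalid/" },
};
```

Running `handlePromptOpenWeak(SAMPLE_MESSAGE)` opens the child-chosen location, while the hardened handler opens only the parent's own dialog document for the same message.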

Overview of the issue

A full write-up of the issue as well as the techniques used in the exploit will be described in an upcoming article on doar-e.github.io.

Organization

The exploit has been tested against Windows (H2) 64-bit and it targets a custom build of Firefox, so don't be surprised if a bit of work is required to make it work elsewhere :).

The exploit assumes that support for BigInt is turned on in Firefox, which you can do by toggling javascript.options.bigint in about:config.


The exploitation process uses a data corruption to gain privileged JS execution, aka God Mode (which is basically an implementation of a technique used in Pwn2Own 2014 by Jüri Aedla), which is very different (and much more convenient) from the way I had exploited CVE-2019-9810. This means that there is no control-flow getting hijacked during the exploit chain.

The exploit uses CVE-2019-9810 to perform the God Mode data corruption and refreshes the current page. Once it can execute privileged JS, it finds the current frame message manager and triggers CVE-2019-11708.

Now that the parent process visited our arbitrary page, we exploit CVE-2019-9810 again and get privileged JS execution there as well.

At this point the entire browser (sandbox included) is compromised. The first stage is to download and drop a local payload dubbed slimeshady.exe that you can find in payload/ which draws a bunch of animated Slim Shady sprites on the desktop with GDI. The exploit also drops and injects a frame script (privileged JS) in every tab to backdoor the whole navigation (already created tabs as well as newly created ones). The tab backdooring is similar to CVE-2019-9810/payload in effect (arbitrary JS injected in every tab), but this time it is implemented using a Firefox feature (Services.mm.loadFrameScript) instead of hacky and dirty hooks.

Building the payload

To build the payload, you just have to run nmake from a VS (x64) prompt.

```
CVE-2019-11708\payload>nmake

Microsoft (R) Program Maintenance Utility Version 16.x.x.0
Copyright (C) Microsoft Corporation.  All rights reserved.

        taskkill /f /im payload.exe
ERROR: The process "payload.exe" not found.
        if not exist .\bin mkdir bin
        python src\genheaders.py sprites
        cl /O1 /nologo /ZI /W3 /D_AMD_ /DWIN_X /sdl /Febin\payload.exe src\payload.cc /link /nologo /debug:full user 45 .lib
payload.cc
        del *.obj *.pdb *.idb
        if exist .\bin del bin\*.exp bin\*.ilk bin\*.lib
        start .\bin\payload.exe
```

This creates a payload.exe / payload.pdb file inside the payload\bin directory.

Building Firefox

I wrote this exploit against a local Windows build synchronized to a specific revision id, as reported by the following command (the hash itself is not reproduced here):

```
$ hg --debug id -i
```

And I have used the following mozconfig file:

```
. "$topsrcdir/browser/config/mozconfigs/win/common-win72"
ac_add_options --disable-crashreporter
ac_add_options --enable-debug-symbols
. "$topsrcdir/build/mozconfig.clang-cl"
. "$topsrcdir/build/mozconfig.lld-link"
# Use the clang version in .mozbuild
CLANG_LIB_DIR="$(cd ~/.mozbuild/clang/lib/clang/*/lib/windows && pwd)"
export LIB=$LIB:$CLANG_LIB_DIR
ac_add_options --enable-js-shell
ac_add_options --enable-jitspew
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-ff72
```
