This is a full browser-compromise exploit chain (CVE-…-… & CVE-…-…) targeting Firefox on Windows (…-bit). It uses CVE-…-9810 to get code execution in both the content process and the parent process, and CVE-…-… to trick the parent process into browsing to an arbitrary URL.
I have covered CVE-…-…'s root cause and exploitation in the past in the "A journey into IonMonkey: root-causing CVE-…-…" article and in the associated github repository.
CVE-…-… has been fixed by the bulletin mfsa…-… and was assigned Bug … in the Mozilla bug tracker. Here is the summary of the issue:
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
You can find the commit addressing the issue here: "Clean up prompt open calls in Prompter.jsm".
A full write-up of the issue, as well as the techniques used in the exploit, will be described in an upcoming article on doar-e.github.io.
To build the payload, you just have to run `nmake` from a VS (x…) prompt:

```
CVE-2019-…-payload>nmake

Microsoft (R) Program Maintenance Utility Version 16.….…….0
Copyright (C) Microsoft Corporation.  All rights reserved.

        taskkill /f /im payload.exe
ERROR: The process "payload.exe" not found.
        if not exist .\bin mkdir bin
        python src\genheaders.py sprites
        cl /O1 /nologo /ZI /W3 /D_AMD…_ /DWIN_X… /sdl /Fe.\bin\payload.exe src\payload.cc /link /nologo /debug:full user 45 .lib payload.cc
        del *.obj *.pdb *.idb
        if exist .\bin del .\bin\*.exp .\bin\*.ilk .\bin\*.lib
        start .\bin\payload.exe
```
This creates the `payload.exe` / `payload.pdb` files inside the `payload\bin` directory.
Building Firefox
I wrote this exploit against a local Windows build synchronized to the following revision id: 2abb…ad…b7c…cf…b2c…b2d

```
$ hg --debug id -i
2abb…ad…b7c…cf…b2c…b2d
```
And I have used the following `mozconfig` file:

```
. "$topsrcdir/browser/config/mozconfigs/win/common-win72"
ac_add_options --disable-crashreporter
ac_add_options --enable-debug-symbols
. "$topsrcdir/build/mozconfig.clang-cl"
. "$topsrcdir/build/mozconfig.lld-link"
# Use the clang version in .mozbuild
CLANG_LIB_DIR="$(cd ~/.mozbuild/clang/lib/clang/*/lib/windows && pwd)"
export LIB=$LIB:$CLANG_LIB_DIR
ac_add_options --enable-js-shell
ac_add_options --enable-jitspew
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-ff72
```