milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)

shaver


In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.

Details

On Windows, Firefox 3.0.x and Firefox 3.5.x are terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code.

On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.

On Linux, the problem is similar to that on Mac: there is an abort in system libraries (pango, glib, libc). Due to the wide variation of Linux libraries and versions deployed, and different compilation options chosen by Linux distributors for Firefox, the details of the crash report may vary between machines.
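The Mac and Linux crashes above come down to a text library not checking the result of a very large allocation. As an added example (not Mozilla, Apple or pango code), the C helper below shows the defensive pattern the post recommends: the length policy, the size arithmetic and the allocation result are all checked, so a hostile string length yields an error status instead of a crash. The function names, the status codes and the length cap are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Outcome of an attempt to build a UTF-16 working buffer for a string. */
typedef enum { BUF_OK = 0, BUF_TOO_LARGE, BUF_OOM } buf_status;

/*
 * Allocate a UTF-16 scratch buffer for `nchars` code units plus a terminator.
 * The caller's length cap, the size arithmetic and the allocation result are
 * all checked, so an attacker-chosen length can only produce an error status,
 * never a write through a NULL or wrapped pointer.
 * (Hypothetical helper written for this page; not Mozilla, Apple or pango code.)
 */
buf_status alloc_utf16_buffer(size_t nchars, size_t max_chars, uint16_t **out)
{
    *out = NULL;
    if (nchars > max_chars)                        /* policy cap per text run */
        return BUF_TOO_LARGE;
    if (nchars > SIZE_MAX / sizeof(uint16_t) - 1)  /* (nchars + 1) * 2 would wrap */
        return BUF_TOO_LARGE;
    size_t bytes = (nchars + 1) * sizeof(uint16_t);
    uint16_t *buf = malloc(bytes);
    if (buf == NULL)                               /* the check the reports say is missing */
        return BUF_OOM;
    buf[nchars] = 0;
    *out = buf;
    return BUF_OK;
}

/*
 * Build a string of `nchars` copies of `unit` (a stand-in for the very long
 * Unicode string in the reports), touch it, free it and report the status.
 * A caller that receives BUF_TOO_LARGE or BUF_OOM can refuse to lay out the
 * text instead of taking the whole process down.
 */
buf_status probe_repeated(uint16_t unit, size_t nchars, size_t max_chars)
{
    uint16_t *buf;
    buf_status st = alloc_utf16_buffer(nchars, max_chars, &buf);
    if (st != BUF_OK)
        return st;
    for (size_t i = 0; i < nchars; i++)
        buf[i] = unit;
    free(buf);
    return BUF_OK;
}
```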

As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.

[Updated (July 19, 8:50pm EDT): thanks to Larry Seltzer for bringing to our attention that Firefox 3.5.x will indeed still crash using the provided PoC on Windows, at least for some users.]

[Updated (July 20, 8:50am EDT): the SecurityFocus report has been updated to indicate that it is only a denial of service issue. This is consistent with our analysis; thanks to SecurityFocus for correcting their error.]

[Updated (July 20, 9:15am EDT): added results for Linux, thanks to Kevin Brosnan.]

Mike Shaver
VP Engineering, Mozilla Corporation

16 responses

  1. Larry Seltzer wrote:

    >> In Firefox 3.5.x on Windows, the allocations are more robustly checked and no crash will result.

    I definitely saw my own Firefox crash on Vista SP2.

    Details:
    Add-ons: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10,{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,jsdeobfuscator@adblockplus.org:1.5.4,longurlplease@darragh.curran:0.4.1,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1
    BuildID: 20090715094852
    CrashTime: 1248047349
    Email: larry@larryseltzer.com
    InstallTime: 1247790894
    ProductName: Firefox
    SecondsSinceLastCrash: 33800
    StartupTime: 1248013565
    Theme: abstractPCNightly
    Throttleable: 1
    URL: http://web1.rs.ziffdavisinternet.com/cgi-bin/mt/mt.cgi?__mode=list_comment&blog_id=36
    Vendor: Mozilla
    Version: 3.5.1

    This report also contains technical information about the state of the application when it crashed.

  2. Eddy Nigg wrote:

    What about Linux?

  3. shaver wrote:

    Larry: that is very interesting! Could you test in safe mode, and see if it still crashes? Also, did you submit that via the Mozilla Crash Reporter? If so, please mail me the entry ID from about:crashes (I’m shaver@mozilla.com) – thanks!

    Eddy: would depend on the details of the Linux in question, likely: which specific GTK/X/etc. versions were in place, oom-killer policy, who knows what else. Recommend that vendors test with the configurations they ship (virtually always different from ours) to see what the effects are.

  4. Epicanis wrote:

    How does it behave on Linux?

  5. sfd wrote:

    Thanks for the clarification.

  6. Adam M. wrote:

    On Debian with GNOME, firefox 3.0.9 doesn’t crash. It just stops responding normally, using 100% CPU and keeps allocating memory. Then it gets killed by OOM (Out of Memory) kernel killer.

    Upon restart, the session is restored and it reloads the sample exploit. It is possible to close the page in question prior to OOM condition.

  7. cat wrote:

    This post is about this > http://www.malwarebytes.org/forums/index.php?showtopic=19644 right?

    Could you please clarify if it is safe to enable JavaScript in FF 3.5.1? I read your post and decided it was, until I read the edit re FF crashing on PoC on Windows and now I’m confused. (The edit and the details of Larry Seltzer’s comment go way above my head, so I just want to be sure).

    Thanks. :)

  8. buzza wrote:

    Yes, nice to know that Mozilla is kind enough to test Firefox ON Linux (NOT). Yet another reason why I can’t wait for Chrome to become better.

  9. Freezer wrote:

    Oh please! It doesn’t convince me. I’m a layman and a diehard Firefox user and I would expect you to fix it instead of saying it isn’t malicious. Please fix it because I like FF so much.

  10. Daniel Veditz wrote:

    We’re saying it isn’t malicious because press reports are spreading incorrect information and scaring people.

  11. Larry Seltzer wrote:

    I’ve followed up on this on Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=504342)

  12. Transcontinental wrote:

    I’m not saying this is, but I assume it could be now or it may be one day: as the browsers’ war is becoming tougher, as Firefox is gaining more and more users as popularity, assertions of insecurity will rise based on the slightest cough. This is still our world: do it, should it be by all means.
    Firefox has always been and remains the leader in terms of security and privacy, patches are issued quickly, but let not the fact of transparency blind us to an insecurity which would not be the case of other browsers’ because of opacity in publication of flaws.
    I remain puzzled to observe how some bloggers shoot – or try to shoot – a browser on the first opportunity they have. Future is that of fairness and fraternity, also because common problems concern all, browsers included.
    I remain A Firefox user, not only for the browser I experiment 16 hours a day as secure, fast, stable, but also as an admirer of the Mozilla philosophy.

  13. Michael Lefevre wrote:

    @Freezer: I’m sure they are not saying it isn’t malicious instead of fixing it. They are saying it isn’t malicious as well as fixing it (but I guess that will happen in one of the future regular updates, rather than having a special release just to fix this).

    It’s an unfortunate fact that there are dozens of ways for web pages to crash or hang Firefox. The same applies to all other browsers. Which is why IE, Chrome, and in future Firefox, are putting different pages in different processes, so you only lose the one that has crashed.

  14. cat wrote:

    I’ve read this post and the update to Security First. I’ve also read this article: http://www.theregister.co.uk/2009/07/20/firefox_flaw/

    This paragraph concerns me:

    “Reports by security researchers at the Internet Storm Centre (here) and elsewhere suggest the flaw might lend itself to code injection. Worse still, proof of concept code has been published; a development that normally reduces the odds on whether hacking attacks might follow.”

    To me (a lay person) this reads that it is a vulnerability and it is only a matter of time before this could become a security risk. Correct me if my interpretation is wrong. I would hope that Mozilla issues a priority patch asap in view of this. It is the swift correcting of actual and potential security issues that makes FF my preferred browser.

  15. mercohaulic wrote:

    Anyone know about this:
    http://www.securityfocus.com/advisories/17380

    States that Mozilla Firefox has multiple vulnerabilities not found in versions 3.5 and 3.0.12.
    So I’m guessing that the others are, and we should patch them to either of these versions?

  16. Adam wrote:

    http://milw0rm.com/exploits/9247

    The above link contains the full POC code for an exploit based on Firefox 3.5

    I am not happy that Mozilla have brushed this one off as it is a *serious* vulnerability and I am not aware of any patches being released.