Mozilla Firefox mChannel Use After Free (Aug 19, 2011)

Mozilla Firefox is a web browser developed by the Mozilla Foundation. Firefox renders many kinds of content, including HTML, XML, XUL, JavaScript, and popular media formats, and is distributed for all major platforms, such as Windows, Apple, and Linux. The Cross Platform Component Object Model (XPCOM) is a component-oriented software framework produced by the Mozilla Foundation; it is similar to Microsoft's Component Object Model (COM). Mozilla's Gecko layout engine is XPCOM based, as is the DOM implementation. XPCOM has many language bindings and can be accessed from JavaScript. All XPCOM interfaces inherit from the base interface nsISupports, which has the following methods:

 nsrefcnt AddRef();
 void QueryInterface(in nsIIDRef uuid, [iid_is(uuid), retval] out nsQIResult result);
 nsrefcnt Release();

The QueryInterface method is used for type discovery and acts as a type cast: given an interface ID, it returns a pointer to that interface on the same object. The following JavaScript obtains an object implementing the nsIChannelEventSink interface:

 obj.QueryInterface(Components.interfaces.nsIChannelEventSink) 

The nsIChannelEventSink interface provides the following methods:

 void asyncOnChannelRedirect(in nsIChannel oldChannel,           // Firefox 4+
                             in nsIChannel newChannel,
                             in unsigned long flags,
                             in nsIAsyncVerifyRedirectCallback callback);
 void onChannelRedirect(in nsIChannel oldChannel,
                        in nsIChannel newChannel,
                        in unsigned long flags);

The asyncOnChannelRedirect method is an asynchronous replacement for onChannelRedirect. These methods are called when a channel redirect occurs, for example one triggered by a 3xx HTTP status code. The onChannelRedirect implementation for HTML objects contains a use after free flaw.
To exploit this vulnerability, a remote attacker would have to entice the target user into opening a crafted web page. Successful exploitation could allow the attacker to execute arbitrary code on the vulnerable system in the security context of the browser; an unsuccessful attempt could result in abnormal termination of the browser. Use after free vulnerabilities are generally difficult to exploit reliably for code execution, so the most likely outcome of an attack attempt is a browser crash.
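The nsISupports contract described above (AddRef/Release managing lifetime, QueryInterface doing type discovery) is what a use after free violates: an object's reference count reaches zero and it is destroyed while a caller still holds a pointer to it. The following is an added JavaScript model written for this page, not Firefox code; the IID strings, class names, and the XpcomObject/RedirectSink/lifecycle helpers are constructed stand-ins that simulate the contract and flag any use after the count hits zero.

```javascript
// Constructed model of the nsISupports contract: AddRef/Release manage lifetime,
// QueryInterface performs type discovery. IIDs and classes are stand-ins, not
// Firefox's real XPCOM identifiers.
const NS_ERROR_NO_INTERFACE = "NS_ERROR_NO_INTERFACE";
const Ci = { nsISupports: "iid:nsISupports", nsIChannelEventSink: "iid:nsIChannelEventSink" };

class XpcomObject {
  constructor(interfaces) {
    this.interfaces = new Set([Ci.nsISupports, ...interfaces]);
    this.refcnt = 1;       // the creator holds the first reference
    this.freed = false;
  }
  checkAlive() { if (this.freed) throw new Error("use after free: object already destroyed"); }
  AddRef() { this.checkAlive(); return ++this.refcnt; }
  Release() {
    this.checkAlive();
    this.refcnt -= 1;
    if (this.refcnt === 0) this.freed = true;   // destructor runs; remaining pointers dangle
    return this.refcnt;
  }
  QueryInterface(iid) {
    this.checkAlive();
    if (!this.interfaces.has(iid)) throw new Error(NS_ERROR_NO_INTERFACE);
    this.AddRef();         // QueryInterface hands out an owning reference
    return this;
  }
}

// Sink implementing nsIChannelEventSink; records each redirect it is told about.
class RedirectSink extends XpcomObject {
  constructor() { super([Ci.nsIChannelEventSink]); this.redirects = []; }
  onChannelRedirect(oldChannel, newChannel, flags) {
    this.checkAlive();
    this.redirects.push({ oldChannel, newChannel, flags });
  }
}

// Walks one lifecycle and returns what happened at each step as data, so the
// contract (and the exact point a use after free becomes visible) can be checked.
function lifecycle() {
  const sink = new RedirectSink();
  const steps = {};
  const asSink = sink.QueryInterface(Ci.nsIChannelEventSink);   // type discovery succeeds
  steps.refcntAfterQI = sink.refcnt;                             // creator + QI holder = 2
  try { sink.QueryInterface("iid:nsIUnrelated"); } catch (e) { steps.badQI = e.message; }
  asSink.onChannelRedirect("http://old.example/", "http://new.example/", 0);
  steps.redirectsSeen = sink.redirects.length;
  sink.Release();                                                // creator lets go
  steps.refcntAfterReleases = asSink.Release();                  // last owner lets go -> 0
  try { asSink.onChannelRedirect("x", "y", 0); } catch (e) { steps.afterFree = e.message; }
  return steps;
}
```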

SonicWALL has released the following IPS signature to address this threat:

  • 1497 – Mozilla Firefox onChannelRedirect Method Invocation

Additionally, SonicWALL has multiple existing IPS signatures that detect and block suspected heap spray methods, which would most likely be used in attacks targeting this type of vulnerability. These signatures serve as a proactive defense against the most popular HTML-based attacks.

This vulnerability has been assigned CVE-2011-0065 by MITRE.
The vendor has released an advisory addressing this issue.
