频道栏目
首页 > 安全 > 系统安全 > 正文
Firefox 0day (FBI Used in Child Porn Hunt)
2013-08-22 10:56:00      个评论      
收藏   我要投稿
昨天网上公开了一份关于firefox17版本(20.1)版本的0day 漏洞,该漏洞据传是FBI用于跟踪Tor网络里的用户,调查取证用的。

POC:

精简过的POC

\
(http://krash.in/ffn0day.txt)

Crash Info

 

This exception may be expected and handled.
eax=03992b18 ebx=093424b4 ecx=02e0aa2c edx=00000000 esi=0a256c80 edi=05685148
eip=f33ae938 esp=000b1cbc ebp=000b1cc8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
f33ae938 ??              ???
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
000b1cb8 02d006a7 03992b18 00000000 000b1ce4 0xf33ae938
000b1cc8 02d5bd49 03992b18 05685148 00000000 xul!nsDocumentViewer::Stop+0x5e [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\layout\base\nsdocumentviewer.cpp @ 1694]
000b1ce4 0314cd0e 093424b4 00000003 00000000 xul!nsDocShell::Stop+0x3e [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\docshell\base\nsdocshell.cpp @ 4631]
000b1cf8 0314cd18 093424b4 000b1d10 02dfb297 xul!nsGlobalWindow::Stop+0x47 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\dom\base\nsglobalwindow.cpp @ 5294] 
000b1d04 02dfb297 057a46c0 000b20c8 02bb7c67 xul!nsGlobalWindow::Stop+0x51 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\dom\base\nsglobalwindow.cpp @ 5295] 
000b1d10 02bb7c67 057a46c0 00000013 00000000 xul!NS_InvokeByIndex_P+0x27 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 71]
*** WARNING: Unable to verify checksum for C:\Program Files\Mozilla Firefox\mozjs.dll
000b20c8 0236d26e 0a255de0 00000000 066029b8 xul!XPC_WN_CallMethod+0x687 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1488]
000b2ac0 0236e143 0964d270 000b2ae8 0a255de0 mozjs!js::mjit::CallCompiler::generateNativeStub+0x3ee [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\methodjit\monoic.cpp @ 1078]
000b2ae0 0237293f 040051e0 056e6228 000b4158 mozjs!js::mjit::ic::NativeCall+0x33 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\methodjit\monoic.cpp @ 1331] 
000b2b30 022a5b41 0a255de0 06602978 07b8c320 mozjs!JaegerThrowpoline+0x2f
000b2b98 0229db7c 06602978 07b8c320 06620000 mozjs!js::mjit::EnterMethodJIT+0xd1 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\methodjit\methodjit.cpp @ 1041]
000b2bec 0229be76 0a255de0 000b2c30 06602978 mozjs!js::RunScript+0x18c [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 343]
000b2ca8 0229c2b3 0a255de0 00000000 06602960 mozjs!js::InvokeKernel+0x276 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 404]
000b2d08 022a59d1 0a255de0 000b2d30 000b2d4c mozjs!js::Invoke+0x153 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 437]
000b2d3c 02bb06d1 0a255de0 0df7a140 0df95500 mozjs!JS_CallFunctionValue+0x41 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsapi.cpp @ 5817]
000b2f9c 02df0db7 07e48cd0 0bbd8540 00000003 xul!nsXPCWrappedJSClass::CallMethod+0x481 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\xpconnect\src\xpcwrappedjsclass.cpp @ 1434]
000b2fc4 02dfb395 0bbd8540 00000003 056bb420 xul!nsXPCWrappedJS::CallMethod+0x47 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\xpconnect\src\xpcwrappedjs.cpp @ 580]
000b3084 02dfb409 08b78120 00000003 000b30ac xul!PrepareAndDispatch+0xfa [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 85]
000b30a0 02b9a93b 08b78120 09f425e0 0c7bb940 xul!SharedStub+0x16 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\reflect\xptcall\src\md\win32\xptcstubs.cpp @ 113]
000b30ec 02b9a74e 07271c90 07d0c800 0c7bb940 xul!nsEventListenerManager::HandleEventInternal+0x1bb [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventlistenermanager.cpp @ 990]

 

漏洞成因:

Iframe html页面加载时,会申请nsDocumentViewer对象,大小0xc8

 

text:02CF6362 ; tag_nsresult __cdecl NS_NewContentViewer(nsIContentViewer **aResult)
.text:02CF6362 ?NS_NewContentViewer@@YA?AW4tag_nsresult@@PAPAVnsIContentViewer@@@Z proc near
.text:02CF6362                                         ; CODE XREF: nsContentDLF::CreateDocument(char const *,nsIChannel *,nsILoadGroup *,nsISupports *,nsID const &,nsIStreamListener * *,nsIContentViewer * *)+68p
.text:02CF6362                                         ; nsContentDLF::CreateInstanceForDocument(nsISupports *,nsIDocument *,char const *,nsIContentViewer * *)+Dp ...
.text:02CF6362
.text:02CF6362 aResult         = dword ptr  4
.text:02CF6362
.text:02CF6362                 push    esi
.text:02CF6363                 push    edi
.text:02CF6364                 mov     edi, 0C8h
.text:02CF6369                 push    edi
.text:02CF636A                 call    ds:__imp__moz_xmalloc
.text:02CF6370                 mov     esi, eax
.text:02CF6372                 xor     eax, eax
.text:02CF6374                 pop     ecx
.text:02CF6375                 cmp     esi, eax
.text:02CF6377                 jz      short loc_2CF638C
.text:02CF6379                 push    edi             ; Size
.text:02CF637A                 push    eax             ; Val
.text:02CF637B                 push    esi             ; Dst
.text:02CF637C                 call    ds:__imp__memset
.text:02CF6382                 add     esp, 0Ch
.text:02CF6385                 mov     eax, esi
.text:02CF6387                 call    ??0nsDocumentViewer@@QAE@XZ ; nsDocumentViewer::nsDocumentViewer(void)

 

nsDocShell::SetupNewViewer 里面会设置唯一引用这个对象@1

 

.text:02CB645E loc_2CB645E:                            ; CODE XREF: nsDocShell::SetupNewViewer(nsIContentViewer *)+394j
.text:02CB645E                 mov     eax, [edi+160h]
.text:02CB6464                 mov     [edi+160h], esi
.text:02CB646A                 test    eax, eax
.text:02CB646C                 jnz     loc_2E619DB

 

\

POC调用addEventListener 增加readystatechange事件回调,当页面发生变化时即会调用 a 函数。

Window.stop

A函数首先调用windows.stop函数

windows.stop触发js
xul!nsGlobalWindow::Stop ==> xul!nsDocShell::Stop ===> xul!nsDocumentViewer::Stop
的调用流程

同时将nsDocumentViewer通过堆栈参数进行传递

 

.text:02D00649 ; tag_nsresult __stdcall nsDocumentViewer__Stop(nsDocumentViewer *this) 
.text:02D00649 ?Stop@nsDocumentViewer@@UAG?AW4tag_nsresult@@XZ proc near
.text:02D00649                                         ; DATA XREF: .rdata:039BCA04o
.text:02D00649
.text:02D00649 shellDeathGrip  = nsCOMPtr ptr  8
.text:02D00649
.text:02D00649                 push    ebp
.text:02D0064A                 mov     ebp, esp
.text:02D0064C                 push    esi
.text:02D0064D                 mov     esi, [ebp+shellDeathGrip.baseclass_0.mRawPtr]
.text:02D00650                 mov     ecx, [esi+28h]
.text:02D00653                 test    ecx, ecx
.text:02D00655                 jz      short loc_2D0065F
.text:02D00657                 mov     eax, [ecx]
.text:02D00659                 call    dword ptr [eax+2E4h]

 

nsDocumentViewer__Stop函数会调用xul!nsHTMLDocument::StopDocumentLoad的调用
里面会触发之前注册的事件回调的调用,堆栈见如下

 

eax=07a42650 ebx=0012a758 ecx=0012a75c edx=0012a744 esi=09125800 edi=06eab880
eip=02b9a780 esp=0012a6a0 ebp=09126800 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
xul!nsEventListenerManager::HandleEventInternal:
02b9a780 55              push    ebp
0:000> kb
ChildEBP RetAddr  Args to Child
0012a69c 02b9a74e 07a42650 09126800 06eab880 xul!nsEventListenerManager::HandleEventInternal [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventlistenermanager.cpp @ 940]
0012a6cc 02b9a4c1 0012a750 06eab800 0012a744 xul!nsEventTargetChainItem::HandleEvent+0xde [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventdispatcher.cpp @ 188]
0012a6f8 02b99e37 09125800 00000000 00000000 xul!nsEventTargetChainItem::HandleEventTargetChain+0xe1 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventdispatcher.cpp @ 315]
0012a794 02b6582c 09125800 09126800 06eab880 xul!nsEventDispatcher::Dispatch+0x247 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventdispatcher.cpp @ 681]
0012a7cc 02c824ab 0012a848 02b53f3a 09125800 xul!nsEventDispatcher::DispatchDOMEvent+0x6c [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\events\src\nseventdispatcher.cpp @ 739]
0012a818 02b754ba 09125800 06eac160 02c82578 xul!GetEventAndTarget+0x11b [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nscontentutils.cpp @ 3471]
0012a890 02cd52d8 00000003 02cd5392 00000001 xul!nsAString_internal::Assign+0x1aa [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\string\src\nstsubstring.cpp @ 386]
0012a898 02cd5392 00000001 09146f14 00000000 xul!nsContentSink::DidBuildModelImpl+0x11 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nscontentsink.cpp @ 1454]
0012a8b0 0314513c 0406e370 00000001 05685148 xul!nsHtml5TreeOpExecutor::DidBuildModel+0x6f [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\parser\html\nshtml5treeopexecutor.cpp @ 146]
0012a8d0 02e490db 0406e300 0ae703d0 02d0065f xul!nsHtml5Parser::Terminate+0x56 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\parser\html\nshtml5parser.cpp @ 493]
0012a8e8 02d5bd49 0ae703d0 05685148 00000000 xul!nsHTMLDocument::StopDocumentLoad+0x18b87d [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 871]
0012a904 0314cd0e 08d638b4 00000003 00000000 xul!nsDocShell::Stop+0x3e [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\docshell\base\nsdocshell.cpp @ 4631]
0012a918 0314cd18 08d638b4 0012a930 02dfb297 xul!nsGlobalWindow::Stop+0x47 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\dom\base\nsglobalwindow.cpp @ 5294] 
0012a924 02dfb297 0ad4d020 0012acec 02bb7c67 xul!nsGlobalWindow::Stop+0x51 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\dom\base\nsglobalwindow.cpp @ 5295] 
0012a930 02bb7c67 0ad4d020 00000013 00000000 xul!NS_InvokeByIndex_P+0x27 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\xpcom\reflect\xptcall\src\md\win32\xptcinvoke.cpp @ 71]
0012acec 0229bc6a 0ae6eb70 00000000 066f0168 xul!XPC_WN_CallMethod+0x687 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1488]
0012ada8 0228e18c 0ae6eb70 00000000 066f0178 mozjs!js::InvokeKernel+0x6a [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 389]
0012b7d0 0229da89 066f0128 00000000 0ae6eb70 mozjs!js::Interpret+0x95c [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 2366]
0012b81c 0229be76 0ae6eb70 0012b860 066f0128 mozjs!js::RunScript+0x99 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 346]
0012b8d8 0229c2b3 0ae6eb70 00000000 066f0110 mozjs!js::InvokeKernel+0x276 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\js\src\jsinterp.cpp @ 404]

 

此时进入一个死循环,不停的调用windows.stop 然后又触发事件注册回调,导致堆栈被耗尽,同时之前申请的nsDocumentViewer一直通过堆栈进行传递

0:000> s -d 0×0 l?0×7fffffff 0a984280 //搜索对这个nsDocumentViewer的引用
000b00e8 0a984280 00000002 00000000 03982b00 .B………..+..
000b024c 0a984280 0a06d2e0 00000001 00000008 .B…………..
000b1cbc 0a984280 02d0065f 00000000 000b1ce4 .B.._……….. //nsDocumentViewer
000b1cd0 0a984280 05685148 00000000 00000000 .B..HQh………
000b332c 0a984280 02d0065f 00000000 000b3354 .B.._…….T3..
000b3340 0a984280 05685148 00000000 00000000 .B..HQh………
000b499c 0a984280 02d0065f 00000000 000b49c4 .B.._……..I..
000b49b0 0a984280 05685148 00000000 00000000 .B..HQh………
……

ownerDocument.write

耗尽后js会终止这个循环执行,开始调用下一条write js语句

 

var z="<img src='nonexistant.html'>";
 
window.parent.frames[0].frameElement.ownerDocument.write(z);

 

这条js语句触发xul!nsHTMLDocument::WriteCommon操作,将之前申请的nsDocumentViewer对象进行销毁,去除引用(见@1)

 

Breakpoint 5 hit
eax=0a984280 ebx=08ab88b8 ecx=08c13a30 edx=02dea6e0 esi=0a150cac edi=00000000
eip=02cd69b6 esp=000b0250 ebp=000b0260 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
xul!nsDocShell::Destroy+0x15f:
02cd69b6 3bc7            cmp     eax,edi
0:000> kb
ChildEBP RetAddr  Args to Child
000b0260 02d456c4 0a150cac 08ab88b8 07eca2bc xul!nsDocShell::Destroy+0x15f [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\docshell\base\nsdocshell.cpp @ 4932]
000b0270 02b81b0c 08c37f80 00000000 000b0294 xul!nsFrameLoader::Finalize+0x28 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nsframeloader.cpp @ 582]
000b0294 02b82144 07eca1ac 094793d0 07eca000 xul!nsDocument::MaybeInitializeFinalizeFrameLoaders+0xec [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nsdocument.cpp @ 5820]
000b02bc 02c305bd 040051f4 00000000 07eca000 xul!nsHTMLDocument::EndUpdate+0x84 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 2510]
000b0354 02cb1403 094793d0 0a10e600 07226c40 xul!nsDocument::ResetToURI+0xfd [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nsdocument.cpp @ 1963]
000b037c 02cd5d97 094793d0 0a10e600 07226c40 xul!nsHTMLDocument::ResetToURI+0x20 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 287]
000b03b0 02cfa13e 094793d0 0a10e600 000b0674 xul!nsDocument::Reset+0x67 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\base\src\nsdocument.cpp @ 1903]
000b03c4 03619ede 0a985b0c 0a10e600 07eca000 xul!nsHTMLDocument::Reset+0x12 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 274]
000b063c 03706636 07eca000 000b0698 0a1437e0 xul!nsHTMLDocument::Open+0x6c0 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 1646]
000b067c 02f16571 07eca37c 000b06b8 03c75a44 xul!nsHTMLDocument::Open+0xa0 [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 1381]
000b06dc 02cd2b3f 0a1437e0 000b0760 00000000 xul!nsHTMLDocument::WriteCommon+0x243bbc [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 1851]
000b0710 02b310df 07eca000 0a1437e0 00000000 xul!nsHTMLDocument::WriteCommon+0x2b [e:\builds\moz2_slave\rel-m-rel-w32_bld-000000000000\build\content\html\document\src\nshtmldocument.cpp @ 1785]

 

并且调用nsDocumentViewer::~nsDocumentViewer销毁对象
调用xul!PresShell::Release 销毁PreShell对象

之后 xul!nsHTMLDocument::StopDocumentLoad 函数开始返回

 

0:000> ba r 1 000b1cbc
0:000> g
Breakpoint 7 hit
eax=08231400 ebx=08ab88b4 ecx=0000005a edx=00000000 esi=0a984280 edi=05685148
eip=02cbd889 esp=000b1cc0 ebp=000b1cc8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
xul!nsHTMLDocument::StopDocumentLoad+0x2b:
02cbd889 c3              ret
0:000> dd 000b1cbc
000b1cbc  0a984280 02d0065f 00000000 000b1ce4   //此处为之前的nsDocumentViewer对象,此时该处漏洞已经被释放或者被其他对象占位,调试中总是被xul!nsFileChannel::`vftable'占位,这个对象刚好也是0xc8大小
000b1ccc  02d5bd49 0a984280 05685148 00000000
000b1cdc  00000000 03a6edf0 000b1cf8 0314cd0e
000b1cec  08ab88b4 00000003 00000000 000b1d04
000b1cfc  0314cd18 08ab88b4 000b1d10 02dfb297
000b1d0c  0adcfb80 000b20c8 02bb7c67 0adcfb80
000b1d1c  00000013 00000000 000b1db0 00000004
000b1d2c  000b2ae8 06f96a00 00000000 00000000

 

函数返回到xul!nsDocumentViewer::Stop函数 这里会调用xul!nsDocumentViewer的分发函数,导致EIP被控制

0:000> p
eax=08231400 ebx=08ab88b4 ecx=0000005a edx=00000000 esi=41414141 edi=05685148
eip=02d0065f esp=000b1cc4 ebp=000b1cc8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
xul!nsDocumentViewer::Stop+0×16:
02d0065f 80bec700000000 cmp byte ptr +0xc6 (000000c7)[esi],0 ds:0023:41414208=??

Patch

http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae

通过对readyState 事件加入限制,同时nsDocShell.cpp里面增加对mContentViewer的引用,每调用一次增加一次引用

\

Test
Too much recursion

\

\

Sample poc
这样的也可以触发

\

Ps:
1 一开始比较奇怪为啥crash时的堆栈回溯函数断不下来 最终发现是以及在这个函数里面了,只缘身在此山中
2 寻找对象引用直接搜索内存即可,可以在对象申请、销毁前后进行比对引用,下断点
3 thks binjo

Ref

http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/

http://pastebin.mozilla.org/2777139

http://www.mozilla.org/security/announce/2013/mfsa2013-53.html

http://krash.in/ffn0day.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1690

http://hg.mozilla.org/releases/mozilla-esr17/pushloghtml?startdate=2013-05-05&enddate=2013-05-17

https://www.evernote.com/shard/s258/sh/1b8d8264-c94f-449d-866e-023d3a87cded/86fc1d67e2aa8cb0211c467c7a75e26c?noteKey=86fc1d67e2aa8cb0211c467c7a75e26c&noteGuid=1b8d8264-c94f-449d-866e-023d3a87cded


点击复制链接 与好友分享!回本站首页
相关TAG标签
上一篇:CVE-2013-0912利用学习
下一篇:提取windows用户明文密码
相关文章
图文推荐
点击排行

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站