CVE-2019-11707: IonMonkey Type Confusion in Array.Pop

Posted by Samuel Groß, Project Zero (2020-07-27)

Disclosure or Patch Date: 18 June 2019
Product: Mozilla Firefox
Affected Versions: Firefox 67.0.2, likely earlier versions
First Patched Version: Firefox 67.0.3 and Firefox ESR 60.7.1
Bug-Introducing CL: Unknown
Access to the exploit sample? Yes, provided by Coinbase Security
Reporter(s): Independently, Samuel Groß of Google Project Zero and Coinbase Security

Bug Class: Incorrect Speculation Guards in JIT
Vulnerability Details:
In essence, the JIT failed to ensure that calling Array.prototype.pop would not end up loading an array element from a prototype of the array. This could then be exploited in different ways:
  1. By storing elements of type T1 in the array and of type T2 in the array’s prototype. In that case, Spidermonkey would assume that the call to pop() would result in a value of type T1, while at runtime it would result in a value of type T2, thus causing a type confusion. This is how Fuzzilli triggered the bug.
  2. By installing indexed accessors on the prototype. Spidermonkey would assume that the call to pop() would be side-effect free, which is then not the case. The result is a classic incorrect side-effect modelling bug, similar to, for example, CVE-2019-9810 or CVE-2018-17463. This is how the bug was exploited in-the-wild.
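The two ways of reaching the prototype that the list above describes, as an added example written for this page (it is not code from the original post, from Fuzzilli, or from the in-the-wild exploit). It only shows the JavaScript semantics that a correct JIT has to model: Array.prototype.pop() on an array whose last slot is a hole reads index length - 1 through the prototype chain, so it can return a value of a different type than the array's own elements, or run an indexed getter installed on the prototype that mutates the array while pop() is still executing. It does not trigger the bug on any engine, and the helper name withPrototypeIndex is an assumption made here:

```javascript
// Added example, not from the original post. Plain JavaScript semantics only;
// runs under Node.js without relying on any JIT-specific behaviour.

// Install an indexed property on Array.prototype for the duration of fn()
// and remove it afterwards so it cannot leak into other code.
// (Hypothetical helper name chosen for this example.)
function withPrototypeIndex(index, descriptor, fn) {
  Object.defineProperty(Array.prototype, index, { configurable: true, ...descriptor });
  try {
    return fn();
  } finally {
    delete Array.prototype[index];
  }
}

// Case 1: the array holds integers (type T1) while the prototype holds a
// string (type T2) at the index pop() will read. Because arr[3] is a hole,
// pop() does not find an own property and falls through to Array.prototype[3],
// so the value it returns is of type T2, not T1.
function popTypeFromPrototype() {
  const arr = [1, 2, 3];
  arr.length = 4;            // arr[3] is now a hole, not an own property
  return withPrototypeIndex(3, { value: "from prototype", writable: true }, () => arr.pop());
}

// Case 2: an indexed accessor on the prototype. The getter runs in the middle
// of pop() and shrinks the array, so pop() is not side-effect free. After the
// getter returns, pop() still writes length = 3 back, leaving three holes.
function popRunsPrototypeGetter() {
  const arr = [1, 2, 3];
  arr.length = 4;            // again make index 3 a hole
  const events = [];
  const value = withPrototypeIndex(3, {
    get() {
      events.push("getter ran");
      arr.length = 0;        // mutate the array while pop() is executing
      return 42;
    },
  }, () => arr.pop());
  return { value, events, lengthAfter: arr.length, firstElement: arr[0] };
}
```

In case 2 the array that pop() was called on no longer has the elements it had when pop() started, which is exactly the state a JIT that treats pop() as side-effect free will not expect; any bounds check or type guard it eliminated on that assumption then becomes unsound.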

Is the exploit method known? Yes
Exploit method: Compiler bug to runtime out-of-bounds array access to type confusion to arbitrary read/write. Similar to other exploits for this type of bug.

How do you think you would have found this bug? 
This bug was independently found through fuzzing with Fuzzilli. However, as it is a variant of a popular bug pattern in JIT compilers, it is at least equally likely that it was discovered through manual code analysis.

(Historical/present/future) context of bug: 
Incorrect side-effect modelling bugs in JIT compilers date back at least to early 2018, likely even earlier. They have been found multiple times in all popular engines such as JavaScriptCore, V8, and Spidermonkey. In 2019, before this bug was exploited in-the-wild, another incorrect side effect modelling bug (CVE-2019-9810) was used against Firefox at pwn2own.

This vulnerability was chained with CVE-2019-11708, a Firefox sandbox escape, according to Coinbase.

According to Objective-See, macOS already included a signature in XProtect that could detect the malware dropped by the exploit. The signature was added by Apple in 2016 without any public disclosure.

Areas/approach for variant analysis: Auditing side-effect modelling in JIT Compilers
Found variants: 
Apart from many earlier variants, Spidermonkey suffered from a similar bug that was fixed in early 2020 (CVE-2019-17026), and V8 also fixed a similar vulnerability in early 2020 (CVE-2020-6418).

Structural improvements:
One possibility is to help fuzzers detect these kinds of bugs by adding instrumentation that ensures no side-effects happen during execution of operations for which the JIT assumes no side-effects. Mozilla implemented a simple version of this with https://github.com/mozilla/gecko-dev/commit/4ca7a9d3ee9c7fe0d432bd3d3e251238a6f71721 which found a non-security variant of this bug pattern: https://bugzilla.mozilla.org/show_bug.cgi?id=1607670

Potential detection methods for similar 0-days: 
N/A - Likely hard to detect generically

Other references: 
  • June 2019: Twitter thread by Philip Martin of Coinbase Security about detecting the exploit
  • June 2019: Blogpost on the macOS malware dropped by the exploit by Objective-See
  • June 2019: Twitter thread by Samuel Groß on the ITW exploit
