Contestants at this year’s Pwn2Own contest made no bones about it: they were going after browsers and as it turned out, Firefox had the biggest target on its back.
Mozilla’s popular browser was popped four times during the Canadian hacker festival accounting for a quarter of the $800,000-plus in prize money handed out over the course of two days.
Controversial vulnerability and exploit vendors VUPEN won six Pwn2Own cash prizes, including a zero-day in Firefox, details of which it shared yesterday. Founder Chaouki Bekrar told Threatpost in March that VUPEN researchers ran more than 60 million test cases through a fuzzer before they were able to find a memory corruption issue leading to an exploitable use-after-free condition in Firefox.
“This flaw was not easy to find and exploit because it required the browser to be in a specific memory state to reach the vulnerable code branch, this state is called by Mozilla: ‘memory-pressure,” VUPEN said in a statement yesterday.
Mozilla patched the four Firefox zero-day vulnerabilities within a week of their disclosure to the vendor during Pwn2Own. The VUPEN zero day was found in Firefox 27 running on a fully patched Windows 8.1 computer.
VUPEN’s exploit code triggering the use-after-free condition first attacks the Spray function in order to consume memory resources, which triggers the Pressure function, consume additional resources.
“As the ‘Pressure()’ function is recursive, the ‘spray()’ function will be called many times. Each heap spray operation performed by this function is saved into the tab array,” VUPEN researchers said. “After a few seconds, Firefox will run out of memory and enters into a specific state named ‘memory pressure’ or ‘low memory’ which is automatically activated to protect the browser from intensive memory use.”
Once activated, VUPEN said it was able to delete a freed “BumpChunk” object which eventually leads to an exploitable crash of the browser.
“In order to exploit this vulnerability an attacker needs first to take control of the freed object,” VUPEN said. “To replace the content of the freed object with attacker-controlled data, multiple elements having the same size as the vulnerable object must be created. This can be achieved by spraying ArrayBuffers of 0x2000 bytes.”
From there, they were able to cause a memory leak and a buffer overflow of the EIP register, and ultimately bypass Address Space Layout Randomization and Data Execution Protection memory safeguards native to Windows in order to execute code on the underlying system.
Details on the remaining Firefox zero-days brought to Pwn2Own have yet to be released. Notable iPhone and PlayStation jailbreak hacker George “geohot” Hotz scored $50,000 for his hack of Firefox in which he also found a memory issue causing an exploitable crash and code execution.
Researcher Juri Aedla, a frequent Google bug-hunter, also found a zero-day code execution bug in the browser. Mozilla said in its advisory at the time that: “TypedArrayObject does not handle the case where ArrayBuffer objects are neutered, setting their length to zero while still in use. This leads to out-of-bounds reads and writes into the JavaScript heap, allowing for arbitrary code execution.”
Polish researcher Mariusz Mlynski was the fourth Pwn2Own contestant to topple Firefox. He combined two vulnerabilities to gain privilege escalation.
“Combined these two bugs allow an attacker to load a JavaScript URL that is executed with the full privileges of the browser, which allows arbitrary code execution,” Mozilla said in its advisory.