Firefox MCallGetProperty Write Side Effects Use After Free Exploit
Disclosed | Created
---|---
2020-11-18 | 2022-03-01
Description
This module exploits CVE-2020-26950, a use-after-free vulnerability in Firefox.
The MCallGetProperty opcode can be emitted with unmet assumptions, resulting
in an exploitable use-after-free condition.
This exploit uses a somewhat novel technique of spraying ArgumentsData
structures in order to construct primitives. The shellcode is forced into
executable memory via the JIT compiler and executed by writing to the JIT
region pointer.
This exploit does not contain a sandbox escape, so Firefox must be run
with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set in order
for the shellcode to run successfully.
This vulnerability affects Firefox and Thunderbird. Additional work may be needed to support other versions such as Firefox 82.0.1.
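As an added defensive check that is not part of the Metasploit module: a POSIX shell script that walks Linux /proc and reports Firefox processes whose environment carries MOZ_DISABLE_CONTENT_SANDBOX, the setting the module depends on. The function names and the `firefox*` process-name match are assumptions; content processes inherit the variable from the parent Firefox process, so checking the parent's environ is sufficient.

```shell
#!/bin/sh
# Added defensive check, not part of the Metasploit module: find Firefox
# processes running with the content-process sandbox disabled through the
# MOZ_DISABLE_CONTENT_SANDBOX environment variable.

# Return 0 if the NUL-separated environ file at $1 sets
# MOZ_DISABLE_CONTENT_SANDBOX (any value counts, as Firefox only
# tests for the variable's presence), else return 1.
environ_has_sandbox_disabled() {
    tr '\0' '\n' < "$1" 2>/dev/null | grep -q '^MOZ_DISABLE_CONTENT_SANDBOX='
}

# Scan /proc for processes whose comm starts with "firefox" (assumed
# name of the parent browser process) and print the PIDs whose
# environment disables the content sandbox. Returns 1 if any were
# found, 0 if none were, so the script can be used from monitoring jobs.
scan_firefox_processes() {
    found=0
    for comm in /proc/[0-9]*/comm; do
        pid=${comm#/proc/}
        pid=${pid%/comm}
        case "$(cat "$comm" 2>/dev/null)" in
            firefox*) ;;
            *) continue ;;
        esac
        if environ_has_sandbox_disabled "/proc/$pid/environ"; then
            echo "pid $pid: content sandbox disabled via MOZ_DISABLE_CONTENT_SANDBOX"
            found=1
        fi
    done
    return "$found"
}

# Run the scan when executed directly (reading another user's environ
# requires root or ptrace permission; unreadable entries are skipped).
if [ "${SANDBOX_CHECK_NO_MAIN:-0}" = "0" ] && [ -d /proc ]; then
    scan_firefox_processes
fi
```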
Authors
360 ESG Vulnerability Research Institute
maxpl0it
timwr
Platform
Linux, Windows
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
