module
Firefox 8/9 AttributeChildRemoved() Use-After-Free
| Disclosed | Created |
|---|---|
| 2011-12-06 | 2018-05-30 |
Disclosed
2011-12-06
Created
2018-05-30
Description
This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1.
Removal of child nodes from the nsDOMAttribute can allow for a child
to still be accessible after removal due to a premature notification
of AttributeChildRemoved. Since mFirstChild is not set to NULL until
after this call is made, this means the removed child will be accessible
after it has been removed. By carefully manipulating the memory layout,
this can lead to arbitrary code execution.
Removal of child nodes from the nsDOMAttribute can allow for a child
to still be accessible after removal due to a premature notification
of AttributeChildRemoved. Since mFirstChild is not set to NULL until
after this call is made, this means the removed child will be accessible
after it has been removed. By carefully manipulating the memory layout,
this can lead to arbitrary code execution.
Authors
regenrecht
Lincoln lincoln@corelan.be
corelanc0d3r peter.ve@corelan.be
Lincoln lincoln@corelan.be
corelanc0d3r peter.ve@corelan.be
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.