New heap spray vulnerability- does NoScript protect?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

New heap spray vulnerability- does NoScript protect?

Post by luntrus » Tue Jul 14, 2009 8:15 pm

Hi users of the NoScript extension for Fx,

The renewed Milw0rm site today published a new heap spray hole for Firefox 3.5 enabling attackers to get complete control over the browser via a buffer overflow through memory corruption caused by an error in handling "font" HTML tags. The vulnerability has not been patched yet; F-Secure's free beta Exploit Shield protects against this vulnerability: http://www.f-secure.com/en_EMEA/support ... -programs/
Does NoScript protect us for this spraying of the heap? Can we get confirmation of this protection?
http://www.web2secure.com/2009/07/mozil ... spray.html
The vulnerability is caused by an error in JavaScript code handling; if that is so, I think I do know the answer to the above question, and I guess the answer will be affirmative - Yes, NoScript protects here. Am I right?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090713 Shiretoko/3.5.1pre

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Tue Jul 14, 2009 8:19 pm

If this is the same vulnerability, Mozilla Firefox Memory Corruption Vulnerability, then someone posted, yes, NoScript protects.

I looked here, http://hackademix.net/, but saw nothing mentioned.

Looks like it is the same.

SeaMonkey 1.1.17 seems unaffected (with NoScript).

SeaMonkey 2 seems unaffected with NoScript & file:// NOT Allowed.

SeaMonkey 2 brings up an Unresponsive Script warning with NoScript & file:// Allowed.
Stopping the script at that point does just that. Hitting Continue looks to loop back to the Unresponsive Script warning.

Quite an old build, Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 SeaMonkey/2.0b1pre, so you would think it to be vulnerable.

Let's disable NoScript & see ...

Same results, Unresponsive Script warning.

The quoted section is wrong. See below...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Giorgio Maone
Site Admin
Posts: 8829
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: New heap spray vulnerability- does NoScript protect?

Post by Giorgio Maone » Tue Jul 14, 2009 8:44 pm

Yes it does.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Tue Jul 14, 2009 8:48 pm

I may have made the POC incorrectly as I can't force a crash?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

Giorgio Maone
Site Admin
Posts: 8829
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: New heap spray vulnerability- does NoScript protect?

Post by Giorgio Maone » Tue Jul 14, 2009 8:59 pm

@therube
Have you got JIT disabled?
Setting the javascript.options.jit.content about:config preference to false mitigates this bug, since it is a TraceMonkey vulnerability.
Firefox 3.0.x/Seamonkey 1.1.x and below are unaffected because they've got no JIT compiler.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Tue Jul 14, 2009 9:07 pm

True (on both counts).
No JIT in SeaMonkey 1.1.17, that's a given.
And javascript.options.jit.content is set to True.

I'll have to try to redo my POC later.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: New heap spray vulnerability- does NoScript protect?

Post by luntrus » Tue Jul 14, 2009 11:00 pm

Hi therube,

If you will do so, then NoScript will work like a charm, successfully detecting the PoC's attempt to access file://.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090714 Shiretoko/3.5.1pre

Jim Too
Senior Member
Posts: 58
Joined: Mon Mar 23, 2009 4:30 pm

Re: New heap spray vulnerability- does NoScript protect?

Post by Jim Too » Tue Jul 14, 2009 11:14 pm

Does NoScript protect because it prevents the JavaScript from running (site not allowed) or does it prevent a bad script from an allowed site from performing the buffer overflow? In other words if a site I "allow" has let me down and allowed bad scripts to be installed on the site will NoScript guard against the bad script?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Wed Jul 15, 2009 12:36 am

The former.
If a site you Allow has let you down (assuming the exploit code is hosted on that site & not at some other domain), well, you will be let down.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Wed Jul 15, 2009 12:42 am

I don't know what I did earlier, but surely messed up the POC.

Just redid it & now I'm crashing like a good little browser should.

NoScript blocks the exploit, because it relies on JavaScript. Just as simple as that.

Allowing file:// in NoScript & you crash.
(file:// because my POC happens to be local, on my computer.)

Toggling the Preference item, javascript.options.jit.content, from true to false will block the exploit in the interim.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: New heap spray vulnerability- does NoScript protect?

Post by luntrus » Thu Jul 16, 2009 12:15 am

Hi therube,

The work-around for this will negatively influence the performance of the fx browser, so working NoScript is the better and more natural option for us until this is fixed, at least that is my two cents.
"The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of the problem is a buffer overflow when processing specially prepared Font tags."
http://www.h-online.com/security/First- ... ews/113761
Is this vulnerability a platform-independent or a Windows-specific Firefox bug?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.0 (KHTML, like Gecko) Iron/3.0.189.0 Safari/531.0

therube
Ambassador
Posts: 7598
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: New heap spray vulnerability- does NoScript protect?

Post by therube » Thu Jul 16, 2009 12:45 am

The work-around for this will negatively influence the performance of the fx browser

Bullhockey. Yes what you say is true. Would you have noticed the difference though? Perhaps if you were looking for it?
(I didn't check, but my feeling is, you would never know if it were set one way or the other.)

The exploit demonstrates a security vulnerability by starting the Windows calculator.

That may depend on your OS revision level. (Posted elsewhere) it said XP SP2, calc opened. XP SP3, the browser just crashed (which is what I observed).

Is this vulnerability a platform-independent or a Windows-specific Firefox bug?

Not sure?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre

zombiez
Posts: 1
Joined: Thu Jul 16, 2009 1:53 am

Re: New heap spray vulnerability- does NoScript protect?

Post by zombiez » Thu Jul 16, 2009 1:57 am

I used Ollydbg to attach the process but failed to trigger the exploit. Every time I did such work, I can only see the collapse of Firefox. The only way I could trigger the shellcode is in such kind of method. First, open a Firefox. Second, open Ollydbg and open an executable Firefox process, run it. Third, it will present a new window and the Ollydbg stops at address 7c92e54. Fourth, open the HTML, trigger the shellcode, but the Ollydbg can show nothing... Windbg the same... I wonder if you can tell how to deal with it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1) Gecko/20090624 Firefox/3.5

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: New heap spray vulnerability- does NoScript protect?

Post by Alan Baxter » Thu Jul 16, 2009 4:29 am

luntrus wrote: The work-around for this will negatively influence the performance of the fx browser, so working NoScript is the better and more natural option for us until this is fixed, at least that is my two cents.

I disagree. The exploit is completely avoided by disabling JIT, i.e. JIT has a known, exploited vulnerability and should not be used until it's fixed. This is what's recommended by the Mozilla security team: Critical JavaScript vulnerability in Firefox 3.5. Disabling JIT is "the better and more natural option for us until this is fixed". The vulnerability has already been fixed in the development builds for the next release, Fx 3.5.1, which I hope will be released soon. https://bugzilla.mozilla.org/show_bug.cgi?id=503286#c57

I've disabled JIT according to Mozilla's recommendation by setting the javascript.options.jit.content pref to false. I haven't noticed any performance degradation. But even if I did, I wouldn't want to use a browser that's "twice as fast" when the price is a known, exploited vulnerability. I'm certain the developers wouldn't consider that a reasonable trade-off either. YMMV.

NoScript won't help you if one of your trusted sites has been hacked. Why take a chance when we have a rock-solid workaround? Just turn off JIT until the vulnerability is fixed. BTW, javascript.options.jit.chrome needs to be set to false too, but that's the default value.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
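The interim mitigation named by Giorgio Maone and Alan Baxter above is a pair of about:config preferences, javascript.options.jit.content and javascript.options.jit.chrome, both of which must read false. Gecko stores such preferences in a profile's prefs.js (and takes overrides from user.js) as lines of the form `user_pref("name", value);`. The following Node.js script is an added example, not code from the thread or from NoScript: it parses that line format, reports whether both JIT preferences are off, and emits the user.js lines that would turn off whichever one is still on. It assumes the defaults stated in the thread for Firefox 3.5 / SeaMonkey 2.0 (jit.content true, jit.chrome false); the prefs.js contents it checks are constructed samples, not a real profile.

```javascript
// Added example: audit a Gecko prefs.js / user.js for the TraceMonkey JIT
// mitigation discussed in the thread. Not part of NoScript or the original posts.

// One user_pref line; the value may be a boolean, an integer or a quoted string.
const PREF_LINE = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$/;

// Parse prefs.js / user.js text into a Map of name -> value.
// Comments, blank lines and anything that is not a user_pref line are skipped;
// a later line for the same name overrides an earlier one, as Gecko does.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (raw.startsWith('"')) value = JSON.parse(raw); // quoted string
    else value = Number(raw);
    prefs.set(name, value);
  }
  return prefs;
}

// The two preferences named in the thread, with the built-in defaults stated
// there (assumed for Firefox 3.5 / SeaMonkey 2.0): a pref absent from prefs.js
// is at its default, so jit.content is ON unless the file says otherwise.
const JIT_PREFS = {
  'javascript.options.jit.content': true,
  'javascript.options.jit.chrome': false,
};

// Returns { mitigated, enabled } where enabled lists JIT prefs still not false.
function checkJitMitigation(prefs) {
  const enabled = [];
  for (const [name, defaultValue] of Object.entries(JIT_PREFS)) {
    const value = prefs.has(name) ? prefs.get(name) : defaultValue;
    if (value !== false) enabled.push(name);
  }
  return { mitigated: enabled.length === 0, enabled };
}

// The user.js lines that would apply the mitigation for any pref still enabled
// (an empty string means nothing needs to change).
function mitigationUserJs(prefs) {
  return checkJitMitigation(prefs).enabled
    .map((name) => `user_pref("${name}", false);`)
    .join('\n');
}

// One-line human-readable verdict for a prefs file's text.
function report(label, text) {
  const r = checkJitMitigation(parsePrefs(text));
  return r.mitigated
    ? `${label}: JIT disabled, mitigation in place`
    : `${label}: JIT still enabled via ${r.enabled.join(', ')}`;
}

// Constructed sample prefs.js contents (not taken from any real profile).
const SAMPLE_DEFAULT = `# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", true);
`;
const SAMPLE_MITIGATED =
  SAMPLE_DEFAULT + 'user_pref("javascript.options.jit.content", false);\n';

console.log(report('default profile', SAMPLE_DEFAULT));
console.log(report('mitigated profile', SAMPLE_MITIGATED));
console.log('user.js lines needed for the default profile:\n' +
  mitigationUserJs(parsePrefs(SAMPLE_DEFAULT)));
```

Run it with `node` after pointing `SAMPLE_DEFAULT` at the contents of a real prefs.js to get the same verdict for an actual profile; the check treats a missing jit.content entry as enabled, which is the case that matters, since a profile that has never touched the preference carries no line for it at all.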

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: New heap spray vulnerability- does NoScript protect?

Post by Grumpy Old Lady » Thu Jul 16, 2009 7:00 am

Content deleted.
Off topic.
Last edited by Grumpy Old Lady on Tue Oct 20, 2009 8:23 am, edited 2 times in total.
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11
