There's a bunch of misinformation about the new Firefox exploit so I'd like to clear a few things up. https://twitter.com/movrcx/status/803744059022069760 …
-
-
First off, it's a garden variety use-after-free, not a heap overflow, and it affects the SVG parser Firefox.
-
MWR published research in this area years ago in WebKit, and it appears that Firefox is lagging a few years behind. https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-webkit-exploit/ …
-
As far as exploit techniques, this is a routine UAF that heap sprays a controlled object to kick off a ROP chain. Pwn2Own 2012-level tech.
-
The controlled object eventually gives them RW access to memory, then its game over.
-
This is not an advanced exploit. If you want to see one of those, check out Pegasus which had to deal with code signing and JIT pages.
-
This type of exploit is much harder to write in Chrome and Edge due to memory partitioning, an exploit mitigation that Firefox lacks.
-
If you thought this exploit was from MSF, it's not. MSF has 8 Firefox exploits, none of them match this new one.
-
The version regex in the exploit matches Firefox 49, and the specific user-agent that the Tor Browser Bundle uses.pic.twitter.com/OjMf6T4JHA
-
The vulnerability is present on macOS, but the exploit does not include support for targeting any operating system but Windows.
-
If you were wondering, Mozilla is aware of the bug and has an open issue to track it. http://hg.mozilla.org/mozilla-central/rev/adcc39e3cad0 …
-
It's not possible to determine the origin of the bug -- fuzzer or manual analysis. IMHO the author developed the exploit from scratch.
-
The shellcode is fairly simple. It calls back to 5.39.27.226 (check your logs). Again, nothing outrageous here.
-
Final thoughts: the Tor Browser Bundle is unable to protect those that need it most. If you rely on it, strongly reconsider your choices.
-
Consider the difficulty of running a Tor exit node that injects this exploit into every HTTP session. ¯\_(ツ)_/¯
-
The story here is that there is no story. Software is buggy, 0days exist. Stop obsessing over single vulnerabilities. It's 2016, move fwd.
-
This is unlikely to work. All past info says LE exploits only run for very specific logged in users. https://twitter.com/csoghoian/status/803958781948338176 …
This Tweet is unavailable.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.