French security research company Vupen has published the details of the use-after-free vulnerability its team exploited at Pwn2Own 2014 to hack Mozilla Firefox.
At Pwn2Own 2014, the hacking contest that takes place alongside the CanSecWest security conference, Vupen earned a total of $400,000 for demonstrating their exploits against Firefox, Internet Explorer, Google Chrome, Adobe Reader and Adobe Flash. A total of 11 zero-day exploits were used.
On Tuesday, Vupen researchers made available the details of CVE-2014-1512 (MFSA2014-30), the use-after-free vulnerability they leveraged to crack Firefox. It’s worth noting that Mozilla addressed the issue on March 18, shortly after Pwn2Own ended, with the release of Firefox 28.
Vupen highlighted the fact that it wasn’t easy to exploit this use-after-free flaw because the Web browser needed to be in a specific memory state called “memory-pressure” in order to reach the vulnerable code branch.
The exploit relies on a bug related to Pressure(), a function that’s called when a page is loaded. The Presure() function also calls a function named spray(), which sprays memory. Since Presure() is recursive, spray() is called numerous times, so after a few seconds the web browser runs out of memory and enters the “memory-pressure” state. This state is designed to protect the browser from intensive memory use.
When the “memory-pressure” state is activated, an object is created. While this object is later deleted, a reference to it still remains in the memory. The fact that the freed object is later used in various Firefox functions leads to a crash that can be exploited.
Vupen has managed to exploit this vulnerability on Windows 8.1 by bypassing Address Space Layout Randomization (ASLR), Data Execution Protection (DEP) and the Enhanced Mitigation Experience Toolkit (EMET). However, the methods used to bypass EMET have not been disclosed.
Vupen researchers were not the only ones to crack Firefox at Pwn2Own 2014. Mariusz Mlynski, Jüri Aedla and George Hotz have also reported critical vulnerabilities that were patched by Mozilla in Firefox 28.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
Latest News
- KeePass Update Patches Vulnerability Exposing Master Password
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Keep Aware Raises $2.4M to Eliminate Browser Blind Spots
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Zoom Expands Privacy Options for European Customers
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
