French security research company Vupen has published the details of the use-after-free vulnerability its team exploited at Pwn2Own 2014 to hack Mozilla Firefox.
At Pwn2Own 2014, the hacking contest that takes place alongside the CanSecWest security conference, Vupen earned a total of $400,000 for demonstrating their exploits against Firefox, Internet Explorer, Google Chrome, Adobe Reader and Adobe Flash. A total of 11 zero-day exploits were used.
On Tuesday, Vupen researchers made available the details of CVE-2014-1512 (MFSA2014-30), the use-after-free vulnerability they leveraged to crack Firefox. It’s worth noting that Mozilla addressed the issue on March 18, shortly after Pwn2Own ended, with the release of Firefox 28.
Vupen highlighted the fact that it wasn’t easy to exploit this use-after-free flaw because the Web browser needed to be in a specific memory state called “memory-pressure” in order to reach the vulnerable code branch.
The exploit relies on a bug related to Pressure(), a function that’s called when a page is loaded. The Presure() function also calls a function named spray(), which sprays memory. Since Presure() is recursive, spray() is called numerous times, so after a few seconds the web browser runs out of memory and enters the “memory-pressure” state. This state is designed to protect the browser from intensive memory use.
When the “memory-pressure” state is activated, an object is created. While this object is later deleted, a reference to it still remains in the memory. The fact that the freed object is later used in various Firefox functions leads to a crash that can be exploited.
Vupen has managed to exploit this vulnerability on Windows 8.1 by bypassing Address Space Layout Randomization (ASLR), Data Execution Protection (DEP) and the Enhanced Mitigation Experience Toolkit (EMET). However, the methods used to bypass EMET have not been disclosed.
Vupen researchers were not the only ones to crack Firefox at Pwn2Own 2014. Mariusz Mlynski, Jüri Aedla and George Hotz have also reported critical vulnerabilities that were patched by Mozilla in Firefox 28.
