Waiting for disclosing details
https://bugs.chromium.org/p/chromium/issues/detail?id=1385502
https://github.com/mozilla-mobile/focus-android/issues/8056
Related vuln :
http://lostmon.blogspot.com/2022/10/mozilla-firefox-focus-and-nightly.html
Security Research & Analisys:
Personal Blog where I expose my investigations,
advisores and some outstanding news on security.
Waiting for disclosing details
https://bugs.chromium.org/p/chromium/issues/detail?id=1385502
https://github.com/mozilla-mobile/focus-android/issues/8056
Related vuln :
http://lostmon.blogspot.com/2022/10/mozilla-firefox-focus-and-nightly.html
########################
Mozilla Firefox, Focus and Nightly
For Android Remote Crash Dos
Vulnerability.
Last update: 25/11/2022
########################
################
Description
################
A vulnerability is present in the way that Mozilla for Android mobile products manage the clipboard and handle excepcions.
A evil site can take profit from software excepcions to do a crash in the app or to deny access to clipboard and cause a crash resulting in lost of available information that not save.
If we close the app and clear cache etc, we have the same situation a crash or a Dos that Tdo a crash. :)
The vulnerability interact with parts of Android system like open links in app, and sharing functions.
It's a of different error messages that the app can't handle or programmer store remote data in parcels, or how store data in clipboard and how process it.
Multiple app are vulnerable to this style attack resulting in a lost of data, DoS to application, crash aplicattion or DoS to functions or application or dead browser treat activity and force user to close App.
We can abuse parcels errors in
TransactionTooLargeException
DeadSystemException
Wen can abuse open in app or sharing functions or clipboard functions in
TransactionTooLargeException
DeadSystemException
ClipboardManager
content.ClipboardManager.getPrimaryClip
################
Versions afected:
################
Mozilla firefox
107.1.0 Build #2015915067
106.1.0 built 2015907747
105.2.0 built 2015907747
Mozilla Nightly
107.0a1
built 2015909163
built 2015909131
built 2015915115
108.0a1
built 2015912339
built 2015913675
109.0a1
Build 2015916075
Build 2015917035
Build 2015917803
Mozilla Focus
105.0.2
built 362762015
107.1.0
Built 363142253
#########################
Related bugs in other apps
https://bugs.chromium.org/p/chromium/issues/detail?id=1385502
Mozilla issue tracker
https://github.com/mozilla-mobile/focus-android/issues/8056
Posible related bug
https://github.com/mozilla-mobile/android-components/issues/12804
Tested on
Android 9, 10, 11, 12 and continue testing
################
Timelime
################
Discovered 28-08-2022
Vendor notify NO
Released 12-10-2022
Last update 25-11-2022
###############
No more details at this time.
Exploit available in private.
I update this advisore in few days with more information.
################ €nd ####################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
(1240.1334): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00000000 ecx=77d25085 edx=00000000 esi=1d7c0000 edi=7ff90240 eip=61b39357 esp=0023f01c ebp=00000001 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\JavaScriptCore.dll - JavaScriptCore!WTF::fastMalloc+0x157: 61b39357 c705efbeadbb00000000 mov dword ptr ds:[0BBADBEEFh],0 ds:0023:bbadbeef=???????? 0:000> !load msec.dll 0:000> !exploitable -m VERSION:1.6.0.0 IDENTITY:HostMachine\HostUser PROCESSOR:X86 CLASS:USER QUALIFIER:USER_PROCESS EVENT:DEBUG_EVENT_EXCEPTION EXCEPTION_FAULTING_ADDRESS:0xffffffffbbadbeef EXCEPTION_CODE:0xC0000005 EXCEPTION_LEVEL:SECOND_CHANCE EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION EXCEPTION_SUBTYPE:WRITE FAULTING_INSTRUCTION:61b39357 mov dword ptr ds:[0bbadbeefh],0 MAJOR_HASH:0x7fdedd27 MINOR_HASH:0x39b7b969 STACK_DEPTH:6 STACK_FRAME:JavaScriptCore!WTF::fastMalloc+0x157 STACK_FRAME:WebKit!WKDictionaryGetTypeID+0xb112 STACK_FRAME:WebKit!WKCredentialGetTypeID+0x1f776 STACK_FRAME:WebKit!WKCredentialGetTypeID+0x489f2 STACK_FRAME:WebKit!WKCredentialGetTypeID+0x4337e STACK_FRAME:JavaScriptCore!JSC::JSArray::getOwnPropertySlotByIndex+0x2a44 INSTRUCTION_ADDRESS:0x0000000061b39357 INVOKING_STACK_FRAME:0 DESCRIPTION:User Mode Write AV SHORT_DESCRIPTION:WriteAV CLASSIFICATION:EXPLOITABLE BUG_TITLE:Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969) EXPLANATION:User mode write access violations that are not near NULL are exploitable.0:000> !exploitable !exploitable 1.6.0.0 Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969) User mode write access violations that are not near NULL are exploitable.####################### €nd ##########################


La curiosidad es lo que hace
mover la mente...
Lostmon Blogger © All Rights Reserved