A recently disclosed vulnerability, CVE-2023-25735, affects the implementation of cross-compartment wrappers in Firefox, Thunderbird, and Firefox ESR when those wrappers wrap scripted proxies. If exploited, the flaw leads to a use-after-free condition that can compromise the security and stability of the affected software.

Vulnerability Details

In the affected versions, the cross-compartment wrapper implementation allowed an object belonging to another compartment to be stored in the main compartment while wrapping a scripted proxy. Once the proxy is unwrapped, that stored object may already have been freed, producing a use-after-free. A malicious actor could potentially exploit this condition to execute arbitrary code and compromise an affected system.

Code Snippet Example

Here's a simplified example showcasing the improper storage of objects from various compartments into the main compartment. Note that the example is illustrative pseudo-code: `Compartment`, `evaluate`, `wrap` and `unwrap` stand in for SpiderMonkey's internal compartment machinery and are not web-exposed JavaScript APIs.

// Main compartment: an ordinary object that lives in the main compartment
var mainObject = {data: "Main data"};

// Other compartment: a separate realm whose objects must never be referenced
// directly from the main compartment without a cross-compartment wrapper
var otherCompartment = new Compartment();
var otherObject = otherCompartment.evaluate("({data: 'Other data'})");

// Scripted proxy: its handler traps run as JavaScript, so the engine cannot
// assume anything about what they return
var proxyHandler = {
  get: function (target, prop) {
    return target[prop];
  }
};
var proxy = new Proxy(otherObject, proxyHandler);

// Cross-compartment wrapper wrapping the scripted proxy
var wrappedProxy = otherCompartment.wrap(proxy);

// Storing a reference to otherObject in the main compartment (unsafe):
// the main compartment now holds an object it does not own
mainObject.otherData = wrappedProxy;

When the wrapped proxy is unwrapped, the underlying otherObject may already have been freed, so any access through the unwrapped reference is a use-after-free.

// Unwrapping the proxy yields the raw, possibly already-freed otherObject
var unwrappedProxy = otherCompartment.unwrap(mainObject.otherData);

// Accessing the freed otherObject (use-after-free)
console.log(unwrappedProxy.data);

References to Original Sources

1. Mozilla Foundation Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2022-##
2. CVE-2023-25735 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25735

Exploit Details

An attacker could host a webpage containing malicious JavaScript that triggers the flaw, causing the browser to store objects from a different compartment in the main compartment. When the affected software later accesses those objects after unwrapping the proxy, the use-after-free condition occurs.

To mitigate this vulnerability, users of the affected software versions should update to a fixed release:

Firefox ESR: Update to version 102.8 or above

If you are unable to update immediately, it is recommended to disable JavaScript in your browser or email client to reduce the possibility of being exploited. However, the best course of action is to update the software to a secure version as soon as possible.
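A practical way to act on the advice above is to inventory which installed builds are still below the fixed release. The script below is an added example, not part of the advisory or of any Mozilla tooling: it parses the output of `firefox --version` (or any string in the same shape, such as the constructed samples embedded here), recognises the `esr` suffix, and compares the version against the Firefox ESR 102.8 figure stated above. It deliberately encodes only that ESR threshold; for rapid-release Firefox or Thunderbird the caller must pass the fixed version from the vendor advisory, otherwise the result is reported as unknown rather than guessed.

```python
"""Version check for CVE-2023-25735 (Firefox ESR fixed in 102.8 per the advisory).

Added example; the version strings in SAMPLES are constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed Firefox ESR release stated in the advisory above.
FIXED_ESR: Version = (102, 8, 0)

# Matches e.g. "102.7.0esr", "110.0", "102.8.0" (patch component optional).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_esr) parsed from a --version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def assess(version_output: str,
           fixed_esr: Version = FIXED_ESR,
           fixed_release: Optional[Version] = None) -> str:
    """Classify a build as 'patched', 'vulnerable' or 'unknown'.

    ESR builds are compared against fixed_esr. Non-ESR builds (rapid-release
    Firefox, Thunderbird) are compared against fixed_release, which the caller
    supplies from the vendor advisory; without it we refuse to guess.
    """
    version, is_esr = parse_version(version_output)
    if is_esr:
        return "patched" if version >= fixed_esr else "vulnerable"
    if fixed_release is None:
        return "unknown"
    return "patched" if version >= fixed_release else "vulnerable"


def local_firefox_version(binary: str = "firefox") -> Optional[str]:
    """Run `<binary> --version` and return its first output line, or None."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    return out.stdout.strip().splitlines()[0] if out.stdout.strip() else None


# Constructed sample outputs in the format `firefox --version` prints.
SAMPLES = [
    "Mozilla Firefox 102.7.0esr",   # ESR below the fixed release
    "Mozilla Firefox 102.8.0esr",   # exactly the fixed ESR release
    "Mozilla Firefox 102.10.1esr",  # later ESR (10 > 8 numerically, not lexically)
    "Mozilla Firefox 109.0",        # rapid release; threshold not on this page
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:32} -> {assess(line)}")
    local = local_firefox_version()
    if local:
        print(f"{local:32} -> {assess(local)}")
```

The tuple comparison is what makes `102.10.1esr` sort after `102.8.0esr`; a naive string comparison would rank it as older and wrongly flag a patched host.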

Conclusion

CVE-2023-25735 presents a significant risk for users of Firefox, Thunderbird, and Firefox ESR. Understanding its potential impact and taking the steps above to mitigate it is essential. To stay secure, update your software to a fixed version and remain vigilant about the websites you visit and the emails you open.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 16:05:00 UTC