Firefox XUL Frame Tree Vulnerability

November 26, 2008

The multi-platform Mozilla Firefox browser is capable of interpreting and rendering many types of content published on the Internet. Some of the widely used formats are HTML, XML, and XUL.

XUL (XML User Interface Language) is a user interface markup language based on XML (Extensible Markup Language). The XUL standard draws on other existing standards like DOM, XML, and CSS, and is similar in structure to HTML.

XUL has many predefined element types such as label, command, tree, etc. The tree element holds a set of rows of elements. An example of the use of the tree element follows:


Most XUL elements are at least partially implemented using XBL (XML Binding Language). XBL is a language used to describe bindings that can be attached to elements in other documents.

A vulnerability exists in Mozilla Firefox in the way the XBL Event Handler handles XUL documents with a series of specially crafted tree children. The flaw is in the construction of a tree frame: if the value of the rows attribute of a tree element is negative, an unrelated event is mistakenly triggered, which removes the treechildren frame node from the DOM tree. The calling function then references the deleted frame again, which results in a NULL pointer dereference and terminates the browser process.
It is reported that memory corruption may occur as a result of exploitation, which may lead to process flow diversion.
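
A defensive content check for the condition described above, as an added example that is not part of the original advisory and is not SonicWALL's signature logic: it parses a XUL document and reports tree elements whose rows attribute is negative. The function name and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XUL namespace used by Mozilla applications.
XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
# Accept the namespaced tag and a bare <tree> in loosely written markup.
TREE_TAGS = {"tree", "{%s}tree" % XUL_NS}

def find_negative_row_trees(xul_text):
    """Return [(id, rows), ...] for each <tree> with a negative rows value.

    Returns None when the input is not well-formed XML, so a caller can
    handle unparseable content separately from clean content.
    """
    try:
        root = ET.fromstring(xul_text)
    except ET.ParseError:
        return None
    hits = []
    for el in root.iter():
        if el.tag not in TREE_TAGS:
            continue
        raw = el.get("rows")
        if raw is None:
            continue
        try:
            rows = int(raw.strip())
        except ValueError:
            continue  # non-numeric rows values are outside this check
        if rows < 0:
            hits.append((el.get("id", ""), rows))
    return hits

# Constructed sample documents (not taken from the advisory).
BENIGN = f'''<window xmlns="{XUL_NS}">
  <tree id="ok" rows="2"><treechildren/></tree>
</window>'''
SUSPECT = f'''<window xmlns="{XUL_NS}">
  <tree id="t1" rows="-1"/>
</window>'''

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_negative_row_trees(doc))
```

A static check like this sees only the markup as delivered; a rows value assigned by script at runtime is not covered.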

SonicWALL has released an IPS signature that will detect and block a specific exploit known to have been circulated in the wild. The following signature addresses this issue:

  • 5321 - Mozilla Firefox XUL Frame Tree Memory Corruption PoC