Mozilla Firefox mChannel Use After Free
    nsrefcnt AddRef();
    void QueryInterface(in nsIIDRef uuid,
                        [iid_is(uuid), retval] out nsQIResult result);
    nsrefcnt Release();
The nsIChannelEventSink interface is shown to provide the following methods:
    void asyncOnChannelRedirect(in nsIChannel oldChannel,
                                in nsIChannel newChannel,
                                in unsigned long flags,
                                in nsIAsyncVerifyRedirectCallback callback);  // Firefox 4+
    void onChannelRedirect(in nsIChannel oldChannel,
                           in nsIChannel newChannel,
                           in unsigned long flags);
The function asyncOnChannelRedirect is an asynchronous replacement for onChannelRedirect. These methods are called when a redirect occurs, such as when triggered by a 3xx HTTP status code. The onChannelRedirect method implementation for HTML objects contains a use after free flaw.
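As an added illustration of the ownership mistake behind this class of flaw (not SonicWALL's or Mozilla's code, and simplified from the real nsIChannelEventSink/nsCOMPtr interplay), the C++ below models a redirect sink that caches the new channel as a raw pointer without taking a reference, beside a version whose owning pointer does; Channel, RawSink, OwningSink, RefPtr and cachedChannelLiveAfterRedirect are hypothetical names.

```cpp
// Added illustration, not Mozilla's code: a reduced model of the AddRef/Release
// ownership rule behind the mChannel flaw. Channel, RawSink, OwningSink and
// RefPtr are hypothetical stand-ins for nsIChannel, sink implementations, nsCOMPtr.
#include <set>

static std::set<const void*> g_live;  // objects constructed and not yet destroyed

struct Channel {
    int mRefCnt = 0;
    Channel()  { g_live.insert(this); }
    ~Channel() { g_live.erase(this); }
    void AddRef()  { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
};
// nsCOMPtr-like owning pointer: every assignment takes its own reference.
struct RefPtr {
    Channel* p = nullptr;
    ~RefPtr() { if (p) p->Release(); }
    RefPtr& operator=(Channel* c) {
        if (c) c->AddRef();
        if (p) p->Release();
        p = c;
        return *this;
    }
};
// Vulnerable shape: caches the redirected channel as a raw pointer without
// AddRef, so nothing keeps it alive once the loader drops its reference.
struct RawSink {
    Channel* mChannel = nullptr;
    void onChannelRedirect(Channel*, Channel* newChannel) { mChannel = newChannel; }
    bool channelIsLive() const { return g_live.count(mChannel) != 0; }
};
// Hardened shape: the owning pointer holds a reference for as long as it is set.
struct OwningSink {
    RefPtr mChannel;
    void onChannelRedirect(Channel*, Channel* newChannel) { mChannel = newChannel; }
    bool channelIsLive() const { return g_live.count(mChannel.p) != 0; }
};
// Notify the sink of a redirect, then let the loader release both channels;
// returns whether the sink's cached pointer still refers to a live object.
template <class Sink> bool cachedChannelLiveAfterRedirect() {
    Sink sink;
    Channel* oldChannel = new Channel; oldChannel->AddRef();  // loader's reference
    Channel* newChannel = new Channel; newChannel->AddRef();  // loader's reference
    sink.onChannelRedirect(oldChannel, newChannel);
    oldChannel->Release();
    newChannel->Release();  // with RawSink, mChannel now dangles
    return sink.channelIsLive();
}
```

The liveness set stands in for what a debug allocator or ASan would report; the raw-pointer sink is the shape a reference-counting bug takes, the owning-pointer sink is the fix.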
In order to exploit this vulnerability, a remote attacker would have to entice the target user to open a crafted web page. Successful exploitation could allow the attacker to execute arbitrary code on the vulnerable system in the security context of the browser. An unsuccessful exploitation attempt could result in the abnormal termination of the browser. Use after free vulnerabilities are generally difficult to exploit successfully for code execution, so the most likely outcome of an attack attempt is a browser crash.
SonicWALL has released the following IPS signature to address this threat:
- 1497 - Mozilla Firefox onChannelRedirect Method Invocation
Additionally, SonicWALL has multiple existing IPS signatures that detect and block suspected heap spray methods that would most likely be used in attacks targeting this type of vulnerability. These signatures serve as a proactive defense against the most popular HTML-based attacks.