Twitter thread, 7 tweets
Thanks to @coinbase I've had a chance to look at the in-the-wild exploit for the recent Firefox 0day (the RCE) that they caught. Tl;dr: it looks a lot like a bug collision between Fuzzilli and someone manually auditing for bugs. My notes:
My report for the bug is now public: bugs.chromium.org/p/project-zero…. This PoC directly turns the bug into type confusions, the exploit technique is then basically phrack.org/papers/jit_exp…
The itw exploit however abuses the bug as a side-effect issue (a popular JIT bug: saelo.github.io/presentations/…), turns that into an OOB read, then a type confusion. With that the bug is basically a variant of CVE-2019-9810 ( github.com/xuechiyaobai/C…). Thanks @_niklasb for the reference
A fuzzer would likely have a hard time triggering the bug that way. Fuzzilli found a simpler case that triggered another aspect of the issue, not involving side effects, which is also easier and a bit more reliable to exploit (doesn't involve heap manipulation)
According to objective-see.com/blog/blog_0x43… it seems the bug was already exploited before the fix became public on Jun 6th (hg.mozilla.org/integration/au…). Also, imo it would be quite difficult to construct a PoC from the bugfix alone
So all in all this looks like a bug collision (not a 1day constructed from the bugfix, not a leak from any of the bug trackers). My guess is that someone was looking for that bug pattern or even specifically for a variant of CVE-2019-8910 and found the bug that way
@_niklasb Just to clarify (hope that's not necessary though...): github.com/xuechiyaobai/C… doesn't have anything to do with this exploit, it's just one of multiple public PoCs for a similar bug in Firefox. Other PoC e.g. github.com/0vercl0k/CVE-2… (same goes for it of course)
Thread author: Samuel Groß