CVE-2023-4574 - A Deep Dive into the IPC Color Picker Callback Use-After-Free Vulnerability in Firefox and Thunderbird

We recently came across a critical vulnerability tagged as CVE-2023-4574, which affects major versions of the Firefox browser and Thunderbird email client. This vulnerability caught our attention due to its detrimental impact on the user experience. In this long-read post, we will thoroughly discuss the underpinnings of this vulnerability, its consequences, and remediation efforts. We will also provide original reference links and code snippets for a better understanding of the exploit details.

Vulnerability Description

CVE-2023-4574 revolves around a use-after-free issue that arises when creating a callback over Inter-Process Communication (IPC) for showing the Color Picker window. In certain cases, multiple identical callbacks can be created at once, leading to a simultaneous destruction of all callbacks as soon as one of them completes its operation. This results in a potentially exploitable crash.

Exploring the Vulnerability

To understand this vulnerability, let's dive into some code snippets. The issue can be visualized in the following sections of the code when creating a callback over IPC:

void Channel::CreateCallback(const nsString& aDialogTitle) {
  if (!mCallback) {
    mCallback = mBrowserParent.CreateColorPickerCallback(aDialogTitle);
    mCallback.SetListener(this);
  }
}

In the code above, the CreateCallback function checks if mCallback is not already set; if not, it creates a new Color Picker callback using the mBrowserParent.CreateColorPickerCallback() method. However, the check for !mCallback may not be sufficient to prevent multiple callbacks from being created at the same time.

The vulnerability is further manifested in the following code section when the callbacks are destroyed:

void Channel::OnResult(const uint32_t& aResult) {
  if (mCallback) {
    mCallback.SetListener(nullptr);
    mCallback = nullptr;
    mBrowserParent.DestroyColorPickerCallbacks();
  }
}

Here, the OnResult function first checks if mCallback is set. If it is, the function sets the callback listener to nullptr, effectively unassigning the listener. Then, it sets the mCallback variable to nullptr and proceeds to destroy all Color Picker callbacks using the mBrowserParent.DestroyColorPickerCallbacks() method.

Unfortunately, this can result in a scenario where multiple callbacks are initiated and destroyed all at once, leading to a use-after-free situation and, consequently, a potential crash in the application.

Original References

For a detailed understanding of the CVE-2023-4574 vulnerability, you can refer to the following links:

1. Mozilla Foundation Security Advisory 2023-05
2. Firefox 117 Release Notes
3. Thunderbird 102.15 Release Notes

Mitigation

To mitigate this vulnerability, users are strongly recommended to update their Firefox browser and Thunderbird email client to the latest available versions and apply all security patches provided by the software vendor.

Conclusion

CVE-2023-4574 - the IPC Color Picker callback use-after-free vulnerability - is a significant security concern for users of the Firefox browser and the Thunderbird email client. We hope that our discussion has shed light on its intricacies and the necessary countermeasures to protect your digital assets.

Timeline

Published on: 09/11/2023 09:15:00 UTC
Last modified on: 09/13/2023 11:15:00 UTC