CVE-2023-4575 - Use-After-Free in Firefox and Thunderbird File Picker—What You Need to Know

In August 2023, Mozilla disclosed a significant vulnerability under CVE-2023-4575 affecting multiple versions of Firefox and Thunderbird. This flaw arises during the File Picker window operation and involves a use-after-free condition—opening an avenue for attackers to potentially crash the browser or even execute malicious code. In this long read, we’ll break down the vulnerability with simple, exclusive explanations, share code snippets illustrating the bug, look at possible avenues for exploitation, and point you to trusted references for further reading.

What is CVE-2023-4575?

CVE-2023-4575 targets a logic flaw in how Firefox and Thunderbird handle asynchronous inter-process communication (IPC) callbacks when popping up the File Picker window. In certain cases, multiple identical callbacks could be registered simultaneously. When one of these got handled, it would clean up resources for all of them. If another callback tried to access those now-freed resources, a use-after-free (UAF) bug could be triggered, crashing the application or enabling further, potentially harmful exploitation.

Let’s break down the bug in basic terms

1. Callbacks via IPC: When a web page requests the File Picker dialog (e.g., “choose file” upload), Firefox handles it over inter-process communication—registering callbacks to be triggered when the user picks a file.
2. Duplicate Callbacks: In certain race conditions, multiple identical callbacks could be registered for the same event.
3. Simultaneous Deletion: When *any* one callback finishes (user chooses a file or cancels), the cleanup process destroys all associated callbacks—even though others haven’t used their data yet.
4. Use-After-Free: A remaining callback runs, tries to use what should be valid memory, but the resources are already freed—resulting in a crash or, potentially, exploitable state for attack code.

Pseudocode: How the Flaw Might Arise

Here’s a simplified (exclusive) version of what the logic might look like in the browser’s codebase:

// Simplified callback registration (pseudo)
List<Callback*> filePickerCallbacks;

void RegisterFilePickerCallback(Callback* cb) {
    filePickerCallbacks.Add(cb);
}

// Later, when file picker completes
void OnFilePickerDone() {
    foreach (cb in filePickerCallbacks) {
        cb->Cleanup();  // Frees resources
    }
    filePickerCallbacks.Clear();
}

// But: multiple callbacks could use the same resources
void Callback::Run() {
    // The following pointer may now be dangling
    UseFilePickerResult(this->filePickerResultPtr);
}

If multiple callbacks used the same internal pointers, cleanup could delete memory before all had a chance to finish, triggering use-after-free when later callbacks tried to access freed memory.

Real-World Exploitation Potential

Use-after-free bugs are beloved by exploit writers because they can sometimes be turned into arbitrary code execution, especially in large, complex C++ codebases like Firefox.

Crash the browser: Easily achieved by simply accessing the free’d memory.

- Arbitrary code execution: By carefully controlling memory layout (heap spraying, etc.) an attacker might reclaim the freed space with their own data, eventually corrupting program pointers and hijacking execution.
- Drive-by attacks: A malicious website might trigger the file picker bug, especially if the IPC logic could be forced to register multiple callbacks—possibly with precise timing.

Proof-of-Concept (PoC) JavaScript

While the nature of the bug mostly affects deep browser internals, a PoC (for research) might try to activate the File Picker multiple times in rapid succession. Here’s a toy example that *might* have triggered the race, though reproducing a reliable exploit likely needs internal browser access:

// Rapidly open file dialogs in different iframes
for (let i = ; i < 10; i++) {
    let iframe = document.createElement('iframe');
    iframe.src = 'data:text/html,<input type="file">';
    document.body.appendChild(iframe);
    setTimeout(() => document.body.removeChild(iframe), 100);
}

Disclaimer: This code is for educational insight into timing bugs and does NOT constitute an actual exploit for modern, patched browsers!

How to Stay Safe

Patch Immediately!

Upgrade to Firefox 117 or newer

- Upgrade to Firefox ESR 102.15/115.2 or newer
- Upgrade to Thunderbird 102.15/115.2 or newer

Browser vendors patch these bugs regularly, and only older, unpatched systems remain vulnerable.

References and Further Reading

- Mozilla Security Advisory 2023-32
- Bugzilla entry for CVE-2023-4575 (may require permissions or waiting for public disclosure)
- NVD entry for CVE-2023-4575
- Mozilla Firefox Release Notes

TL;DR

CVE-2023-4575 is a classic use-after-free bug lurking in the Firefox/Thunderbird File Picker. If left unpatched, malicious actors could crash your browser or possibly take control. Update your software today and stay vigilant!


*Stay safe, and always keep your browsers up to date!*

Timeline

Published on: 09/11/2023 09:15:00 UTC
Last modified on: 09/13/2023 11:15:00 UTC