A newly discovered vulnerability (CVE-2023-4575) affects multiple versions of Firefox and Thunderbird and can lead to a potentially exploitable crash caused by a use-after-free. The flaw lies in how callbacks are created over IPC (Inter-process Communication) when the File Picker window is shown: under certain circumstances, several instances of the same callback could be created at once and later destroyed, corrupting memory.

Exploit Details

The vulnerability could be exploited if an attacker crafts a malicious website or email that triggers the affected code while the user interacts with the File Picker window. The use-after-free occurs when multiple callbacks are created for the same action and are all destroyed once the user completes it.

Here is a code snippet from the callback handling in the vulnerable code:

// Runs when the File Picker window is deactivated; tears down the
// callback held by this parent and drops the pointer.
void FilePickerParent::OnFilePickerWindowDeactivated() {
    if (mCallback) {
        // Nothing here records whether this same object was already
        // torn down through another assignment.
        mCallback->FilePickerParentDestroyed();
        mCallback = nullptr;
    }
}

In the snippet above, OnFilePickerWindowDeactivated() runs when the File Picker window is deactivated and tears down the callback object. The problem is that the same callback object can be assigned more than once, so when the File Picker window is closed the same object is destroyed several times.

To exploit the vulnerability, an attacker would need to cause multiple identical callback objects to be created under specific conditions. Once triggered, the bug can crash the application or, in the worst case, allow arbitrary code execution.
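The following is an added illustration, not Mozilla's code and not the actual fix shipped for CVE-2023-4575. It models the bug class the text describes: one callback object assigned to two owners, each of which tears it down on deactivation. The callback, parent and counter names are assumptions chosen for the model. Instead of freeing memory (which would be undefined behaviour on the second call), the callback counts how many times its teardown ran, so the double-destroy is observable. The hardened variant pairs shared, counted ownership with an idempotent teardown and detaches the member before calling into the callback, so the object is destroyed exactly once no matter how many owners deactivate.

```cpp
#include <memory>
#include <utility>
#include <cstdio>

// Hypothetical callback (assumption, not Mozilla's class). `destroyedCalls`
// records how many times teardown ran; a second call on the same object is
// the lifecycle error the advisory describes.
struct PickerCallback {
    int destroyedCalls = 0;
    void FilePickerParentDestroyed() { ++destroyedCalls; }
};

// Vulnerable model: a raw, non-owning pointer per parent. If the same callback
// is handed to two parents, each deactivation tears it down again.
struct VulnerableParent {
    PickerCallback* mCallback = nullptr;
    void OnFilePickerWindowDeactivated() {
        if (mCallback) {
            mCallback->FilePickerParentDestroyed();
            mCallback = nullptr;  // clears only this parent's pointer
        }
    }
};

// Hardened model: the callback knows whether it was already torn down.
struct SafePickerCallback {
    int destroyedCalls = 0;
    bool mDestroyed = false;
    void FilePickerParentDestroyed() {
        if (mDestroyed) return;  // idempotent: teardown never runs twice
        mDestroyed = true;
        ++destroyedCalls;
    }
};

struct HardenedParent {
    std::shared_ptr<SafePickerCallback> mCallback;  // counted ownership, RefPtr-like
    void OnFilePickerWindowDeactivated() {
        // Detach before calling out: the member is already null while the
        // callback runs, so a re-entrant deactivation cannot reach it again.
        if (auto cb = std::exchange(mCallback, nullptr)) {
            cb->FilePickerParentDestroyed();
        }  // `cb` releases its reference; memory is freed only by the last owner
    }
};

// Scenario from the text: one callback assigned to two parents, both deactivated.
// Returns how many times teardown ran on the single object.
int vulnerableTeardownCount() {
    PickerCallback cb;
    VulnerableParent a, b;
    a.mCallback = &cb;
    b.mCallback = &cb;
    a.OnFilePickerWindowDeactivated();
    b.OnFilePickerWindowDeactivated();  // second teardown of the same object
    return cb.destroyedCalls;           // 2: the double-destroy
}

int hardenedTeardownCount() {
    auto cb = std::make_shared<SafePickerCallback>();
    HardenedParent a, b;
    a.mCallback = cb;
    b.mCallback = cb;
    a.OnFilePickerWindowDeactivated();
    b.OnFilePickerWindowDeactivated();  // no-op: already torn down, still alive
    return cb->destroyedCalls;          // 1
}

// After both parents let go, only the local handle still owns the object.
long hardenedRemainingOwners() {
    auto cb = std::make_shared<SafePickerCallback>();
    HardenedParent a, b;
    a.mCallback = cb;
    b.mCallback = cb;
    a.OnFilePickerWindowDeactivated();
    b.OnFilePickerWindowDeactivated();
    return cb.use_count();  // 1
}

int main() {
    std::printf("vulnerable model tore down the callback %d times\n", vulnerableTeardownCount());
    std::printf("hardened model tore down the callback %d times\n", hardenedTeardownCount());
    std::printf("owners left after deactivation: %ld\n", hardenedRemainingOwners());
    return 0;
}
```

The two defensive pieces are independent: counted ownership alone would still run FilePickerParentDestroyed() twice, and the idempotent flag alone would not stop a raw pointer from dangling once the real object is freed; together they make the teardown exactly-once and keep the object alive until the last owner releases it.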

Original References

- Mozilla Advisory
- Firefox ESR Advisory
- Thunderbird Advisory

Recommendations

Users are advised to update their Firefox and Thunderbird installations to the latest version as soon as possible. The latest release includes a fix for this vulnerability and protects against attempts to exploit it.

Conclusion

CVE-2023-4575 exposes users to memory corruption and potentially exploitable crashes when using the File Picker window in affected Firefox and Thunderbird versions. Users should update their software as soon as possible to protect against this threat. By following security advisories and applying the necessary patches, users can keep their browsing and email environment safe.

Timeline

Published on: 09/11/2023 09:15:00 UTC
Last modified on: 09/13/2023 11:15:00 UTC