CVE-2023-5173 - How a Firefox Non-Default Setting Opened the Door to Privileged Memory Corruption

In September 2023, Mozilla patched a critical vulnerability in Firefox—CVE-2023-5173—that could allow attackers to corrupt memory in privileged processes. This security bug wasn’t in the default setup, but it could affect those who changed a particular network setting: network.http.altsvc.oe. In this article, we’ll break down this CVE in plain language, show you what went wrong, and explain how an attacker might have exploited it.

What’s CVE-2023-5173?

This vulnerability is an integer overflow leading to a potential out-of-bounds write in Firefox. In simple terms, due to incorrect handling of certain network traffic, it was possible (with the right configuration) for less-privileged code—like a script on a random webpage—to write arbitrary data somewhere it really shouldn’t be allowed: directly into the memory of a highly-privileged Firefox process.

> Important: This bug only exists if you (or an app or administrator) manually turned on the advanced network.http.altsvc.oe setting.

Affected versions:
* Firefox versions older than 118 (before September 2023).

References

- Mozilla Security Advisory 2023-35
- Mozilla Bug Report #1840812
- NIST NVD Entry

What is network.http.altsvc.oe?

This is a hidden (“about:config”) preference for Firefox’s HTTP protocol stack. It lets Firefox connect to web servers using “Alternate Services” over plain HTTP, not just HTTPS. By default, this is off for security, as plain HTTP is vulnerable to many attacks. Some advanced users or organizations, however, might enable it for testing or legacy reasons.

Integer Overflow

Firefox is tricked into calculating the wrong array or buffer size (usually too small or negative, but treated as a very large positive number when stored in memory).

Out-of-Bounds Write

Using the incorrect size, Firefox writes incoming data past the end of a buffer in a privileged process. This is severe: it could overwrite sensitive data or execute malicious code at a higher privilege level than normal webpage code.

Attack Vector

Attackers could craft network traffic (or just use a normal websocket from JavaScript!) to send maliciously formatted Alternate Service frames when the network.http.altsvc.oe is enabled—even from a sandboxed webpage.

Example Code Walkthrough

Here’s a simplified version of what goes wrong (note: this is an *illustrative* code snippet, not the actual Firefox source):

// Pseudocode for affected logic:
int frameLen = ReadFrameLengthFromNetwork(); // controlled by attacker

// Integer overflow if frameLen is too large/small:
char* buffer = new char[frameLen];

ReadDataIntoBuffer(buffer, frameLen); // Overwrites priv. memory if frameLen is wrong

If frameLen is a negative number (from the network), creating the buffer might wrap around and allocate very little memory (or even fail to allocate). But the next read operation will write as many bytes as the attacker claimed—right over the boundary of the real buffer!

What should have happened:

if (frameLen <  || frameLen > MAX_REASONABLE_SIZE) {
    // Reject & close connection
    return;
}
char* buffer = new char[frameLen];
...

Memory corruption!

This could crash the browser or, in a worst-case scenario, allow code execution with escalated privileges.

PoC Sketch (Proof-of-Concept, Not Real Attack Code)

Suppose the user runs Firefox with the dangerous toggle on. The attacker crafts a webserver that serves HTTP/1.1 responses with evil alternate service headers:

HTTP/1.1 200 OK
Alt-Svc: h2="malicious.com:443"; ma=99999999; (oversized or negative length)
...

JavaScript on the attacker’s page initiates a fetch or websocket connection—meanwhile, the server provides these oversized headers, triggering the vulnerable code.

Why care if it’s not on by default?

- It’s common for advanced users, enterprise setups, or even accidental config changes to enable odd settings.

How Was It Fixed?

Mozilla quickly patched the bug by validating the size of incoming frames and rejecting anything suspicious before touching memory.

- Firefox security fix in version 118

Recommendations

- Upgrade Firefox: If you ever enabled network.http.altsvc.oe, update to Firefox 118 or above *right now*.
- Check Configuration: Visit about:config and make sure network.http.altsvc.oe is set to false.
- Do Not Enable Non-Default Settings unless you understand the risks—especially around network protocols and encryption.

References

- Mozilla Security Advisory 2023-35
- NVD Description
- Mozilla Bug #1840812
- Firefox Release Notes 118

Conclusion

CVE-2023-5173 is an excellent reminder: power-user settings in browsers come with real risks. With the right network traffic and a simple config toggle, attackers could jump outside their web sandbox and threaten your browser's integrity. Always keep your browser updated, and think twice before fiddling with hidden settings—security is in the defaults!

Timeline

Published on: 09/27/2023 15:19:42 UTC
Last modified on: 09/29/2023 13:34:59 UTC