Full Report
Browser exploitation is extremely complicated and difficult. Most of the bugs are memory corruption issues, and because of the large amount of sandboxing, multiple layers of exploitation are required. In this two-part series, ZDI goes through a Firefox browser compromise that uses prototype pollution rather than relying on memory corruption through and through. In the Firefox JavaScript engine, SpiderMonkey, large parts are implemented using built-in JavaScript. Interestingly, that code runs in the same context as the user's code. Prototype pollution is a vulnerability class in which the prototype object of a JavaScript value is modified so that operations behave in unintended ways.

When handling the top-level await feature, the function GatherAsyncParentCompletions is called. Within it, there is a call to array.push, which uses the prototype hierarchy. By setting a getter/setter on the prototype, we can trigger an external call to be made. Why does this matter? We get access to the module type in JavaScript! The SpiderMonkey code has some privileged function calls. By getting a reference to the module object via the pollution of the prototype, we trivially get memory corruption with out-of-bounds array writes. Aptly, there is no bounds check in the function named UnsafeSetReservedSlot().

To exploit this, the author goes through a few steps:
1. Create a new array object.
2. Set some of the properties of the object to force the allocation of a slot_ array.
3. Use the out-of-bounds write bug from above to corrupt the capacity of the array.
4. Use the array to read and write into the heap to corrupt all the things.

To get code execution, they wrote their shellcode as floating-point numbers in WebAssembly that were JITed. Now they can jump to this location to start a chain. There are some funny restrictions, like the same series of 8 bytes can't be used in a row. So they call VirtualProtect from their shellcode in order to circumvent the JIT W^X protection.
This compromises the renderer, but there is still much more to hack! The next post goes into the sandbox escape.
Analysis Summary
# Vulnerability: Firefox Prototype Pollution Leading to Renderer Memory Corruption
## CVE Details
- **CVE ID:** CVE-2022-1802
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-1327 (Binding to Untrusted Methods) / Prototype Pollution
## Affected Systems
- **Products:** Mozilla Firefox, Firefox ESR, and Thunderbird.
- **Versions:** Affected versions prior to Firefox 100.0.2, Firefox ESR 91.9.1, and Thunderbird 91.9.1.
- **Configurations:** Systems processing JavaScript modules utilizing "Top Level Await" features.
## Vulnerability Description
The flaw exists within the SpiderMonkey JavaScript engine's implementation of asynchronous modules. Specifically, the function `GatherAsyncParentCompletions` (implemented in JavaScript) uses a default empty array `execList = []` and populates it via `std_Array_push`.
Because this built-in code shares the same global context as user-supplied code, an attacker can pollute `Array.prototype` by defining a getter/setter for numerical properties (e.g., `0`). When the privileged built-in code attempts to push a module object into the array, the attacker’s setter is triggered, leaking an internal `Module` object to the untrusted script. This internal object exposes privileged methods—specifically `UnsafeSetReservedSlot`—which lacks bounds checking and allows for direct out-of-bounds (OOB) memory writes.
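The interception described above (and in the summary at the top of the page), as an added example in plain JavaScript that is not code from ZDI or Mozilla: `privilegedGather` stands in for the self-hosted routine, `hardenedGather` shows a write pattern that does not consult prototype setters, and `indexAccessorsOnArrayPrototype` checks for the indicator listed under Detection. All function names and the stand-in "internal" object are constructed assumptions.

```javascript
// Added example (not ZDI's or Mozilla's code): models why an accessor on
// Array.prototype intercepts a push into an empty array. Names are constructed.

// Stand-in for the privileged self-hosted routine: push one internal object
// into a fresh array (as GatherAsyncParentCompletions does with a Module).
function privilegedGather(internalObj) {
  const execList = [];
  execList.push(internalObj); // [[Set]] on key "0" walks the prototype chain
  return execList;
}

// Defensive counterpart: defining the element on the receiver itself
// (CreateDataProperty semantics) never invokes a setter found on a prototype.
function hardenedGather(internalObj) {
  const execList = [];
  Object.defineProperty(execList, execList.length, {
    value: internalObj, writable: true, enumerable: true, configurable: true,
  });
  return execList;
}

// Check for the indicator named in the report: own numeric-key accessor
// properties on Array.prototype, which ordinary page code never installs.
function indexAccessorsOnArrayPrototype() {
  return Object.getOwnPropertyNames(Array.prototype).filter((key) => {
    const d = Object.getOwnPropertyDescriptor(Array.prototype, key);
    return /^\d+$/.test(key) && ("get" in d || "set" in d);
  });
}

// Run `gather` with an accessor for key "0" on Array.prototype, then restore
// it. Reports whether the setter saw the internal object, whether the element
// actually landed in the array, and what the check above found meanwhile.
function runWithPollutedPrototype(gather) {
  let leaked = null;
  const internal = { note: "constructed stand-in for a Module object" };
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    get() { return undefined; }, set(v) { leaked = v; },
  });
  try {
    const detected = indexAccessorsOnArrayPrototype();
    const list = gather(internal);
    return { setterSaw: leaked === internal, stored: list[0] === internal, detected };
  } finally {
    delete Array.prototype["0"];
    Array.prototype.length = 0;
  }
}
```

With the accessor installed, the push-based routine hands the internal object to the setter and stores nothing in the array, while the defineProperty-based routine stores it and the setter never fires.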
## Exploitation
- **Status:** PoC available; demonstrated at Pwn2Own Vancouver 2022.
- **Complexity:** High (Requires bypassing JIT W^X protections and chaining multiple logical steps).
- **Attack Vector:** Network (Remote via malicious website).
## Impact
- **Confidentiality:** High (Full access to renderer process memory).
- **Integrity:** High (Arbitrary code execution within the sandboxed renderer).
- **Availability:** High (Can lead to application crashes or persistent control).
## Remediation
### Patches
- **Firefox:** Update to version 100.0.2 or later.
- **Firefox ESR:** Update to version 91.9.1 or later.
- **Thunderbird:** Update to version 91.9.1 or later.
### Workarounds
- No official functional workarounds; users should prioritize browser updates to mitigate the risk of remote execution.
## Detection
- **Indicators of Compromise:** Unusual manipulation of `Array.prototype` in web traffic; shellcode-like floating-point arrays in WebAssembly modules.
- **Detection methods:** Web Application Firewalls (WAF) can be configured to inspect for common prototype pollution patterns, though obfuscated JavaScript makes this difficult at the network level.
## References
- **Vendor Advisory:** [https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/](https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/)
- **ZDI Advisory:** [https://www.zerodayinitiative.com/advisories/ZDI-22-799/](https://www.zerodayinitiative.com/advisories/ZDI-22-799/)
- **Technical Analysis:** [https://www.zerodayinitiative.com/blog/2022/8/18/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-1](https://www.zerodayinitiative.com/blog/2022/8/18/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-renderer-part-1)