cbcvebase.
CVE-2019-11708
published 2019-07-23


Priority: P1 (91)
Severity: Critical, CVSS 3.1 base score 10.0
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
CISA KEV: listed, remediation due 2022-06-13; exploited in the wild
EPSS: 55.87% (98.9th percentile)
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.

Affected

15 ranges as listed by the source (four identical thunderbird rows collapsed into one)

Vendor    Product       Version range                                 Fixed in
debian    firefox       < firefox 67.0.4-1 (sid)                      firefox 67.0.4-1 (sid)
debian    firefox-esr   < firefox 67.0.4-1 (sid)                      firefox 67.0.4-1 (sid)
debian    thunderbird   < firefox 67.0.4-1 (sid)                      firefox 67.0.4-1 (sid)
mozilla   firefox       < 60.7.2                                      60.7.2
mozilla   firefox       < 67.0.4                                      67.0.4
mozilla   firefox       >= unspecified, < 67.0.4                      67.0.4
mozilla   firefox_esr   >= unspecified, < 60.7.2                      60.7.2
mozilla   thunderbird   < 60.7.2                                      60.7.2
mozilla   thunderbird   >= 0, < 1:60.7.2-1                            1:60.7.2-1
mozilla   thunderbird   >= 0, < 1:60.7.2+build2-0ubuntu0.16.04.1      1:60.7.2+build2-0ubuntu0.16.04.1
mozilla   thunderbird   >= 0, < 1:60.7.2+build2-0ubuntu0.18.04.1      1:60.7.2+build2-0ubuntu0.18.04.1
mozilla   thunderbird   >= unspecified, < 60.7.2                      60.7.2

Note: the "1:60.7.2-1" and "1:60.7.2+build2-0ubuntu0.16.04.1 / 18.04.1" strings are Debian and Ubuntu package versions (epoch 1, distribution build suffix), not upstream Mozilla releases, even though the source attributes them to vendor mozilla; likewise all three debian rows name the firefox package. The upstream fix line is the advisory text above: Firefox 67.0.4, Firefox ESR 60.7.2, Thunderbird 60.7.2. When checking a distribution package, compare against the distribution's own fixed version, not the upstream one.

Detection & IOCs (extracted from sources)

command:  frameMM.sendSyncMessage('Prompt:Open', { uri: Uri })
other:    xul!sAutomationPrefIsSet, offset 0x051c0f13
other:    xul!disabledForTest, offset 0x05171cd8
version:  Firefox < 67.0.4
bytes:    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88

  • Monitor for unsolicited or attacker-crafted 'Prompt:Open' IPC messages sent from a Firefox child/content process to the parent process, particularly those carrying unexpected or attacker-controlled URI values.
  • The exploit uses GetContentFrameMessageManager to obtain the frame message manager and then calls sendSyncMessage with 'Prompt:Open'; JavaScript instrumentation or browser telemetry that observes sendSyncMessage calls with 'Prompt:Open' originating from content scripts is a strong indicator of exploitation.
  • The exploit uses Components.utils.import and Cu.evalInSandbox with a System Principal sandbox to escalate privileges within the browser; monitor for content-process use of Components.utils with the system principal.
  • The exploit patches xul.dll in memory at known offsets for sAutomationPrefIsSet (0x051c0f13) and disabledForTest (0x05171cd8) to achieve 'god mode'; memory integrity monitoring of xul.dll at these offsets can detect exploitation of this specific build.
  • The egg-hunter shellcode in the exploit is prefixed with the magic QWORD bytes 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88; scanning process memory or network traffic for this byte sequence can identify the exploit payload. An eight-byte constant is trivial to change, so this matches the published sample rather than the technique.
  • The exploit requires the Firefox content sandbox level to be lowered from the default 5 to 2 or lower for the standalone CVE-2019-11707 payload to execute arbitrary shellcode; CVE-2019-11708 is required for a full sandbox escape at the default sandbox settings.
  • The xul.dll offsets used for 'god mode' patching (sAutomationPrefIsSet: 0x051c0f13, disabledForTest: 0x05171cd8) are version-specific and will differ across Firefox builds; these values apply to the specific version targeted by exploit EDB-47752.
  • CVE-2019-11708 is a sandbox escape that requires a separate initial compromise of the child/content process (e.g., via CVE-2019-11707); it cannot be exploited standalone without first achieving code execution in the sandboxed content process.
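The following is an added example, not code from this page or from the exploit author, that turns the three kinds of indicator above into offline checks: a scan of a memory dump (or captured traffic) for the egg-hunter marker bytes, a scan of content-process JavaScript for the 'Prompt:Open' sendSyncMessage call and the chrome-module import / evalInSandbox pattern, and a version check against the fixed releases named in the advisory. The regexes, function names and the sample memory blob and script are this example's own constructions; only the marker bytes and the fixed versions come from the page.

```python
"""Offline checks for the CVE-2019-11708 indicators listed above.

Added example; the sample inputs below are constructed, not real captures.
"""
import re
from typing import List, Tuple

# Egg-hunter marker from the IOC list: 0x11 0x22 ... 0x88. An exploit that stores
# it as the little-endian QWORD 0x8877665544332211 leaves exactly this byte order
# in memory, so the search is for the raw sequence.
EGG_MARKER = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88])

# Fixed versions from the advisory text. Firefox 60.x is the ESR line.
FIXED = {
    "firefox": (67, 0, 4),
    "firefox_esr": (60, 7, 2),
    "thunderbird": (60, 7, 2),
}

# Script-level indicators from the IOC list (patterns are this example's own).
SCRIPT_PATTERNS = {
    "prompt_open_ipc": re.compile(r"""sendSyncMessage\s*\(\s*['"]Prompt:Open['"]"""),
    "eval_in_sandbox": re.compile(r"""evalInSandbox\s*\("""),
    "chrome_module_import": re.compile(r"""\b(?:Components\.utils|Cu)\.import\s*\("""),
}


def find_egg_marker(buf: bytes) -> List[int]:
    """Return every offset at which the marker occurs in buf (overlaps included)."""
    hits, start = [], 0
    while True:
        i = buf.find(EGG_MARKER, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan_script(text: str) -> List[str]:
    """Return the names of the script indicators matched in content-process JS."""
    return [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(text)]


def parse_version(v: str) -> Tuple[int, ...]:
    """'60.7.1esr' -> (60, 7, 1); padded to three parts so tuple comparison is safe."""
    core = v.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the upstream product/version is below the fixed release for its line."""
    v = parse_version(version)
    if product == "thunderbird":
        return v < FIXED["thunderbird"]
    if product == "firefox":
        # 60.x is the ESR line whether or not the string carries an 'esr' suffix;
        # later ESR lines (68esr and up) already contain the fix.
        esr = v[0] == 60 or version.strip().lower().endswith("esr")
        return v < FIXED["firefox_esr" if esr else "firefox"]
    raise ValueError(f"unknown product {product!r}")


# Constructed sample inputs (not real captures).
SAMPLE_SCRIPT = """
// constructed sample; frameMM stands for the message manager the IOC list describes
frameMM.sendSyncMessage('Prompt:Open', { uri: Uri });
Components.utils.import("resource://gre/modules/Services.jsm");
"""
SAMPLE_MEMORY = (
    b"\x90" * 40 + EGG_MARKER + b"\xcc" * 16 + b"\x00" * 20 + EGG_MARKER + b"\xc3"
)

if __name__ == "__main__":
    print("marker offsets:", find_egg_marker(SAMPLE_MEMORY))   # [40, 84]
    print("script indicators:", scan_script(SAMPLE_SCRIPT))
    for prod, ver in [("firefox", "67.0.3"), ("firefox", "67.0.4"),
                      ("firefox", "60.7.1esr"), ("thunderbird", "60.7.2")]:
        print(prod, ver, "vulnerable" if is_vulnerable(prod, ver) else "fixed")
```

The version check deliberately covers only upstream Mozilla version strings; distribution packages such as Debian's 1:60.7.2-1 carry their own epoch and build suffix and should be compared against the distribution's fixed version instead.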

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd             v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                      10.0   CRITICAL
vulncheck                10.0   CRITICAL
cisa                     10.0   CRITICAL
vendor_debian            10.0   CRITICAL
vendor_redhat            10.0   CRITICAL
vendor_ubuntu            8.8    HIGH