CVE-2020-26950
Published: 2020-12-09
Priority: P2 (67), high; CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public
EPSS: 42.60% (98.5th percentile)
In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 82.0.3-1 (sid) | firefox 82.0.3-1 (sid) |
| debian | firefox-esr | < firefox 82.0.3-1 (sid) | firefox 82.0.3-1 (sid) |
| debian | thunderbird | < firefox 82.0.3-1 (sid) | firefox 82.0.3-1 (sid) |
| mozilla | firefox | < 82.0.3 | 82.0.3 |
| mozilla | firefox | — | — |
| mozilla | firefox_esr | < 78.4.1 | 78.4.1 |
| mozilla | thunderbird | < 78.4.2 | 78.4.2 |
| mozilla | thunderbird | >= 0 < 1:78.4.2-1 | 1:78.4.2-1 |
| mozilla | thunderbird | >= 0 < 1:78.4.2-1 | 1:78.4.2-1 |
| mozilla | thunderbird | >= 0 < 1:78.4.2-1 | 1:78.4.2-1 |
| mozilla | thunderbird | >= 0 < 1:78.4.2-1 | 1:78.4.2-1 |
Detection & IOCs (extracted from sources)
- Exploit technique involves spraying ArgumentsData structures to construct read/write/addrof primitives; unusual high-volume allocation of arguments objects in JIT-compiled functions may indicate exploitation.
- Shellcode is embedded as floating-point constants in a JIT-sprayed function; the marker constant 0x41414141 (5.40900888e-315) is used to locate the shellcode start in the RX region. Scan JIT memory regions for this byte pattern.
- Code execution is achieved by overwriting the JSFunction.u.native.extra.jitInfo_ pointer (at offset +0x30 from the function object) to redirect execution to attacker-controlled JIT-sprayed shellcode constants.
- Exploit requires Firefox to be launched with MOZ_DISABLE_CONTENT_SANDBOX set; detection of this environment variable in Firefox process launch arguments is a strong indicator of sandbox-disabled exploitation.
- Metasploit module 'exploits/multi/browser/firefox_jit_use_after_free' targets Firefox <= 79; detection of this module's network traffic or process behavior can identify active exploitation attempts.
- The exploit does NOT include a sandbox escape; it only works when the Firefox content sandbox is disabled via MOZ_DISABLE_CONTENT_SANDBOX. Sandboxed Firefox instances are not directly exploitable by this PoC.
- The vulnerable IonMonkey JIT engine was deprecated within a month of the vulnerability's discovery in favour of WarpMonkey, limiting the affected version window to Firefox <= 82.0.2 / ESR <= 78.4.0 / Thunderbird <= 78.4.1.
- The Metasploit module only supports Firefox <= 79 as a tested target; additional engineering effort is required to reliably exploit Firefox 82.0.x builds.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-cp22-2989-32j9: In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition
ghsa_unreviewed · 2022-05-24 · CVE-2020-26950 · HIGH · CWE-416
OSV
CVE-2020-26950: In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition
osv · 2020-12-09 · CVSS 8.8 · HIGH
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2020-11-25 · CVE-2020-16012
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across origins, bypass security restrictions, conduct phishing attacks, conduct cross-site scripting (XSS) attacks, bypass Content Security Policy (CSP) restrictions, conduct DNS rebinding attacks, or execute arbitrary code.
Instructions: After a standard system update you need to restart Thunderbird to make all the necessary changes.
Ubuntu
Firefox vulnerability
vendor_ubuntu · 2020-11-10 · CVE-2020-26950
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
A use-after-free was discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit this to execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make all the necessary changes.
Red Hat
Mozilla: Write side effects in MCallGetProperty opcode not accounted for
vendor_redhat · 2020-11-09 · CVSS 8.8 · CVE-2020-26950 · HIGH · CWE-416
Package: firefox (Red Hat Enterprise Linux 5) - Out of support scope
Package: thunderbird (Red Hat Enterprise Linux 5) - Out of support scope
Debian
CVE-2020-26950: firefox - In certain circumstances, the MCallGetProperty opcode can be emitted with unmet ...
vendor_debian · 2020 · CVSS 8.8 · HIGH
Scope: local
sid: resolved (fixed in 82.0.3-1)
Mozilla
Mozilla Foundation Security Advisory 2020-49: CVE-2020-26950
vendor_mozilla · CVSS 8.8 · HIGH
CVE: CVE-2020-26950
Product: Firefox, Firefox ESR, Thunderbird
Impact: critical
Fixed in:
- Firefox 82.0.3
- Firefox ESR 78.4.1
- Thunderbird 78.4.2
No detection rules found.
Sentinelone
Firefox JIT Use-After-Frees | Exploiting CVE-2020-26950
blogs_sentinelone · 2022-02-03 · CVSS 8.8 · HIGH
## Executive Summary
- SentinelLabs worked on examining and exploiting a previously patched vulnerability in the Firefox just-in-time (JIT) engine, enabling a greater understanding of the ways in which this class of vulnerability can be used by an attacker.
- In the process, we identified unique ways of constructing exploit primitives by using function arguments to show how a creative attacker can utilize parts of their target not seen in previous exploits to obtain code execution.
- Additionally, we worked on developing a CodeQL query to identify whether there were any similar vulnerabilities that shared this pattern.
## Contents
- Introduction
- Just-in-Time (JIT) Engines
- Redundancy Elimination
- IonMonkey 101
- The Vulnerability
- Lazy Properties
- Variant Analysis
- Triggering the
References
- http://packetstormsecurity.com/files/166175/Firefox-MCallGetProperty-Write-Side-Effects-Use-After-Free.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1675905
- https://www.mozilla.org/security/advisories/mfsa2020-49/