Full Report
In part one, the author used a prototype pollution vulnerability to compromise the renderer process. In part two, they use a second prototype pollution vulnerability, this time triggered from the already compromised renderer. The sandboxed renderer process has various interfaces for communicating with the privileged chrome (parent) process, and some of them are reachable directly from JavaScript. One of these interfaces is NotificationDB, which is implemented almost entirely in JavaScript itself. The handler for the Notification:Save message calls into taskSave(), which takes the origin and notification fields from the message and performs a write of the form this.notifications[origin][notification.id] = notification;

If origin is set to __proto__, the first index resolves to Object.prototype, so notification.id becomes a property name on Object.prototype and the rest of the notification is the value written there. Every object in the parent process that lacks an own property of that name now inherits the attacker's value. This is not limited to NotificationDB.jsm either; it affects every JavaScript module running with chrome privileges.

In the TabAttributes.jsm module, there is code that walks an object called data with a for...in loop. Conveniently for an attacker, for...in also enumerates inherited enumerable properties, so it visits whatever has been planted on Object.prototype. Through this code it is possible to set arbitrary attributes on a tab element (XUL, in this case). There are a few ways to reach it; the most convenient is to crash the tab, because the tab's saved attributes are re-applied when it is automatically restored, and the polluted entry is applied along with them.

XUL elements accept inline event handler attributes, so an onunderflow attribute whose value is JavaScript installs a handler that runs inside the chrome process once the event fires. Since this is the highly privileged parent process, full compromise from there is fairly trivial. To start with, the exploit sets the preference security.sandbox.content.level to 0 so that future content processes start without a sandbox. It then opens a new tab and launches C:\Windows\System32\cmd.exe to execute arbitrary commands. Game over at this point.
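The two pieces of parent-process code described above, the NotificationDB write and the TabAttributes for...in sink, modelled together so the pollution and its gadget can be run in Node. This is an added example, not code from the write-up or from Mozilla; it also illustrates the write discussed under Vulnerability Description below. The class and function names, the truthiness guard in the vulnerable store, the stand-in tab object and the Map-based hardening are all assumptions of this model, and the hardened variants are mine, not the shipped fix.

```javascript
// Added example, not code from the write-up or from Mozilla: a stripped-down
// model of the two parent-process pieces described above, so the pollution
// and the for...in sink can be exercised together in Node.

// Model of NotificationDB's store (assumed shape; keeps only the write that matters).
class VulnerableNotificationStore {
  constructor() {
    // A plain object: indexing it with "__proto__" yields Object.prototype.
    this.notifications = {};
  }

  // origin and notification come straight from the content-process message.
  save(origin, notification) {
    // A truthiness guard like this (assumed here) does not help: Object.prototype
    // is truthy, so the branch is skipped and the next line writes into the prototype.
    if (!this.notifications[origin]) {
      this.notifications[origin] = {};
    }
    this.notifications[origin][notification.id] = notification;
  }
}

// Hardened variant (my own, not Mozilla's fix): Map keys never touch the
// prototype chain, and both indices must be strings.
class HardenedNotificationStore {
  constructor() {
    this.notifications = new Map();
  }

  save(origin, notification) {
    if (typeof origin !== "string" || typeof notification.id !== "string") {
      throw new TypeError("origin and notification.id must be strings");
    }
    let perOrigin = this.notifications.get(origin);
    if (!perOrigin) {
      perOrigin = new Map();
      this.notifications.set(origin, perOrigin);
    }
    perOrigin.set(notification.id, notification);
  }
}

// Minimal stand-in for a XUL <tab>; attributes live in a Map so the model
// itself cannot be polluted.
function makeTab() {
  return { attrs: new Map(), setAttribute(name, value) { this.attrs.set(name, value); } };
}

// Model of the TabAttributes sink: for...in enumerates inherited enumerable
// properties too, so anything planted on Object.prototype is applied as well.
function applyTabAttributesVulnerable(tab, data) {
  for (const name in data) {
    tab.setAttribute(name, data[name]);
  }
}

// Hardened sink: Object.keys() returns own enumerable properties only.
function applyTabAttributesHardened(tab, data) {
  for (const name of Object.keys(data)) {
    tab.setAttribute(name, data[name]);
  }
}

// Runs the attack against both variants and reports what happened.
function demonstrate() {
  // Constructed attacker message: origin "__proto__", id naming a XUL
  // event-handler attribute. In this model the stored value is the whole
  // notification object; how the real exploit got a script string into the
  // attribute value is not reproduced here.
  const attackerOrigin = "__proto__";
  const attackerNotification = { id: "onunderflow", title: "x", body: "payload" };

  const vulnerable = new VulnerableNotificationStore();
  vulnerable.save(attackerOrigin, attackerNotification);
  const polluted = ({}).onunderflow === attackerNotification; // unrelated object inherits it

  const savedTabData = { label: "Restored tab" }; // what session restore would pass in
  const tab1 = makeTab();
  applyTabAttributesVulnerable(tab1, savedTabData);
  const sinkHit = tab1.attrs.has("onunderflow");

  const tab2 = makeTab();
  applyTabAttributesHardened(tab2, savedTabData);
  const hardenedSinkHit = tab2.attrs.has("onunderflow");

  delete Object.prototype.onunderflow; // undo the pollution before the second run

  const hardened = new HardenedNotificationStore();
  hardened.save(attackerOrigin, attackerNotification);
  const hardenedPolluted = ({}).onunderflow !== undefined;

  return { polluted, sinkHit, hardenedSinkHit, hardenedPolluted };
}

console.log(demonstrate());
```

Run with node; demonstrate() returns polluted and sinkHit as true for the vulnerable pair and hardenedSinkHit and hardenedPolluted as false. Object.create(null) for the store, or a hasOwnProperty check inside the loop, would serve the same purpose as the Map and Object.keys() used here; blocking the literal key "__proto__" alone is a more fragile fix than a container whose keys never reach the prototype chain.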
Every language seems to have its own security drawbacks: C has memory corruption, JavaScript has prototype pollution. Overall, a fascinating series on compromising the browser through a logic bug in memory-safe code.
Analysis Summary
# Vulnerability: Firefox Sandbox Escape via NotificationDB Prototype Pollution
## CVE Details
- **CVE ID:** CVE-2022-1529
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes - 'Prototype Pollution')
## Affected Systems
- **Products:** Mozilla Firefox, Firefox ESR, and Thunderbird.
- **Versions:** Affected versions prior to Firefox 100.0.2, Firefox ESR 91.9.1, and Thunderbird 91.9.1.
- **Configurations:** Systems where an attacker has already compromised the sandboxed Renderer process (e.g., via a separate vulnerability like CVE-2022-1802).
## Vulnerability Description
The flaw resides in the `NotificationDB.jsm` JavaScript module, which runs in the privileged chrome (parent) process. The handler for the `Notification:Save` message, sent by content processes, calls `taskSave()`.
`taskSave()` performs the assignment `this.notifications[origin][notification.id] = notification;`. Because `origin` and `notification.id` are taken from the renderer's message without validation, an attacker can set `origin` to `__proto__`. `this.notifications` is a plain object, so `this.notifications["__proto__"]` is `Object.prototype`, and the assignment writes the attacker's `notification` onto `Object.prototype` under the attacker-chosen key `notification.id`. Every object in the parent process that lacks an own property of that name now inherits the injected value, so the pollution reaches every JavaScript module in the privileged process and lets the attacker alter the logic of unrelated components.
## Exploitation
- **Status:** PoC available; demonstrated at Pwn2Own Vancouver 2022.
- **Complexity:** High (Requires a prior renderer compromise to send IPC messages).
- **Attack Vector:** Network (Remote exploit chain).
## Impact
- **Confidentiality:** High (Full access to browser data and system files).
- **Integrity:** High (Ability to execute arbitrary commands).
- **Availability:** High (Ability to crash the process or alter system state).
## Remediation
### Patches
- **Firefox 100.0.2 / 101:** Resolves the logic flaw in `NotificationDB`.
- **Firefox ESR 91.9.1:** Security update for extended support releases.
- **Thunderbird 91.9.1:** Security update for the email client.
### Workarounds
- No software workaround is provided. The flaw is in parent-process code that accepts messages from content processes, so updating to a patched version is the only way to break the exploit chain.
## Detection
- **Indicators of Compromise:**
- Sudden changes in Firefox security preferences, e.g. `security.sandbox.content.level` set to `0` (persisted as a `user_pref` line in the profile's `prefs.js`).
- Unusual child processes spawned by the Firefox parent process (e.g., `cmd.exe` or `/bin/sh`).
- **Detection Methods:** The practical host-level signals are process-tree monitoring (the Firefox parent process spawning a shell) and integrity monitoring of the profile's preference files. Anomalies in renderer-to-parent IPC, or unexpected inline event-handler attributes on XUL/HTML elements in the browser UI (chrome layer), require browser-internal instrumentation to observe.
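A check for the preference change listed above, as an added example that is not part of the original write-up. It parses a Firefox profile's `prefs.js`, which normally holds one `user_pref("name", value);` line per preference whose value differs from the built-in default, and flags a disabled content sandbox along with any other explicit `security.sandbox.*` setting. The `prefs.js` content embedded below is constructed for the example; the function names are mine.

```javascript
// Added example, not from the write-up: scan a Firefox profile's prefs.js for
// the sandbox preference the exploit flipped. prefs.js normally holds one
// user_pref("name", value); line per preference that differs from the default.
const SANDBOX_LEVEL_PREF = "security.sandbox.content.level";

// Constructed sample of a prefs.js file (not taken from a real profile).
const SAMPLE_PREFS_JS = [
  "// Mozilla User Preferences",
  "",
  "// DO NOT EDIT THIS FILE.",
  'user_pref("browser.startup.homepage", "https://example.test/");',
  'user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1652000000);',
  'user_pref("security.sandbox.content.level", 0);',
  'user_pref("security.sandbox.logging.enabled", true);',
].join("\n");

// user_pref("<name>", <value>);  The name is a double-quoted string literal and
// the value a string, number or boolean literal, all of which JSON.parse accepts.
const USER_PREF_RE = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+)\);\s*$/;

// Returns Map<prefName, value>; comment and blank lines are skipped.
function parseUserPrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = USER_PREF_RE.exec(line);
    if (!m) continue;
    let value;
    try {
      value = JSON.parse(m[2]);
    } catch {
      value = m[2]; // keep anything unusual verbatim rather than drop the line
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Flags a disabled content sandbox outright, and lists any other explicit
// security.sandbox.* entry: a user_pref line there means the value was
// changed from the default by someone or something.
function findSandboxWeakening(prefs) {
  const findings = [];
  if (prefs.get(SANDBOX_LEVEL_PREF) === 0) {
    findings.push({ pref: SANDBOX_LEVEL_PREF, value: 0, reason: "content process sandbox disabled" });
  }
  for (const [name, value] of prefs) {
    if (name.startsWith("security.sandbox.") && name !== SANDBOX_LEVEL_PREF) {
      findings.push({ pref: name, value, reason: "non-default sandbox preference" });
    }
  }
  return findings;
}

console.log(findSandboxWeakening(parseUserPrefs(SAMPLE_PREFS_JS)));
```

On the sample above this reports two findings: the disabled content sandbox and the explicit logging preference. To run it against a real profile, read the file with fs.readFileSync and pass its contents to parseUserPrefs; user.js in the same directory is worth the same check, since it is applied on every start.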
## References
- **Vendor Advisory:** [MFSA 2022-19](https://www.mozilla[.]org/en-US/security/advisories/mfsa2022-19/)
- **ZDI Advisory:** [ZDI-22-798](https://www.zerodayinitiative[.]com/advisories/ZDI-22-798/)
- **Technical Analysis:** [ZDI Blog - Attacking the Mozilla Firefox Sandbox](https://www.zerodayinitiative[.]com/blog/2022/8/23/but-you-told-me-you-were-safe-attacking-the-mozilla-firefox-sandbox-part-2)