Mozilla offers rewards for Bypassing Firefox Exploit Mitigations

Pierluigi Paganini August 21, 2020

Mozilla has expanded its bug bounty program including rewards for bypass methods for the exploit mitigations and security features in Firefox.

Mozilla announced this week that it has expanded its bug bounty program with a new category that focuses on bypass methods for the exploit mitigations, security features, and defense-in-depth measures implemented in the Firefox browser.

In the past, Mozilla classified mitigation bypasses as low- or moderate-severity issues, but now the organization is going to include them in a specific category of bugs eligible for a reward.

The initiative is part of the new Exploit Mitigation Bug Bounty initiative.

“Within Firefox, we have introduced vital security features, exploit mitigations, and defense in depth measures. If you are able to bypass one of these measures, even if you are operating from privileged access within the browser, you are eligible for a bounty.” reads the announcement published by Mozilla.

A mitigation bypass achieved with privileged access can be paid up to $5,000 when a high-quality report is submitted.

Mozilla explained that if the mitigation is bypassed without privileged access, for example by chaining more than one vulnerability, the researchers will receive the reward for the vulnerability plus a 50 percent bonus for the mitigation bypass.

The payout for valid, potentially exploitable client security flaws rated critical or high will range between $3,000 and $10,000 (USD). The bounty depends on the impact of the flaw and the quality of the report provided by the researchers.

“The bounty program encourages the earliest possible reporting of potentially exploitable bugs. A bounty is not determined based on the initial submission, but rather on the outcome of the discussion with developers.” continues the announcement. “Improving test cases post-submission, figuring out if an engineer’s speculation is founded or not, or other assistance that helps resolve the issue will increase your bounty payout.”

Mozilla continues to encourage researchers to report vulnerabilities in Firefox Nightly, the testing and development version of the browser.

Below is the list of the mitigations covered by the Exploit Mitigation Bug Bounty, as given in the announcement:

The mitigations we consider in scope for this bounty are:

  • We separate strings and ArrayBuffers into separate memory arenas from DOM Nodes. A bypass would be arbitrary control of memory layout in the same jemalloc arena as DOM nodes (i.e. full vtable overlayment).
  • We sanitize HTML fragments before using them in privileged contexts. A bypass would be (i) finding a location we should be sanitizing (because it has attacker-controlled data) but aren’t or (ii) bypassing the HTML sanitizer with something that could execute JS in Firefox.
  • We disallow eval() from being used in the System Principal context or the Parent Process. A bypass would be identifying a location where we still use eval that isn’t explicitly being allowed, or how to abuse a location that is allowed.
  • We apply a strong Content Security Policy to all internal about: pages, e.g. about:addons (and double-check we don’t forget). A bypass would be identifying a way to run scripts or inject meaningful content bypassing the CSP of any about: page, excluding already-filed issues.
  • We prevent anything except chrome://, resource:// and about: pages from loading in the parent process. A bypass would be showing a way an attacker-controlled page could be loaded, either by bypassing the checks in that function, or finding a place it is not correctly checked. We have an analogous check for preventing loads in the System Principal Context as well. (Note that Fission has recently caused refactoring to this function, but this mitigation is still in-scope with Fission disabled or enabled with (only) the fission.autostart pref.)
  • We do not allow attacker-controlled JavaScript to run in the Parent Process – whether delivered from the internet or provided from a compromised content process. A bypass would be finding a way to execute JavaScript of your control in the parent process through any mechanism except PAC scripts.
  • In Bugs 1479960, 1550900, and 1550037 we added support for sharing memory from the parent to child processes where the child process cannot modify the memory, but the parent can. A bypass would be finding a way to modify the memory from the child process.
  • The Firefox UI is written in HTML/JavaScript, which means Firefox runs certain scripts with elevated privileges beyond what is ordinarily available to web content. To prevent privilege escalation attacks, Gecko implements a capability-based script security architecture (primarily implemented in js/xpconnect/wrappers), including special Xray Wrappers which prevent lesser-privileged JavaScript from confusing higher-privileged or differently-privileged JavaScript when scripts interact across privilege boundaries. A bypass would be identifying a plausible exploitation scenario that occurs due to missing or incomplete sanitizing across compartments. A scenario is more likely to be considered “plausible” if it was the source of a past bug or is a code pattern we do elsewhere in-tree (the dependencies of bug 929539 show some examples which we previously worked to eliminate).

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)
