CVE-2019-17026 PoC — Mozilla Firefox, Firefox ESR and Thunderbird IonMonkey JIT compiler security vulnerability

Source
Associated Vulnerability
Title: Mozilla Firefox, Firefox ESR and Thunderbird IonMonkey JIT compiler security vulnerability (CVE-2019-17026)
Description: Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.
Description
An exploit for CVE-2019-17026. It pops xcalc and was tested on Ubuntu (x64).
Readme
# CVE-2019-17026 - A Firefox JIT bug

- Original bug caught in the wild by [Qihoo 360](https://blogs.360.cn/post/apt-c-06_0day.html).
- Exploit written by [maxpl0it](https://twitter.com/maxpl0it).
- Works on Firefox < 72.0.1

This is an exploit for CVE-2019-17026:
*IonMonkey type confusion with StoreElementHole and FallibleStoreElement*

This exploit does not use a sandbox escape, so for testing, the *security.sandbox.content.level* attribute in *about:config* needs to be set to 0. It should be possible to chain this with [CVE-2020-0674](https://github.com/maxpl0it/CVE-2020-0674-Exploit) via [PAC](https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html) to get a sandbox escape on Windows.

The writeup for this vulnerability and the steps taken to exploit it can be found [here](https://labs.f-secure.com/blog/exploiting-cve-2019-17026-a-firefox-jit-bug/).
