SSD Advisory – Firefox Sandbox Infoleak From Uninitialized Handle In CrossCall
Vulnerability summary The crosscall FilesystemDispatcher::NtOpenFile can leak an uninitialized handle value to a renderer due to an incorrect return value in FileSystemPolicy::OpenFileAction. The crosscall NtOpenKey seems to also suffer from the exact same bug. In this advisory, we show how to leak a function pointer stored in the broker’s stack (corresponding, in this case, to …
SSD Advisory – Firefox Sandbox Infoleak From Uninitialized Handle In CrossCall Read More »
