CVE-2005-2265
Published 2005-07-13
Priority: P3 · 37 · medium · CVSS 2.0 base score 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 68.10% (percentile 99.2)
Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.
Affected
Affected: 26 ranges (showing 25)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox (12 entries) | — | — |
| mozilla | mozilla (13 entries) | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by monitoring for JavaScript calls to InstallVersion.compareTo() with a non-string (object) argument, particularly in browser traffic. The Metasploit module uses a vuln_test check for the presence of InstallVersion in the browser context.
- Exploit HTML pages deliver a heap spray targeting address 0x0c0c0c0c (newer variant) or 0x12000000 (older variant) with a block size of 0x400000. Network signatures should look for large repeated unescape() blocks in HTML responses served to Firefox/Mozilla user-agents.
- The exploit page redirects the browser via javascript:void(new InstallVersion()) immediately on body load before triggering the compareTo() crash. Detecting this javascript: URI pattern in location.href assignments is a useful behavioral indicator.
- The exploit targets Firefox UA versions 1.0 through 1.7.10 on Windows (x86). Restrict or alert on requests from these specific Firefox/Mozilla user-agent version ranges.
- The server-side exploit module responds with Content-Type: text/html. Correlate this with the heap-spray JavaScript pattern (repeated unescape calls, InstallVersion references) to build a network detection signature.
- The older Metasploit variant (exploit-db 9947) uses a multi-address heap spray targeting 0x12000000, 0x11C0002C, 0x1200002C, and 0x1180002C, while the newer variant (exploit-db 16306) simplifies to a single ret address of 0x0c0c0c0c. Detection signatures should account for both spray address sets.
- The exploit payload space is limited to 400 bytes with null bytes as bad characters, which constrains shellcode options and may affect signature matching on payload content.
- Affected versions are Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2. Patched versions are not vulnerable; version-based detection should be scoped accordingly.
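The indicators above can be turned into a small response-body check. The following is an added example written for this page; it is not code from the CVE record, the vendor advisories, or the Metasploit module. It assumes the HTML body is already a decoded string, treats the two spray addresses as they would appear inside %u-encoded unescape() strings (little-endian 16-bit units, an assumption of this example), applies the 1.0 to 1.7.10 user-agent range exactly as the record states it, and uses constructed sample bodies and user-agent strings.

```python
"""Indicator scanner for CVE-2005-2265 (InstallVersion.compareTo) exploit pages.

Added example, not code from the CVE record or the Metasploit module. It
checks an HTML/JS response body for the indicators the record lists and
classifies a request's User-Agent against the declared target range.
All sample inputs at the bottom are constructed for this example.
"""
import re

# InstallVersion must be referenced somewhere: the crash needs that object.
INSTALLVERSION = re.compile(r"\bInstallVersion\b")
# A compareTo() call whose first argument does not start with a quote, i.e.
# is not a string literal (the record: an object instead of a string).
COMPARETO_NONSTRING = re.compile(r"\.compareTo\s*\(\s*(?![\"'])[^)\s]")
# javascript:void(new InstallVersion()) used as a navigation target.
JS_URI_INSTALLVERSION = re.compile(
    r"javascript:\s*void\s*\(\s*new\s+InstallVersion", re.IGNORECASE)
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(", re.IGNORECASE)
# The two spray addresses named in the record, written the way they would
# appear inside a %u-encoded unescape() string (little-endian 16-bit units).
# That encoding form is an assumption of this example.
SPRAY_MARKERS = ("%u0c0c%u0c0c", "%u0000%u1200")


def scan_html(body: str) -> dict:
    """Return raw indicator flags/counts for one decoded HTML response body."""
    lowered = body.lower()
    return {
        "installversion_present": bool(INSTALLVERSION.search(body)),
        "compareto_nonstring": bool(COMPARETO_NONSTRING.search(body)),
        "js_uri_installversion": bool(JS_URI_INSTALLVERSION.search(body)),
        "unescape_calls": len(UNESCAPE_CALL.findall(body)),
        "spray_marker": any(m in lowered for m in SPRAY_MARKERS),
    }


def detect(body: str, unescape_threshold: int = 8) -> list:
    """Combine the raw indicators into named findings (empty list = clean)."""
    r = scan_html(body)
    findings = []
    if r["installversion_present"] and r["compareto_nonstring"]:
        findings.append("compareTo-non-string-argument")
    if r["js_uri_installversion"]:
        findings.append("javascript-uri-InstallVersion")
    if r["unescape_calls"] >= unescape_threshold and r["spray_marker"]:
        findings.append("heap-spray-pattern")
    return findings


UA_FIREFOX = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
UA_GECKO_RV = re.compile(r"rv:(\d+(?:\.\d+)*)")


def ua_version(user_agent: str):
    """Version tuple from a Firefox/ token, else the Gecko rv: token, else None."""
    for pattern in (UA_FIREFOX, UA_GECKO_RV):
        m = pattern.search(user_agent or "")
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None


def ua_in_target_range(user_agent: str) -> bool:
    """True if the UA version falls in the 1.0 .. 1.7.10 range the record lists.

    That range is the Metasploit module's declared target list, which is
    coarser than the fixed-version list (Firefox 1.0.5 / Mozilla 1.7.9).
    """
    v = ua_version(user_agent)
    return v is not None and (1, 0) <= v <= (1, 7, 10)


# Constructed sample bodies (not captured traffic).
BENIGN_HTML = """<html><body><script>
var v = new InstallVersion();
v.init("1.0.4");
if (v.compareTo("1.0.5") < 0) { document.write("update available"); }
</script></body></html>"""

SUSPICIOUS_HTML = (
    "<html><body onload=\"location.href='javascript:void(new InstallVersion())'\">\n"
    "<script>\n"
    + "var chunk = unescape('%u0c0c%u0c0c');\n" * 10
    + "var v = new InstallVersion();\nv.compareTo(chunk);\n</script></body></html>"
)

# Constructed user-agent strings.
UA_OLD = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
UA_NEW = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, detect(body))
    print("old UA in range:", ua_in_target_range(UA_OLD))
    print("new UA in range:", ua_in_target_range(UA_NEW))
```

The benign body calls compareTo() with a string literal and produces no finding even though InstallVersion is referenced, which is the point of requiring a non-string argument rather than alerting on the object name alone; the user-agent check is kept separate so it can be used to scope alerts without suppressing body findings for clients outside the declared range.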
CVSS provenance
- nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
- vendor_redhat · 5.0 MEDIUM
GHSA
GHSA-5pgg-4c5c-9j5p: Firefox before 1 (ghsa_unreviewed · 2022-05-01 · CVE-2005-2265 · MEDIUM)
Ubuntu
Mozilla Thunderbird vulnerabilities (vendor_ubuntu · 2005-08-01 · CVE-2005-2353)

Vladimir V. Perepelitsa discovered a bug in Thunderbird's handling of anonymous functions during regular expression string replacement. A malicious HTML email could exploit this to capture a random block of client memory. (CAN-2005-0989)

Georgi Guninski discovered that the types of certain XPInstall related JavaScript objects were not sufficiently validated when they were called. This could be exploited by malicious HTML email content to crash Thunderbird or even execute arbitrary code with the privileges of the user. (CAN-2005-1159)

Thunderbird did not properly verify the values of XML DOM nodes. By tricking the user to perform a common action like clicking on a link or opening the context menu, a
Ubuntu
Ubuntu 4.10 update for Firefox vulnerabilities (vendor_ubuntu · 2005-07-28 · CVE-2004-1156)

USN-149-1 fixed some vulnerabilities in the Ubuntu 5.04 (Hoary Hedgehog) version of Firefox. The version shipped with Ubuntu 4.10 (Warty Warthog) is also vulnerable to these flaws, so it needs to be upgraded as well. Please see http://www.ubuntulinux.org/support/documentation/usn/usn-149-1 for the original advisory.

This update also fixes several older vulnerabilities; some of them could be exploited to execute arbitrary code with full user privileges if the user visited a malicious web site. (MFSA-2005-01 to MFSA-2005-44; please see the following web site for details: http://www.mozilla.org/projects/security/known-vulnerabilities.html)

Instructions: In general, a standard sy
Ubuntu
Mozilla vulnerabilities (vendor_ubuntu · 2005-07-27 · CVE-2005-2266)

Secunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious web site to spoof the contents of other web sites. (CAN-2005-1937)

It was discovered that a malicious website could inject arbitrary scripts into a target site by loading it into a frame and navigating back to a previous Javascript URL that contained an eval() call. This could be used to steal cookies or other confidential data from the target site. (MFSA 2005-42)

Michael Krax, Georgi Guninski, and L. David Baron found that the security checks that prevent script injection could be bypassed by wrapping a javascript: url in another pseudo-protocol
Ubuntu
Firefox vulnerabilities (vendor_ubuntu · 2005-07-21 · CVE-2005-1937)

Secunia.com reported that one of the recent security patches in Firefox reintroduced the frame injection patch that was originally known as CAN-2004-0718. This allowed a malicious web site to spoof the contents of other web sites. (CAN-2005-1937)

In several places the browser user interface did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events generated by web content. This could be exploited by malicious web sites to generate e.g. mouse clicks that install malicious plugins. Synthetic events are now prevented from reaching the browser UI entirely. (CAN-2005-2260)

Scripts in XBL controls from web content continued to be run even when Javascript was disabled. Thi
Red Hat
security flaw (vendor_redhat · 2005-07-12 · CVSS 5.0 · MEDIUM · CVE-2005-2265)
No detection rules found.
Exploit-DB
Mozilla Suite/Firefox - InstallVersion->compareTo() Code Execution (Metasploit)
exploitdb · 2010-09-20 · CVE-2005-2265
---
```ruby
##
# $Id: mozilla_compareto.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::FF,
  :ua_minver  => "1.0",
  :ua_maxver  => "1.7.10",
  :os_name    => OperatingSystems::WINDOWS,
  :javascript => true,
  :rank       => NormalRanking, # reliable memory corruption
  :vuln_test  => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
})
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Mozilla Suite/Firefox InstallV
```
Exploit-DB
Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution (Metasploit)
exploitdb · 2005-07-13 · CVE-2005-2265
```ruby
HttpClients::FF,
  :ua_ver     => "1.0",
  :os_name    => OperatingSystems::WINDOWS,
  :javascript => true,
  :rank       => NormalRanking, # reliable memory corruption
  :vuln_test  => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
})
def initialize(info = {})
  super(update_info(info,
    'Name'        => 'Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution',
    'Description' => %q{
      This module exploits a code execution vulnerability in the Mozilla
      Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
      module is a direct port of Aviv Raff's HTML PoC.
    },
    'License'     => MSF_LICENSE,
    'Author'      => ['hdm', 'Aviv Raff '],
    'Version'     => '$Revision$',
    'References'  =>
      [
        ['CVE', '2005-2265'],
        ['OSVDB', '17968'],
        ['BID', '14242'],
        ['URL', 'http://www.mozilla.org/secur
```
Metasploit
Mozilla Suite/Firefox compareTo() Code Execution (metasploit)
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC.

References:
- http://secunia.com/advisories/16043
- http://secunia.com/advisories/16044
- http://secunia.com/advisories/16059
- http://secunia.com/advisories/19823
- http://www.ciac.org/ciac/bulletins/p-252.shtml
- http://www.debian.org/security/2005/dsa-810
- http://www.mozilla.org/security/announce/mfsa2005-50.html
- http://www.networksecurity.fi/advisories/netscape-multiple-issues.html
- http://www.novell.com/linux/security/advisories/2005_18_sr.html
- http://www.novell.com/linux/security/advisories/2005_45_mozilla.html
- http://www.novell.com/linux/security/advisories/2006_04_25.html
- http://www.redhat.com/support/errata/RHSA-2005-586.html
- http://www.redhat.com/support/errata/RHSA-2005-587.html
- http://www.redhat.com/support/errata/RHSA-2005-601.html
- http://www.securityfocus.com/bid/14242
- http://www.vupen.com/english/advisories/2005/1075
- https://bugzilla.mozilla.org/show_bug.cgi?id=295854
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160202
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100008
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10397
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A417
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A781

Published 2005-07-13