CVE-2005-2265
published 2005-07-13


Priority: P3 · 37
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 68.10% (99.2th percentile)
Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.

Affected

26 ranges, showing 25

Vendor | Product | Version range | Fixed in
mozilla | firefox (12 rows) | |
mozilla | mozilla (13 rows) | |

Detection & IOCs (extracted from sources)

command: location.href="javascript:void (new InstallVersion());"
command: (new InstallVersion).compareTo(new Number(eaxAddress >> 1));
other: 0x0c0c0c0c
other: heapBlockSize=0x400000
  • Detect exploit attempts by monitoring for JavaScript calls to InstallVersion.compareTo() with a non-string (object) argument, particularly in browser traffic. The Metasploit module uses a vuln_test check for the presence of InstallVersion in the browser context.
  • Exploit HTML pages deliver a heap spray targeting address 0x0c0c0c0c (newer variant) or 0x12000000 (older variant) with a block size of 0x400000. Network signatures should look for large repeated unescape() blocks in HTML responses served to Firefox/Mozilla user-agents.
  • The exploit page redirects the browser via javascript:void(new InstallVersion()) immediately on body load before triggering the compareTo() crash. Detecting this javascript: URI pattern in location.href assignments is a useful behavioral indicator.
  • The exploit targets Firefox UA versions 1.0 through 1.7.10 on Windows (x86). Restrict or alert on requests from these specific Firefox/Mozilla user-agent version ranges.
  • The server-side exploit module responds with Content-Type: text/html. Correlate this with the heap-spray JavaScript pattern (repeated unescape calls, InstallVersion references) to build a network detection signature.
  • The older Metasploit variant (exploit-db 9947) uses a multi-address heap spray targeting 0x12000000, 0x11C0002C, 0x1200002C, and 0x1180002C, while the newer variant (exploit-db 16306) simplifies to a single ret address of 0x0c0c0c0c. Detection signatures should account for both spray address sets.
  • The exploit payload space is limited to 400 bytes with null bytes as bad characters, which constrains shellcode options and may affect signature matching on payload content.
  • Affected versions are Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2. Patched versions are not vulnerable; version-based detection should be scoped accordingly.
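
The response-body indicators listed above, combined into one inspection heuristic. This is an added example, not code from this page or from the Metasploit module; the function name, rule labels, the threshold of three unescape() calls and both sample bodies are assumptions constructed for illustration.

```python
import re

# Indicators come from the IOC list above; names and thresholds are assumptions.
RE_URI = re.compile(
    r"location\.href\s*=\s*[\"']javascript:\s*void\s*\(\s*new\s+InstallVersion", re.I)
# compareTo( whose first argument does not start with a quoted string literal.
# Heuristic only: a variable that holds a string is flagged as well.
RE_CMP = re.compile(r"\.compareTo\s*\((?!\s*[\"'])")
RE_UNESCAPE = re.compile(r"\bunescape\s*\(")
SPRAY_CONSTANTS = ("0x0c0c0c0c", "0x12000000", "0x400000")
UNESCAPE_MIN = 3  # assumed threshold for "repeated" unescape() calls


def inspect_response(content_type, body):
    """Return (score, rule_hits) for one HTTP response body."""
    hits = []
    # Scope: HTML responses that reference InstallVersion at all.
    if "html" not in content_type.lower() or "InstallVersion" not in body:
        return 0, hits
    if RE_URI.search(body):
        hits.append("javascript-uri-installversion")
    if RE_CMP.search(body):
        hits.append("compareTo-non-string-arg")
    if len(RE_UNESCAPE.findall(body)) >= UNESCAPE_MIN:
        hits.append("repeated-unescape")
    lowered = body.lower()
    if any(const in lowered for const in SPRAY_CONSTANTS):
        hits.append("spray-constant")
    return len(hits), hits


# Constructed, inert sample: filler values only, no spray loop and no payload.
SUSPECT = (
    '<html><body onload="go()"><script>\n'
    'var heapBlockSize=0x400000;\n'
    'var a = unescape("%u4141%u4141"); var b = unescape("%u4141%u4141");\n'
    'var c = unescape("%u4141%u4141");\n'
    'function go(){ location.href="javascript:void (new InstallVersion());";\n'
    '(new InstallVersion).compareTo(new Number(eaxAddress >> 1)); }\n'
    '</script></body></html>'
)
# Constructed benign page: compareTo() called with a string, as intended.
BENIGN = ('<html><script>var v = new InstallVersion();\n'
          'if (v.compareTo("1.0.5.0") < 0) { notifyUser(); }</script></html>')

if __name__ == "__main__":
    for name, body in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, inspect_response("text/html", body))
```

Each rule is weak on its own, so alerting on two or more hits per response keeps legitimate InstallVersion pages from firing.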

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat | 5.0 | MEDIUM