CVE-2005-2871
published 2005-09-09

Priority: P3 47 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 21.11% (97.3th percentile)
Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |
mozilla | firefox | |

Detection & IOCs (extracted from sources)

url: http://www.milw0rm.com/id.php?id=1224
bytes: 0xAD (soft hyphen character used as hostname payload)
  • Detect URLs/hostnames composed entirely of soft-hyphen characters (0xAD) in HTTP requests, which trigger the IDN heap buffer overrun in nsStandardURL::BuildNormalizedSpec via the NormalizeIDN call.
  • Monitor for outbound connections to port 28876, which is the bind-shell port dropped by the exploit's shellcode upon successful exploitation.
  • Detect heap spray patterns: large numbers of Image objects created via setInterval with a malicious src URL containing 0xAD-padded hostnames, consistent with the exploit's technique of continuously creating image objects to trigger the overflow.
  • Heap spray fills memory from approximately 0x02000000 to 0x28081976; memory forensics or crash analysis showing EIP/call targets in this range may indicate exploitation of this CVE.
  • The exploit is described as optimized for Firefox and only rarely works against Netscape, so detection tuning may differ by browser target.
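
The first detection bullet as an added example (not code from the advisory, from Mozilla, or from this database): a Python check that flags URLs whose host consists only of soft hyphens. It goes slightly beyond the bullet by accepting the character as raw 0xAD bytes, as UTF-8 U+00AD, or percent-encoded; the log layout, function names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

SHY_UTF8 = b"\xc2\xad"  # U+00AD encoded as UTF-8
SHY_RAW = b"\xad"       # single-byte 0xAD, the form named in the advisory
URL_RE = re.compile(rb"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")
AUTHORITY_RE = re.compile(rb"^[^:]+://([^/?#]*)")


def soft_hyphen_host_len(url):
    """Count soft hyphens if the URL's host is made only of them, else 0."""
    raw = url if isinstance(url, bytes) else url.encode("utf-8", "surrogateescape")
    m = AUTHORITY_RE.match(raw)
    if not m:
        return 0
    authority = m.group(1).rsplit(b"@", 1)[-1]                  # drop userinfo
    host = unquote_to_bytes(re.sub(rb":\d*$", b"", authority))  # drop port, decode %XX
    count = host.count(SHY_UTF8)
    rest = host.replace(SHY_UTF8, b"")
    count += rest.count(SHY_RAW)
    rest = rest.replace(SHY_RAW, b"")
    return count if count and not rest else 0


def scan(lines):
    """Return (line_number, url, soft_hyphen_count) for each suspicious URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        raw = line if isinstance(line, bytes) else line.encode("utf-8", "surrogateescape")
        for url in URL_RE.findall(raw):
            count = soft_hyphen_host_len(url)
            if count:
                hits.append((n, url, count))
    return hits


# Constructed sample proxy-log lines (hypothetical layout, not a real capture).
SAMPLE = [
    b"10.0.0.5 GET http://example.com/index.html 200",
    b"10.0.0.5 GET http://" + b"\xad" * 40 + b"/ 000",  # raw 0xAD bytes
    "10.0.0.6 GET http://" + "\u00ad" * 12 + "/x 000",  # U+00AD in decoded text
    b"10.0.0.7 GET http://%AD%AD%c2%ad:8080/a 000",     # percent-encoded
    "10.0.0.8 GET http://shy\u00adphen.example.org/ 200",  # soft hyphen inside a real name
]

if __name__ == "__main__":
    for n, url, count in scan(SAMPLE):
        print(n, count, url[:40])
```

A host that merely contains a soft hyphen among other characters is not flagged, which keeps ordinary IDN text out of the alerts.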

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat | 7.5 | HIGH