cbcvebase.
CVE-2006-0295
published 2006-02-02

CVE-2006-0295: Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the…

PriorityP342medium5.1CVSS 2.0
AVNACHAuNCPIPAP
EXPLOIT
EPSS
70.74%
99.3th percentile
Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.

Affected

9 ranges
VendorProductVersion rangeFixed in
debianfirefox< firefox 1.5.dfsg+1.5.0.1-1 (sid)firefox 1.5.dfsg+1.5.0.1-1 (sid)
debianthunderbird< firefox 1.5.dfsg+1.5.0.1-1 (sid)firefox 1.5.dfsg+1.5.0.1-1 (sid)
mozillafirefox
mozillaseamonkey
mozillathunderbird
mozillathunderbird>= 0 < 1.5.0.2-11.5.0.2-1
mozillathunderbird>= 0 < 1.5.0.2-11.5.0.2-1
mozillathunderbird>= 0 < 1.5.0.2-11.5.0.2-1
mozillathunderbird>= 0 < 1.5.0.2-11.5.0.2-1

Detection & IOCsextracted from sources · hover to see the quote

commandlocation.QueryInterface(eval("Components.interfaces.nsIClassInfo"))
  • Detect exploit delivery page by looking for the JavaScript pattern calling location.QueryInterface with Components.interfaces.nsIClassInfo in HTML responses served as text/html
  • Exploit uses heap spray via a large JavaScript string (FillHeap function) to fill nearly a gigabyte of memory with NOP sled and payload before triggering the QueryInterface corruption — look for abnormally large JS heap allocations in browser process memory
  • Exploit server responds with Content-Type: text/html and optionally Content-Encoding: gzip and Transfer-Encoding: chunked — monitor for chunked/gzip HTML responses containing QueryInterface JS patterns
  • Vulnerable User-Agent strings to flag: Firefox/1.5 (matching regex /\/1\.5$/) on Linux or Mac OS X — the exploit module checks for this exact version string to confirm target is vulnerable
  • Shellcode is encoded using JavaScript unescape() %u-escape sequences — look for large unescape() blobs in script content as a heap-spray indicator
  • ·Vulnerability only affects Firefox 1.5 and SeaMonkey before 1.0; Firefox 1.0 and Mozilla Suite 1.7 are NOT vulnerable — scope detection rules accordingly
  • ·Thunderbird 1.5 is only vulnerable if JavaScript is enabled in mail, which is NOT the default — detections targeting Thunderbird should account for this non-default configuration
  • ·Metasploit exploit targets only Mac OS X (PPC) and Linux (x86) — no Windows target exists in the public exploit modules, so Windows detections for this specific exploit are lower priority

CVSS provenance

nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
osv5.1MEDIUM
vendor_debian5.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.