CVE-2006-0295
published 2006-02-02CVE-2006-0295: Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the…
PriorityP342medium5.1CVSS 2.0
AVNACHAuNCPIPAP
EXPLOIT
EPSS
70.74%
99.3th percentile
Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 1.5.dfsg+1.5.0.1-1 (sid) | firefox 1.5.dfsg+1.5.0.1-1 (sid) |
| debian | thunderbird | < firefox 1.5.dfsg+1.5.0.1-1 (sid) | firefox 1.5.dfsg+1.5.0.1-1 (sid) |
| mozilla | firefox | — | — |
| mozilla | seamonkey | — | — |
| mozilla | thunderbird | — | — |
| mozilla | thunderbird | >= 0 < 1.5.0.2-1 | 1.5.0.2-1 |
| mozilla | thunderbird | >= 0 < 1.5.0.2-1 | 1.5.0.2-1 |
| mozilla | thunderbird | >= 0 < 1.5.0.2-1 | 1.5.0.2-1 |
| mozilla | thunderbird | >= 0 < 1.5.0.2-1 | 1.5.0.2-1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploit delivery page by looking for the JavaScript pattern calling location.QueryInterface with Components.interfaces.nsIClassInfo in HTML responses served as text/html ↗
- →Exploit uses heap spray via a large JavaScript string (FillHeap function) to fill nearly a gigabyte of memory with NOP sled and payload before triggering the QueryInterface corruption — look for abnormally large JS heap allocations in browser process memory ↗
- →Exploit server responds with Content-Type: text/html and optionally Content-Encoding: gzip and Transfer-Encoding: chunked — monitor for chunked/gzip HTML responses containing QueryInterface JS patterns ↗
- →Vulnerable User-Agent strings to flag: Firefox/1.5 (matching regex /\/1\.5$/) on Linux or Mac OS X — the exploit module checks for this exact version string to confirm target is vulnerable ↗
- →Shellcode is encoded using JavaScript unescape() %u-escape sequences — look for large unescape() blobs in script content as a heap-spray indicator ↗
- ·Vulnerability only affects Firefox 1.5 and SeaMonkey before 1.0; Firefox 1.0 and Mozilla Suite 1.7 are NOT vulnerable — scope detection rules accordingly ↗
- ·Thunderbird 1.5 is only vulnerable if JavaScript is enabled in mail, which is NOT the default — detections targeting Thunderbird should account for this non-default configuration ↗
- ·Metasploit exploit targets only Mac OS X (PPC) and Linux (x86) — no Windows target exists in the public exploit modules, so Windows detections for this specific exploit are lower priority ↗
CVSS provenance
nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
osv5.1MEDIUM
vendor_debian5.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-ggv2-xg5v-qq68: Mozilla Firefox 1
ghsa_unreviewed·2022-05-01
CVE-2006-0295 [MEDIUM] GHSA-ggv2-xg5v-qq68: Mozilla Firefox 1
Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.
OSV
CVE-2006-0295: Mozilla Firefox 1
osv·2006-02-02·CVSS 5.1
CVE-2006-0295 [MEDIUM] CVE-2006-0295: Mozilla Firefox 1
Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.
Debian
CVE-2006-0295: firefox - Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMo...
vendor_debian·2006·CVSS 5.1
CVE-2006-0295 [MEDIUM] CVE-2006-0295: firefox - Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMo...
Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.
Scope: local
sid: resolved (fixed in 1.5.dfsg+1.5.0.1-1)
No detection rules found.
Exploit-DB
Mozilla Firefox - location.QueryInterface() Code Execution (Metasploit)
exploitdb·2010-09-20
CVE-2006-0295 Mozilla Firefox - location.QueryInterface() Code Execution (Metasploit)
Mozilla Firefox - location.QueryInterface() Code Execution (Metasploit)
---
##
# $Id: firefox_queryinterface.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Firefox location.QueryInterface() Code Execution',
'Description' => %q{
This module exploits a code execution vulnerability in the Mozilla
Firefox browser. To reliably exploit this vulnerability, we need to fill
almost a gigabyte of memory with our nop sled and payload. This module has
been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
}
Exploit-DB
Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)
exploitdb·2006-02-08
CVE-2006-0295 Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)
Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::firefox_queryinterface_osx;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};
my $info =
{
'Name' => 'Firefox location.QueryInterface() Code Execution (Mac OS X
Exploit-DB
Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)
exploitdb·2006-02-07
CVE-2006-0295 Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)
Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::firefox_queryinterface_linux;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};
my $info =
{
'Name' => 'Firefox location.QueryInterface() Code Execution (Linu
Metasploit
Firefox location.QueryInterface() Code Execution
metasploit
Firefox location.QueryInterface() Code Execution
Firefox location.QueryInterface() Code Execution
This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
http://secunia.com/advisories/18700http://secunia.com/advisories/18704http://secunia.com/advisories/22065http://securitytracker.com/id?1015570http://www.kb.cert.org/vuls/id/759273http://www.mozilla.org/security/announce/2006/mfsa2006-04.htmlhttp://www.securityfocus.com/archive/1/446657/100/200/threadedhttp://www.securityfocus.com/bid/16476http://www.us-cert.gov/cas/techalerts/TA06-038A.htmlhttp://www.vupen.com/english/advisories/2006/0413http://www.vupen.com/english/advisories/2006/3749https://bugzilla.mozilla.org/show_bug.cgi?id=319296https://exchange.xforce.ibmcloud.com/vulnerabilities/24433https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1562http://secunia.com/advisories/18700http://secunia.com/advisories/18704http://secunia.com/advisories/22065http://securitytracker.com/id?1015570http://www.kb.cert.org/vuls/id/759273http://www.mozilla.org/security/announce/2006/mfsa2006-04.htmlhttp://www.securityfocus.com/archive/1/446657/100/200/threadedhttp://www.securityfocus.com/bid/16476http://www.us-cert.gov/cas/techalerts/TA06-038A.htmlhttp://www.vupen.com/english/advisories/2006/0413http://www.vupen.com/english/advisories/2006/3749https://bugzilla.mozilla.org/show_bug.cgi?id=319296https://exchange.xforce.ibmcloud.com/vulnerabilities/24433https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1562
2006-02-02
Published