CVE-2008-0016
Published: 2008-09-24
Priority: P2 · 63 affected ranges · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tag: EXPLOIT (public exploit available)
EPSS: 43.92% (98.6th percentile)
Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link.
Affected
63 ranges · showing 1 of the 25 listed entries (the other 24 carry no version or fix data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 2.0.0.16 | — |
Detection & IOCs (extracted from sources)
IOC (bytes): \xC3\xBA
- The exploit delivers a malicious HTML page over HTTP containing a UTF-8 encoded URL (\xC3\xBA trigger bytes) in a hyperlink; detect HTTP responses serving HTML with this specific UTF-8 byte sequence embedded in anchor href attributes. Note that \xC3\xBA is simply the UTF-8 encoding of U+00FA ('ú'), which also occurs in legitimate pages, so on its own this byte sequence is a weak signal and should be combined with the other indicators below.
- The exploit HTTP server identifies itself with a custom 'Server' header value of 'myRequestHandler'; this non-standard header value can be used as a network detection signal.
- The exploit uses a shikata_ga_nai encoded egghunter shellcode with egg marker 0x41424142; memory scanning or network content inspection for this egg tag can identify exploitation attempts.
- The shellcode payload creates a local user account with credentials USER=r00t PASS=r00tr00t!!; post-exploitation detection should look for creation of a local account named 'r00t'.
- Exploitation targets Firefox versions prior to 2.0.0.17 and SeaMonkey prior to 1.1.12 via a crafted UTF-8 URL in a link; alert on User-Agent strings identifying those vulnerable versions combined with suspicious UTF-8 URL content.
- The public exploit targets Firefox 2.0.0.16 on Windows XP SP3 x86 specifically; exploitation on other OS/architecture combinations or Firefox versions may require different shellcode or offsets.
- The egghunter shellcode is encoded as HTML entities to evade unicode conversion during delivery; signature-based detection must account for HTML entity encoding of the shellcode rather than raw bytes.
- According to the exploit author, as of September 2009 there were no other public exploits; however, weaponized versions were available in Canvas and Core Impact commercial frameworks.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
Ubuntu · Firefox and xulrunner regression
vendor_ubuntu · 2008-09-25 · CVSS 10.0 · [CRITICAL]
USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream patches introduced a regression in the saved password handling. While password data was not lost, if a user had saved any passwords with non-ASCII characters, Firefox could not access the password database. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)
It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked i
Ubuntu · Firefox vulnerabilities
vendor_ubuntu · 2008-09-24 · CVSS 10.0 · [CRITICAL] · CVE-2008-0016
USN-645-1 fixed vulnerabilities in Firefox and xulrunner for Ubuntu 7.04, 7.10 and 8.04 LTS. This provides the corresponding update for Ubuntu 6.06 LTS.
Original advisory details:
Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)
It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835)
Several problems were discovered in the JavaScript engine. This could allow
Ubuntu · Firefox and xulrunner vulnerabilities
vendor_ubuntu · 2008-09-24 · CVSS 10.0 · [CRITICAL] · CVE-2008-0016
Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)
It was discovered that the same-origin check in Firefox could be bypassed. If a user were tricked into opening a malicious website, an attacker may be able to execute JavaScript in the context of a different website. (CVE-2008-3835)
Several problems were discovered in the JavaScript engine. This could allow an attacker to execute scripts from page content with chrome privileges. (CVE-2008-3836)
Paul Nickerson discovered Firefox did not properly process mouse
Red Hat · Mozilla UTF-8 stack buffer overflow
vendor_redhat · 2008-09-23 · CVSS 10.0 · [CRITICAL] · CWE-121 · CVE-2008-0016
Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link.
GHSA · GHSA-7683-prf8-wx5w
ghsa_unreviewed · 2022-05-01 · [HIGH] · CWE-119 · CVE-2008-0016
Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link.
No detection rules found.
References
- http://download.novell.com/Download?buildid=WZXONb-tqBw~
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00005.html
- http://secunia.com/advisories/31984
- http://secunia.com/advisories/31985
- http://secunia.com/advisories/32010
- http://secunia.com/advisories/32012
- http://secunia.com/advisories/32042
- http://secunia.com/advisories/32044
- http://secunia.com/advisories/32082
- http://secunia.com/advisories/32092
- http://secunia.com/advisories/32144
- http://secunia.com/advisories/32185
- http://secunia.com/advisories/32196
- http://secunia.com/advisories/32845
- http://secunia.com/advisories/33433
- http://secunia.com/advisories/33434
- http://secunia.com/advisories/34501
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.379422
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.405232
- http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.412123
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1
- http://www.debian.org/security/2008/dsa-1649
- http://www.debian.org/security/2008/dsa-1669
- http://www.debian.org/security/2009/dsa-1696
- http://www.debian.org/security/2009/dsa-1697
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:205
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:206
- http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
- http://www.redhat.com/support/errata/RHSA-2008-0882.html
- http://www.redhat.com/support/errata/RHSA-2008-0908.html
- http://www.securityfocus.com/bid/31397
- http://www.securitytracker.com/id?1020913
- http://www.ubuntu.com/usn/usn-645-1
- http://www.ubuntu.com/usn/usn-645-2
- http://www.vupen.com/english/advisories/2008/2661
- http://www.vupen.com/english/advisories/2009/0977
- https://bugzilla.mozilla.org/show_bug.cgi?id=443288
- https://bugzilla.mozilla.org/show_bug.cgi?id=451617
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11579
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01384.html
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01403.html