CVE-2009-2477
published 2009-07-15

Priority: P268 · critical · 9.3 (CVSS 2.0)
Vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Flags: ITW (exploited in the wild) · EXPLOIT · VulnCheck KEV
EPSS: 42.69% (98.5th percentile)
js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.

Affected (1 range)

Vendor    Product   Version range   Fixed in
mozilla   firefox

Detection & IOCs (extracted from sources)

path:  js/src/jstracer.cpp
other: 0x0c0c0c0c
hash:  shellcode: %uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800
bytes: %u0c0c%u0c0c
  • Trigger is JavaScript use of the escape() function in Firefox 3.5 JIT (TraceMonkey); look for HTML documents combining <P> and <FONT> elements with escape() calls in JavaScript
  • Exploit delivers payload via HTTP response with Content-Type text/html; charset=utf-8 — monitor for browser exploit pages serving heap-spray JavaScript with repeated %u0c0c%u0c0c NOP sleds
  • Heap spray uses 800 containers of block length 0x60000 filled with 0x0c0c0c0c return address on Windows XP; detect large allocation loops in JS with repeated unescape('%u0c0c%u0c0c') patterns
  • The Metasploit module targets Firefox 3.5.0 specifically (ua_minver/ua_maxver both '3.5'); User-Agent filtering on Firefox/3.5 can help scope detections
  • Exploit HTML structure uses randomised variable names but always contains a custom escapeData() function iterating over characters and a sprayready flag; look for this pattern in script blocks
  • Vulnerability is specific to Firefox 3.5 before 3.5.1; the JIT compiler (TraceMonkey) must be enabled. Firefox 3.5.1 and later are not affected.
  • Metasploit module was only tested on Windows but notes it should work on other platforms; the Mac OS X target uses a different Ret value (0x41414141) and a much larger container count (800000), so heap-spray thresholds differ per platform
  • A related exploit (EDB-40936) targets Naenara Browser 3.5 (RedStar OS 3.0 Desktop), a North Korean Firefox fork based on the same vulnerable codebase; detection rules should account for this variant

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck                 9.3     CRITICAL
vendor_redhat             9.3     CRITICAL