CVE-2011-0065
published 2011-05-07


Priority: P2
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, exploit-db)
EPSS: 73.66% (99.4th percentile)
Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel.

Affected

150 ranges · showing 25

Vendor    Product   Version range   Fixed in
mozilla   firefox   <= 3.5.18       3.5.19
(the remaining 24 displayed mozilla/firefox rows carry no version or fix data in this extract)

Detection & IOCs (extracted from sources)

  • version: Mozilla Firefox 3.6.16
  • command: fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); fakeobject.onChannelRedirect(null,new Object,0);
  • bytes: fakevtable = unescape("\x00%u1000")
  • bytes: var filler = unescape("%u001c%u1000")
  • Trigger method: the exploit calls QueryInterface(Components.interfaces.nsIChannelEventSink) and then onChannelRedirect(null, new Object, 0) on an OBJECT element. This frees mChannel while the element still holds the pointer; the dangling pointer is reused when the data attribute is set.
  • Delivery: a browser drive-by. The server answers with Content-Type: text/html and a body carrying the exploit JavaScript, served only to a Firefox 3.6.16 User-Agent.
  • User-Agent gate (OS X module): the exploit requires both 'Intel Mac OS X 10.6' and 'Firefox/3.6.16' in the User-Agent header and drops every other request. Hunt for these UA strings in web server logs alongside other signs of exploit delivery.
  • Heap spray: 0x0c0c0c0c sled pattern. The fake vtable pointer is unescape("\x00%u1000"), which decodes to 0x10000000 once laid out in little-endian memory, and the ROP pivot takes 0x0c0c0048 as its start address.
  • DEP bypass (Windows XP SP3): a ROP chain built from a xul.dll gadget at 0x1052c871 (mov esp,[ecx]) and kernel32 VirtualProtect at 0x7c801ad4. These constants in a script body or in process memory are a strong indicator, but they are tied to that patch level.
  • Windows 7 variant: relies on the non-ASLR MSVCR71.dll shipped with Java 6 and earlier to bypass ASLR. Correlate Firefox 3.6.16 plus an installed Java 6 with suspicious OBJECT element manipulation.
  • Post-exploitation: the Metasploit module sets InitialAutoRunScript to 'migrate -f', so the payload spawns a fresh process and migrates into it right after execution. Alert on unexpected child processes of Firefox.
  • The Metasploit OS X module targets only Firefox 3.6.16 on Mac OS X 10.6.x (10.6.6, 10.6.7, 10.6.8) and 10.7.x (10.7.2, 10.7.3); the fake vtable addresses (Fakevtable: 0x2727, Fakefunc: 0x2727001c) are hardcoded for x86 OS X targets and will not work on other platforms.
  • The Windows XP SP3 ROP chain uses a jmp esp gadget at 0x1003876B (xul.dll) and VirtualProtect at 0x7c801ad4 (kernel32); these addresses are version/patch-level specific and differ on other Windows builds.
  • The Windows 7 variant (exploit-db 17672) uses a different ROP chain sourced from MSVCR71.dll; its gadget addresses (e.g. 0x7c346c0a, 0x7c37a140) are specific to that DLL version.
  • JavaScript variable names in the exploit are randomised at run time (rand_text_alpha), so static string matching on variable names will not reliably detect it; key detection on the API calls and constants instead.
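A runnable check for the indicators above, added here as an example; it is not code from the tracker, from Mozilla or from the Metasploit module. It decodes the quoted unescape() literals to the 32-bit values they place in memory, scans an HTTP response body for the trigger sequence without depending on variable names (a backreference ties the QueryInterface and onChannelRedirect calls to the same object, whatever it is called), and filters web-server log lines for the User-Agent the OS X module gates on. The log lines and HTML bodies are constructed samples, and the function names are this example's own.

```python
"""Detection helpers for the CVE-2011-0065 (mChannel use-after-free) indicators.
Added example; the sample log lines and HTML bodies below are constructed."""
import re
import struct

# --- 1. Decode the JavaScript unescape() literals quoted as IOCs --------------

def js_unescape_units(literal: str) -> list:
    """UTF-16 code units that JavaScript's unescape() yields for `literal`.
    Handles %uXXXX and %XX escapes plus the \\xHH string escape the quoted
    literal uses (pass the literal raw, exactly as it appears in the source)."""
    units, i = [], 0
    while i < len(literal):
        m = re.match(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|\\x([0-9a-fA-F]{2})", literal[i:])
        if m:
            units.append(int(m.group(1) or m.group(2) or m.group(3), 16))
            i += m.end()
        else:
            units.append(ord(literal[i]))
            i += 1
    return units

def js_unescape_dwords(literal: str) -> list:
    """Little-endian 32-bit values the decoded string occupies in memory, i.e.
    what the freed object's vtable pointer is overwritten with."""
    raw = b"".join(struct.pack("<H", u) for u in js_unescape_units(literal))
    return [struct.unpack_from("<I", raw, off)[0] for off in range(0, len(raw) - 3, 4)]

# --- 2. Scan a served HTML body for the trigger sequence ----------------------

# Key on the API calls, not on identifiers: the module randomises variable names,
# so the backreference \1 only requires that one object receives both calls.
TRIGGER_RE = re.compile(
    r"(?<![\w$])([A-Za-z_$][\w$]*)\s*\.\s*QueryInterface\s*\(\s*"
    r"Components\.interfaces\.nsIChannelEventSink\s*\)"
    r"[\s\S]{0,400}?"
    r"(?<![\w$])\1\s*\.\s*onChannelRedirect\s*\(\s*null\s*,\s*new\s+Object\s*"
    r"(?:\(\s*\))?\s*,\s*0\s*\)"
)
SPRAY_RE = re.compile(r"(?:%u0c0c){2,}", re.IGNORECASE)   # 0x0c0c0c0c sled via unescape()
# Build-specific ROP constants from the sources; corroborating only, never primary.
ROP_ADDRS = ("0x1052c871", "0x1003876b", "0x7c801ad4", "0x7c346c0a", "0x7c37a140")

def scan_response(body: str) -> dict:
    """Flag the mChannel trigger and the supporting heap-spray / ROP indicators."""
    lower = body.lower()
    return {
        "trigger": TRIGGER_RE.search(body) is not None,
        "spray": SPRAY_RE.search(body) is not None,
        "rop_addrs": [a for a in ROP_ADDRS if a in lower],
    }

# Constructed sample: the quoted trigger with a randomised variable name.
SAMPLE_EXPLOIT_BODY = """<html><body><object id="o" data="about:blank"></object><script>
var Ynqc = document.getElementById("o");
var sled = unescape("%u0c0c%u0c0c");
Ynqc.QueryInterface(Components.interfaces.nsIChannelEventSink);
Ynqc.onChannelRedirect(null, new Object, 0);
</script></body></html>"""

# Constructed benign sample: a real redirect listener, real channel arguments.
SAMPLE_BENIGN_BODY = """<script>
listener.onChannelRedirect(oldChannel, newChannel, flags);
</script>"""

# --- 3. Web-server log filter for the targeted client build -------------------

UA_RE = re.compile(r'"([^"]*)"\s*$')   # last quoted field of a combined-format line

def flag_vulnerable_clients(log_lines) -> list:
    """Return (client_ip, passes_osx_gate) for requests from Firefox/3.6.16.
    Firefox/3.6.16 alone marks an unpatched client; the 'Intel Mac OS X 10.6'
    pairing is the exact User-Agent gate the OS X module applies."""
    hits = []
    for line in log_lines:
        m = UA_RE.search(line)
        if not m or "Firefox/3.6.16" not in m.group(1):
            continue
        hits.append((line.split()[0], "Intel Mac OS X 10.6" in m.group(1)))
    return hits

# Constructed combined-format log lines (RFC 5737 test addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/May/2011:10:01:12 +0000] "GET /promo.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"',
    '198.51.100.8 - - [07/May/2011:10:01:15 +0000] "GET /promo.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"',
    '198.51.100.9 - - [07/May/2011:10:01:20 +0000] "GET /promo.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:4.0) Gecko/20100101 Firefox/4.0"',
]

if __name__ == "__main__":
    print("fake vtable pointer:", hex(js_unescape_dwords(r"\x00%u1000")[0]))
    print("filler dword:", hex(js_unescape_dwords(r"%u001c%u1000")[0]))
    print("exploit body:", scan_response(SAMPLE_EXPLOIT_BODY))
    print("benign body: ", scan_response(SAMPLE_BENIGN_BODY))
    print("log hits:", flag_vulnerable_clients(SAMPLE_LOG))
```

The trigger regex deliberately ignores the ROP constants and the spray when deciding `trigger`: those are reported separately because they change per build (the XP SP3, Windows 7 and OS X variants each carry different addresses), while the nsIChannelEventSink / onChannelRedirect(null, new Object, 0) pairing is the vulnerability itself and survives identifier randomisation.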

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat             10.0    CRITICAL
vendor_ubuntu             10.0    CRITICAL