cbcvebase.
CVE-2011-0073
published 2011-05-07

Priority: P265 · Severity: critical · CVSS 2.0 base score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 70.00% (99.3rd percentile)
Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."

Affected

150 ranges · showing 25

Vendor  | Product | Version range | Fixed in
mozilla | firefox | <= 3.5.18     |

Detection & IOCs (extracted from sources)

url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-2.zip
filename: nsTreeRange_XP.zip
filename: nsTreeRange_7.zip
other: Content-Type: application/vnd.mozilla.xul+xml
  • The public exploit targets Firefox 3.5.x <= 3.5.17 and 3.6.x <= 3.6.16 on Windows (the CVE itself covers every 3.5.x before 3.5.19 and 3.6.x before 3.6.17); it checks the User-Agent for 'Windows NT 5.1' or for Java availability to select the attack path.
  • The exploit delivers a XUL document (Content-Type: application/vnd.mozilla.xul+xml) followed by a JavaScript file. Remote XUL is rare on the public web, so monitor HTTP responses that serve this MIME type from origins outside your allowlist.
  • The exploit heap-sprays with a configurable base of 0x0F000000, a block size of 0x100000 and 200 spray blocks, roughly 200 MiB of near-identical strings; look for large repeated allocations in the Firefox JS engine around that address range.
  • The exploit uses Java ROP gadgets to bypass DEP/ASLR; its check of navigator.javaEnabled() decides whether the Java ROP path is taken.
  • The Metasploit module sets 'migrate -f' as InitialAutoRunScript, so the payload spawns a fresh process and migrates into it immediately after exploitation; monitor for unexpected child processes of Firefox.
  • The exploit triggers the vulnerability by calling invalidateSelection on an nsTreeSelection. invalidateSelection is a legitimate nsITreeSelection method used by chrome and extension code, so treat it as suspicious only when it appears in XUL served from an untrusted web origin.
  • Known ROP gadget addresses used by the Java path: VirtualProtect at 0x7C37A140, LoadLibraryA at 0x7C37A0B8, GetProcAddress at 0x7C37A00C. These are import-table entries in msvcr71.dll (file version 7.10.3052.4), the C runtime shipped with the Java runtime, which loads at a fixed base and is therefore not subject to ASLR.
  • The direct (non-Java) ROP path uses fixed Firefox runtime offsets (VPOffset 0x781A91F8) and fails under ASLR; the exploit is reliable only on Windows XP (direct path) or where Java is enabled (ASLR bypass).
  • The Abysssec public exploit was tested only on Windows XP and Windows 7; reliability on other platforms is unconfirmed.
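The bullets above say what to look for but not how to check for it. The following Python scanner is an added example written for this page, not code from the exploit, from Metasploit or from the database: it applies the listed indicators to captured HTTP responses, namely the XUL MIME type from an origin outside an allowlist, the heap-spray constants (base 0x0F000000, block size 0x100000) and the string-doubling idiom that usually accompanies them, the navigator.javaEnabled() probe, and invalidateSelection calls on a tree selection. The regular expressions, the two-hit spray threshold, the TRUSTED_HOSTS allowlist and the three sample responses are this example's own assumptions; the samples are constructed, not real captures.

```python
"""Heuristic scanner for captured HTTP responses using the CVE-2011-0073
indicators listed on this page. Regexes, thresholds, the allowlist and the
sample responses are assumptions of this example, not the exploit's code."""
import re

XUL_MIME = "application/vnd.mozilla.xul+xml"

# Assumption: origins that legitimately serve remote XUL to your browsers.
TRUSTED_HOSTS = {"intranet.example.internal"}

# Heap-spray indicators. Two or more hits in one body count as a spray.
SPRAY_PATTERNS = {
    "spray-base-0x0F000000": re.compile(r"0x0?f000000\b", re.I),
    "spray-block-0x100000": re.compile(r"0x100000\b", re.I),
    "unicode-escaped-payload": re.compile(
        r"unescape\(\s*['\"](?:%u[0-9a-f]{4}){2,}", re.I),
    # while (s.length < N) s += s;  -- classic string-doubling spray loop
    "string-doubling-loop": re.compile(
        r"while\s*\(\s*\w+\.length\s*<[^)]*\)\s*\w+\s*\+=\s*\w+", re.I),
}
JAVA_PROBE = re.compile(r"navigator\.javaEnabled\s*\(", re.I)
TREE_INVALIDATE = re.compile(r"\.invalidateSelection\s*\(")


def scan_response(host, headers, body, trusted_hosts=TRUSTED_HOSTS):
    """Return the indicator labels found in one response plus a verdict."""
    findings = []
    # Header names are matched case-insensitively; parameters are dropped.
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), "")
    ctype = ctype.split(";")[0].strip().lower()
    if ctype == XUL_MIME and host not in trusted_hosts:
        findings.append("xul-from-untrusted-origin")
    spray_hits = [name for name, rx in SPRAY_PATTERNS.items() if rx.search(body)]
    if len(spray_hits) >= 2:
        findings.append("heap-spray-pattern")
    if JAVA_PROBE.search(body):
        findings.append("java-availability-probe")
    if TREE_INVALIDATE.search(body):
        findings.append("tree-invalidateSelection-call")
    # invalidateSelection is a legitimate XUL API, so it only counts when
    # the XUL itself came from an origin we do not trust.
    suspicious = ("xul-from-untrusted-origin" in findings and
                  ("heap-spray-pattern" in findings or
                   "tree-invalidateSelection-call" in findings))
    return {"findings": findings, "spray_hits": spray_hits,
            "suspicious": suspicious}


XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"

# Constructed sample responses (illustrative, not real captures).
SAMPLES = {
    "drive-by": {
        "host": "203.0.113.7",
        "headers": {"Content-Type": XUL_MIME + "; charset=utf-8"},
        "body": (
            '<window xmlns="' + XUL_NS + '"><tree id="t"/><script><![CDATA['
            'var base = 0x0F000000, block = 0x100000, blocks = 200;'
            'var pad = unescape("%u0c0c%u0c0c");'
            'while (pad.length < block) pad += pad;'
            'if (navigator.javaEnabled()) { /* choose ROP path */ }'
            'document.getElementById("t").view.selection.invalidateSelection();'
            ']]></script></window>'
        ),
    },
    "intranet-app": {
        "host": "intranet.example.internal",
        "headers": {"content-type": XUL_MIME},
        "body": (
            '<window xmlns="' + XUL_NS + '"><tree id="list"/><script>'
            'document.getElementById("list").view.selection.invalidateSelection();'
            '</script></window>'
        ),
    },
    "plain-html": {
        "host": "203.0.113.7",
        "headers": {"Content-Type": "text/html"},
        "body": "<html><body>hello</body></html>",
    },
}


def scan_samples():
    """Run the scanner over every constructed sample."""
    return {name: scan_response(s["host"], s["headers"], s["body"])
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

The verdict deliberately refuses to alert on invalidateSelection alone: the intranet sample is a legitimate tree widget using it from an allowlisted origin and is not flagged, while the drive-by sample is flagged because the same call arrives in XUL from an untrusted origin together with the spray constants. To run this over real traffic, feed each proxy-logged response body and its headers to scan_response and route anything with suspicious set to True to triage.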

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat |         | 10.0  | CRITICAL |
vendor_ubuntu |         | 10.0  | CRITICAL |