CVE-2011-0073
Published 2011-05-07
Priority P2 · 65 · critical · CVSS 2.0 10.0 · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 70.00% (99.3rd percentile)
Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."
Affected
150 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 3.5.18 | — |
Detection & IOCs (extracted from sources)
- Target Firefox versions 3.5.x <= 3.5.17 and 3.6.x <= 3.6.16 on Windows; the exploit checks the User-Agent for 'Windows NT 5.1' or for Java availability to select its attack path.
- The exploit delivers a XUL document (Content-Type: application/vnd.mozilla.xul+xml) followed by a JavaScript file; monitor HTTP responses serving this MIME type from untrusted sources.
- The exploit uses a heap spray with a configurable base offset of 0x0F000000, a block size of 0x100000 and 200 spray blocks; look for large repeated heap allocations in the Firefox JS engine around this address range.
- The exploit uses Java ROP gadgets to bypass DEP/ASLR; Java being enabled (navigator.javaEnabled()) is used as a vulnerability check condition.
- The exploit uses 'migrate -f' as InitialAutoRunScript, indicating post-exploitation process migration; monitor for unexpected process spawning from Firefox.
- The exploit triggers the vulnerability via invalidateSelection on an nsTreeSelection element; JavaScript calling invalidateSelection on tree widgets in Firefox should be treated as suspicious.
- Known Java ROP gadget offsets used by the exploit: VirtualProtect at 0x7C37A140, LoadLibraryA at 0x7C37A0B8, GetProcAddress at 0x7C37A00C (Java Runtime 7.10.3052.4).
- The direct (non-Java) ROP path using Firefox runtime offsets (VPOffset 0x781A91F8) will fail against ASLR; the exploit is only reliable on Windows XP (direct) or when Java is enabled (for ASLR bypass).
- The Abysssec public exploit was tested only on Windows XP and Windows 7; reliability on other platforms is unconfirmed.
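As an added, defender-side example (not code from any advisory or from the exploit modules listed on this page), the following Python turns the version window in the CVE description and the XUL MIME-type indicator above into a check over proxy log lines; the tab-separated log format, the allow-listed host and the sample lines are constructed assumptions.

```python
"""Added example, not from any advisory or exploit module: flag HTTP responses
that served XUL to a client still inside the CVE-2011-0073 version window."""
import re

# Fix versions from the CVE text: Firefox 3.5.19 and 3.6.17, SeaMonkey 2.0.14.
FIXED = {"Firefox": [((3, 5), (3, 5, 19)), ((3, 6), (3, 6, 17))],
         "SeaMonkey": [((2, 0), (2, 0, 14))]}
TRUSTED_XUL_HOSTS = {"intranet.example.test"}   # hypothetical allow-list
XUL_MIME = "application/vnd.mozilla.xul+xml"

def _vtuple(s):
    """'3.6.16' -> (3, 6, 16); missing components count as 0."""
    parts = [int(p) for p in s.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(product, version):
    """Firefox before 3.5.19 (every lower line), 3.6.x before 3.6.17,
    SeaMonkey before 2.0.14: the ranges given in the CVE description."""
    v, branches = _vtuple(version), FIXED.get(product, [])
    if not branches:
        return False
    if v < branches[0][1]:                  # below the lowest fixed release
        return True
    return any(v[:2] == br and v < fix for br, fix in branches[1:])

def client_from_ua(ua):
    """Pull (product, version) from a Gecko-era User-Agent such as '... Firefox/3.6.16'."""
    m = re.search(r"\b(Firefox|SeaMonkey)/(\d+(?:\.\d+)*)", ua)
    return (m.group(1), m.group(2)) if m else (None, None)

def flag_xul_responses(log_lines):
    """Constructed proxy log format: host<TAB>content-type<TAB>user-agent.
    Returns (host, product, version) for each untrusted host that served XUL to a vulnerable browser."""
    hits = []
    for line in log_lines:
        host, ctype, ua = line.rstrip("\n").split("\t", 2)
        if not ctype.lower().startswith(XUL_MIME) or host in TRUSTED_XUL_HOSTS:
            continue                        # not XUL, or an allow-listed origin
        product, version = client_from_ua(ua)
        if product and is_vulnerable(product, version):
            hits.append((host, product, version))
    return hits

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "203.0.113.7\tapplication/vnd.mozilla.xul+xml\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16",
    "intranet.example.test\tapplication/vnd.mozilla.xul+xml\tMozilla/5.0 (Windows NT 6.1; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16",
    "203.0.113.9\tapplication/vnd.mozilla.xul+xml\tMozilla/5.0 (X11; Linux i686; rv:1.9.2.17) Gecko/20110422 Firefox/3.6.17",
    "198.51.100.4\tapplication/vnd.mozilla.xul+xml\tMozilla/5.0 (Windows NT 5.1; rv:1.9.1.18) Gecko/20110319 SeaMonkey/2.0.13",
]
```

The second sample line is dropped by the allow-list and the third by the 3.6.17 fix boundary, so only the first and last survive as hits.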
CVSS provenance
nvd (v2.0): 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 CRITICAL
vendor_ubuntu: 10.0 CRITICAL
Ubuntu: Thunderbird regression
vendor_ubuntu · 2011-06-06 · CVSS 10.0 · [CRITICAL]
Summary: An empty menu bar sometimes appeared after upgrade in USN-1122-2
USN-1122-2 fixed vulnerabilities in Thunderbird on Ubuntu 11.04. A
regression was introduced which caused Thunderbird to display an empty menu
bar. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer disc
Ubuntu: Thunderbird vulnerabilities (CVE-2011-0065)
vendor_ubuntu · 2011-05-05 · CVSS 10.0 · [CRITICAL]
Summary: Thunderbird could be made to run programs as your login if it opened
specially crafted mail.
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0070)
Bob Clary, Henri Siv
Ubuntu: Thunderbird vulnerabilities (CVE-2011-0065)
vendor_ubuntu · 2011-05-05 · CVSS 10.0 · [CRITICAL]
Summary: Thunderbird could be made to run programs as your login if it opened
specially crafted mail.
USN-1122-1 fixed vulnerabilities in Thunderbird for Lucid and Maverick.
This update provides the corresponding fixes for Natty.
Original advisory details:
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Thunderbird. (CVE-2011-0081)
It was discovered that Thunderbird incorrectly handled certain JavaScript
requests. If JavaScript were enabled, an attacker could exploit this to
possibly run arbitrary code as the user running Thunderbird.
(CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of a cer
Ubuntu: Xulrunner vulnerabilities (CVE-2011-0077)
vendor_ubuntu · 2011-04-30
Summary: Multiple xulrunner-1.9.1 vulnerabilities
A large number of security issues were discovered in the Gecko rendering
engine. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Instructions: After a standard system update you need to restart any applications which
use Xulrunner to make all the necessary changes.
Ubuntu: Firefox and Xulrunner vulnerabilities (CVE-2011-0081)
vendor_ubuntu · 2011-04-29 · CVSS 10.0 · [CRITICAL]
Summary: Multiple vulnerabilities in Firefox and Xulrunner
It was discovered that there was a vulnerability in the memory handling of
certain types of content. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0081)
It was discovered that Firefox incorrectly handled certain JavaScript
requests. An attacker could exploit this to possibly run arbitrary code as
the user running Firefox. (CVE-2011-0069)
Ian Beer discovered a vulnerability in the memory handling of certain
types of documents. An attacker could exploit this to possibly run
arbitrary code as the user running Firefox. (CVE-2011-0070)
Bob Clary, Henri Sivonen, Marco Bonardo, Mats Palmgren and Jesse Ruderman
discovered several memo
Red Hat: Mozilla dangling pointer flaw (MFSA 2011-13)
vendor_redhat · 2011-04-28 · CVSS 10.0 · [CRITICAL] · CVE-2011-0073
Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."
GHSA: GHSA-rcq6-xcmq-vpwm: Mozilla Firefox before 3
ghsa_unreviewed · 2022-05-17 · [HIGH] · CWE-20 · CVE-2011-0073
Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, does not properly use nsTreeRange data structures, which allows remote attackers to execute arbitrary code via unspecified vectors that lead to a "dangling pointer."
No detection rules found.
Exploit-DB: Mozilla Firefox - 'nsTreeRange' Dangling Pointer (Metasploit) (1)
exploitdb · 2011-07-10 · CVE-2011-0073
---
```ruby
##
# $Id: mozilla_nstreerange.rb 13148 2011-07-10 21:10:45Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	# The text between the class declaration and the autopwn_info hash was lost
	# in extraction (the "<" was swallowed); the two mixin includes below follow
	# the standard browser-exploit module layout and are reconstructed, not quoted.
	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn

	# Browser Autopwn metadata: which clients this module targets and the
	# client-side test it runs before firing.
	autopwn_info({
		:ua_name    => HttpClients::FF,
		:ua_minver  => "3.5",
		:ua_maxver  => "3.6.16",
		:os_name    => OperatingSystems::WINDOWS,
		:javascript => true,
		:rank       => NormalRanking,
		:vuln_test  => "if (navigator.userAgent.indexOf('Windows NT 5.1') != -1 || navigator.javaEnabled()) { is_vuln = true; }",
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mozilla Firefox "nsTreeRange
```
Exploit-DB: Mozilla Firefox - 'nsTreeRange' Dangling Pointer (2)
exploitdb · 2011-06-20 · CVE-2011-0073
---
Advisory :
Abysssec Public Exploit :
This module exploits a code execution vulnerability in Mozilla
Firefox <= 3.6.16 caused by the nsTreeSelection element. The specific flaw
exists within the way Firefox handles user-defined functions of
an nsTreeSelection element. When executing the function
invalidateSelection it is possible to free the nsTreeSelection object
that the function operates on. Any further operations on the freed
object can result in remote code execution. This exploit module is only
tested on Win7 and uses another Java ROP to defeat DEP/ASLR (since
there is no longer a non-ASLR module in Firefox) and in my tests works
reliably on Windows 7.
There are two versions of this exploit, XP and 7, and both use different
methods that
Metasploit: Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
metasploit
This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it's possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.
References:
- http://downloads.avaya.com/css/P8/documents/100134543
- http://downloads.avaya.com/css/P8/documents/100144158
- http://securityreason.com/securityalert/8310
- http://www.debian.org/security/2011/dsa-2227
- http://www.debian.org/security/2011/dsa-2228
- http://www.debian.org/security/2011/dsa-2235
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
- http://www.mozilla.org/security/announce/2011/mfsa2011-13.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=630919
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14020