CVE-2011-2371
published 2011-06-30

Priority: P268
CVSS 2.0: 10.0 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 75.69% (99.5th percentile)
Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
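The description above says what goes wrong but not how a length value turns into an out-of-bounds access. The following is an added example that models the bug class, not SpiderMonkey's array_extra()/GetArrayElement() code from Js3250.dll; the type names, the backing-store layout, the CAPACITY constant and the loop shape are assumptions chosen to show the signed/unsigned confusion. A JS array's length is an unsigned 32-bit value the script controls and may set far above the number of allocated slots; reduceRight walks from length-1 down to 0, and if that walk uses a signed 32-bit index, any length >= 0x80000000 (such as the 0x83000006 used by the exploit) makes the start index negative. A negative index passes a signed bounds check and then becomes a huge offset when the slot is read. The hardened variant keeps the arithmetic unsigned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the CVE-2011-2371 bug class (added example, not
 * SpiderMonkey code). Names, layout and CAPACITY are assumptions. */

#define CAPACITY 8u

typedef struct {
    uint32_t length;            /* JS 'length' property, script-controlled */
    uint32_t capacity;          /* slots actually allocated                */
    int32_t  slots[CAPACITY];
} dense_array_t;

typedef enum { ELEM_OK, ELEM_HOLE, ELEM_OOB } elem_status_t;

/* Start index of a reduceRight walk computed as a signed jsint.
 * 0x83000006 - 1 = 0x83000005, which is -2097151995 as int32_t
 * (two's-complement wrap: implementation-defined in C, what MSVC does). */
int32_t vuln_reduce_right_start(uint32_t length)
{
    return (int32_t)(length - 1);
}

/* Vulnerable element fetch: signed bounds check, unsigned slot access. */
elem_status_t vuln_get_element(const dense_array_t *a, int32_t index, int32_t *out)
{
    if (index < (int32_t)a->capacity) {     /* every negative index passes  */
        uint32_t slot = (uint32_t)index;    /* ... and becomes a huge slot  */
        if (slot >= a->capacity)
            return ELEM_OOB;                /* real code would read here    */
        *out = a->slots[slot];
        return ELEM_OK;
    }
    return ELEM_HOLE;                       /* index >= capacity: a hole    */
}

/* Vulnerable walk: counts how many of the first max_steps iterations would
 * touch memory outside the backing store. The countdown ends at -1; for a
 * negative start it never gets there, so the caller must bound it. */
uint32_t vuln_reduce_right_oob_reads(const dense_array_t *a, uint32_t max_steps)
{
    uint32_t oob = 0, steps = 0;
    int32_t v;
    for (int32_t i = vuln_reduce_right_start(a->length);
         i != -1 && steps < max_steps; i--, steps++) {
        if (vuln_get_element(a, i, &v) == ELEM_OOB)
            oob++;
    }
    return oob;
}

/* Hardened fetch: one unsigned comparison, nothing past capacity is read. */
bool safe_get_element(const dense_array_t *a, uint32_t index, int32_t *out)
{
    if (index >= a->capacity)
        return false;
    *out = a->slots[index];
    return true;
}

/* Hardened walk: unsigned countdown using i-1, so length-1 is never formed,
 * and (assumption of this model) elements past capacity are holes. */
int64_t safe_reduce_right_sum(const dense_array_t *a)
{
    int64_t acc = 0;
    uint32_t n = a->length < a->capacity ? a->length : a->capacity;
    for (uint32_t i = n; i > 0; i--) {
        int32_t v;
        if (safe_get_element(a, i - 1, &v))
            acc += v;
    }
    return acc;
}

/* Sample array with 8 real slots and a caller-chosen JS length (constructed). */
dense_array_t make_sample_array(uint32_t js_length)
{
    dense_array_t a = { js_length, CAPACITY, { 1, 2, 3, 4, 5, 6, 7, 8 } };
    return a;
}

int main(void)
{
    dense_array_t ok  = make_sample_array(8u);
    dense_array_t bad = make_sample_array(0x83000006u);
    printf("start index for length 0x83000006: %d\n",
           vuln_reduce_right_start(bad.length));
    printf("OOB reads in first 1000 steps: normal=%u overflowed=%u\n",
           vuln_reduce_right_oob_reads(&ok, 1000),
           vuln_reduce_right_oob_reads(&bad, 1000));
    printf("hardened reduceRight sum: %lld\n",
           (long long)safe_reduce_right_sum(&bad));
    return 0;
}
```

With length 8 the vulnerable walk performs eight in-bounds reads and stops; with length 0x83000006 every iteration is an out-of-bounds read, which is the primitive the exploit builds on. The fix is not a larger integer type but keeping the index unsigned end to end and comparing it only against the allocated capacity.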

Affected

238 ranges · showing 25 (only the first row's version range survived extraction; the other 24 rows are listed without their ranges)

Vendor    Product   Version range   Fixed in
mozilla   firefox   <= 3.6.17
mozilla   firefox   (24 further rows; version range and fix version not shown)

Detection & IOCs (extracted from sources)

filename: Js3250.dll
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17974.zip
other: 0x7C370EEF (MSVCR71.dll LEA ESP,[ESI-3] # RETN, stack pivot)
other: 0x7c346c0a (MSVCR71.dll POP EAX # RETN)
other: 0x7c37591f (MSVCR71.dll PUSH ESP # ... # POP ECX # POP EBP # RETN)
other: 0x7c34b8d7 (MSVCR71.dll POP EDI # RETN)
other: 0x7c344f87 (MSVCR71.dll POP EDX # RETN)
other: 0x7c351eb1 (MSVCR71.dll NEG EDX # RETN)
other: 0x7c378c81 (MSVCR71.dll PUSHAD # ADD AL,0EF # RETN)
other: Heap spray address region: 0x0c0c0c0c
bytes: PrependEncoder \xbc\x0c\x0c\x0c\x0c (x86 MOV ESP, 0x0c0c0c0c: sets the stack pointer into the sprayed region before the decoder stub runs)
  • The exploit requires a Java-enabled browser: it loads a Java applet so that MSVCR71.dll (shipped with the JRE and not built for ASLR) is mapped into the Firefox process for its ROP chain. A Java applet served alongside JavaScript that calls Array.reduceRight() is a strong indicator of an exploitation attempt.
  • The Metasploit module fingerprints the User-Agent and serves the exploit only to Firefox 3.6.16 or 3.6.17; detection of exploit delivery can key on this UA filter.
  • The exploit uses MSVCR71.dll ROP gadgets for DEP/ASLR bypass. MSVCR71.dll chains in memory or in shellcode indicate this exploit or one of its relatives; the same gadget set was reused by other browser exploits of the period, so treat it as evidence of exploitation rather than proof of this specific CVE.
  • The exploit sets a JavaScript Array length to 0x83000006, a value that is negative once the engine treats it as a signed 32-bit integer, to trigger the integer overflow in array_reduceRight; monitor for scripts that assign abnormally large values (>= 0x80000000) to Array length.
  • Trend Micro Deep Security IDS/IPS rule 1004722 detects exploitation of this vulnerability.
  • The heap spray targets address 0x0c0c0c0c; repeated 0x0c0c0c0c patterns in the browser heap indicate this spray technique. The value is a common choice across many browser exploits (as a pointer it lands inside the spray, and as x86 code each 0C 0C pair decodes to a harmless OR AL,0Ch), so it is an indicator of heap spraying in general rather than of this CVE alone.
  • Because the Metasploit module returns 404 to every other User-Agent, only Firefox 3.6.16 and 3.6.17 clients ever receive the payload; crawlers and sandboxes that present a different UA will not see it.
  • The ROP gadget addresses are hardcoded for the MSVCR71.dll build loaded by the JRE on Windows XP, Vista and 7; they are invalid if a different version of MSVCR71.dll is present or the DLL is loaded at another base.
  • Compared with a typical browser exploit, this one takes noticeably longer to gain control of the target.
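The indicators above can be turned into a content check on served pages and the User-Agent they were served to. The following is an added example, not part of the Metasploit module, the Trend Micro rule or any vendor product; the indicator names, the bitmask scoring, the sample page bodies and the User-Agent strings are all constructed here. It flags the UA gate, the Java applet, the reduceRight() call, an Array length assignment that is negative as a signed 32-bit value, and the 0x0c0c0c0c spray pattern (both as a hex literal and in the %u0c0c unescape form).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: content-side indicators for delivery of this exploit.
 * Not vendor code; names, scoring and samples are assumptions. */

enum {
    IND_UA_TARGETED  = 1 << 0,   /* client UA is Firefox 3.6.16 or 3.6.17 */
    IND_APPLET       = 1 << 1,   /* <applet> in the same document          */
    IND_REDUCE_RIGHT = 1 << 2,   /* Array.reduceRight() call               */
    IND_HUGE_LENGTH  = 1 << 3,   /* .length assigned a value >= 0x80000000 */
    IND_SPRAY_0C0C   = 1 << 4    /* 0x0c0c0c0c heap-spray pattern          */
};

/* The UA gate the Metasploit module applies before serving the payload. */
bool ua_is_targeted(const char *ua)
{
    return ua != NULL &&
           (strstr(ua, "Firefox/3.6.16") != NULL ||
            strstr(ua, "Firefox/3.6.17") != NULL);
}

/* True if any "<expr>.length = <literal>" assigns a value that is negative
 * as a signed 32-bit integer, the shape of the CVE-2011-2371 trigger. */
bool has_huge_length_assignment(const char *body)
{
    const char *p = body;
    while ((p = strstr(p, ".length")) != NULL) {
        p += strlen(".length");
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '=' && p[1] != '=') {            /* assignment, not == */
            p++;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            unsigned long v = strtoul(p, &end, 0);  /* base 0 accepts 0x... */
            if (end != p && v >= 0x80000000UL)
                return true;
        }
    }
    return false;
}

/* Bitmask of indicators present in one served page for one client UA. */
unsigned score_exploit_delivery(const char *ua, const char *body)
{
    unsigned ind = 0;
    if (ua_is_targeted(ua))                               ind |= IND_UA_TARGETED;
    if (strstr(body, "<applet") || strstr(body, "<APPLET")) ind |= IND_APPLET;
    if (strstr(body, "reduceRight"))                      ind |= IND_REDUCE_RIGHT;
    if (has_huge_length_assignment(body))                 ind |= IND_HUGE_LENGTH;
    if (strstr(body, "0c0c0c0c") || strstr(body, "%u0c0c")) ind |= IND_SPRAY_0C0C;
    return ind;
}

/* Number of distinct indicators set in a score. */
unsigned indicator_count(unsigned ind)
{
    unsigned n = 0;
    for (; ind; ind &= ind - 1) n++;
    return n;
}

/* Constructed samples, not captured traffic. */
const char SAMPLE_SUSPECT[] =
    "<html><body>\n"
    "<applet code=\"Loader.class\" width=\"1\" height=\"1\"></applet>\n"
    "<script>\n"
    "var spray = unescape('%u0c0c%u0c0c');\n"
    "var arr = new Array();\n"
    "arr.length = 0x83000006;\n"
    "arr.reduceRight(function (a, b) { return a; }, 0);\n"
    "</script>\n</body></html>\n";

const char SAMPLE_BENIGN[] =
    "<script>\n"
    "var xs = [3, 1, 2];\n"
    "var n = xs.length;\n"
    "if (xs.length == 3) { xs.length = 2; }\n"
    "var s = xs.reduceRight(function (a, b) { return a + b; }, 0);\n"
    "</script>\n";

const char UA_FIREFOX_3617[] =
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Gecko/20110420 Firefox/3.6.17";
const char UA_OTHER[] = "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0";

int main(void)
{
    unsigned s = score_exploit_delivery(UA_FIREFOX_3617, SAMPLE_SUSPECT);
    unsigned b = score_exploit_delivery(UA_OTHER, SAMPLE_BENIGN);
    printf("suspect page to Firefox 3.6.17: mask=0x%02x (%u indicators)\n", s, indicator_count(s));
    printf("benign page to other browser:   mask=0x%02x (%u indicators)\n", b, indicator_count(b));
    return 0;
}
```

A legitimate page that merely calls reduceRight() scores one indicator, which is why the score is a bitmask rather than a boolean: the combination of the UA gate, an applet and a negative-as-int32 length assignment is what separates this delivery from ordinary JavaScript, and the 0x0c0c0c0c pattern on its own only says that something is heap spraying.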

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat             10.0    CRITICAL
vendor_ubuntu             10.0    CRITICAL