CVE-2011-3658
Published 2011-12-21
Priority: P3 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 69.88% (99.3rd percentile)
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | seamonkey | — | — |
| mozilla | thunderbird | — | — |
Detection & IOCs (extracted from sources)
- ROP gadget: 0x7c45abdf XCHG EAX,ESP # ADD [EAX],EAX # ADD ESP,48h # RETN 28 [MOZCPP19.DLL] (stack-to-heap flip)
- Bytes: \x81\xc4\x24\xfa\xff\xff (the PrependEncoder stack adjustment from the Metasploit module)
- Exploit targets Firefox 7 and 8 (<=8.0.1) on Windows XP only; User-Agent strings matching 'Firefox/7.0', 'Firefox/8.0', or 'Firefox/8.0.1' combined with 'NT 5.1' are used by the exploit to select the target.
- The exploit delivers a malicious HTML page with Content-Type text/html; monitor for suspicious SVG-containing HTML responses served to vulnerable Firefox versions.
- The vulnerability is triggered by removing SVG elements inside a DOMAttrModified event handler; look for JavaScript that registers DOMAttrModified listeners and removes SVG child elements within them.
- The exploit uses a classic heap spray to place shellcode at 0x0C0C0C0C; detect large repetitive memory allocations filling address space toward this address in browser processes.
- The exploit uses EXITFUNC=process and immediately migrates out of the injected process; monitor for unexpected child process spawning or process migration from firefox.exe shortly after page load.
- ROP chains rely exclusively on MOZCRT19.dll and MOZCPP19.DLL gadgets; presence of these DLLs in a process with ROP-style stack frames (e.g., PUSHAD # RETN sequences) is a strong indicator of exploitation.
- Bad characters for the payload are \x00\x0a\x0d\x34; encoded shellcode in exploit traffic will not contain these bytes, which can help distinguish exploit payloads from benign content.
- The vulnerability only affects Firefox 7 and 8 (<=8.0.1), Thunderbird 8.0, and SeaMonkey 2.5; later versions are not affected.
- The public Metasploit exploit only targets Windows XP; other OS targets are not supported and the module will return 404 for unsupported OS/browser combinations.
- Red Hat confirmed this issue did not affect firefox, thunderbird, or seamonkey as shipped with RHEL 4, 5, and 6.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
GHSA
GHSA-pmq4-qjc4-mpxw: The SVG implementation in Mozilla Firefox 8
ghsa_unreviewed · 2022-05-14 · HIGH
The advisory text is identical to the CVE description above.
Ubuntu: Thunderbird vulnerabilities
vendor_ubuntu · 2012-03-23 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Thunderbird.
USN-1401-1 fixed vulnerabilities in Xulrunner. This update provides the
corresponding fixes for Thunderbird.
Original advisory details:
It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. If the user were tricked into
opening a specially crafted page, an attacker could exploit this to cause a
denial of service via application crash. (CVE-2011-3658)
Atte Kettunen discovered a use-after-free vulnerability in the Gecko
Rendering Engine's handling of SVG animations. An attacker could
potentially exploit this to execute arbitrary code with the privileges of
the user invo
Ubuntu: Xulrunner vulnerabilities
vendor_ubuntu · 2012-03-19 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Firefox.
It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. If the user were tricked into
opening a specially crafted page, an attacker could exploit this to cause a
denial of service via application crash. (CVE-2011-3658)
Atte Kettunen discovered a use-after-free vulnerability in the Gecko
Rendering Engine's handling of SVG animations. An attacker could
potentially exploit this to execute arbitrary code with the privileges of
the user invoking the Xulrunner based application. (CVE-2012-0457)
Atte Kettunen discovered an out of bounds read vulnerability in the Gecko
Rendering Engin
Ubuntu: Thunderbird vulnerabilities
vendor_ubuntu · 2012-01-24 · CVSS 7.5 · HIGH
Summary: Several security issues were fixed in Thunderbird.
Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler,
David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia
Knous, and Robert Longson discovered several memory safety issues which
could possibly be exploited to crash Thunderbird or execute arbitrary code
as the user that invoked Thunderbird. (CVE-2011-3660)
Aki Helin discovered a crash in the YARR regular expression library that
could be triggered by JavaScript in web content. (CVE-2011-3661)
It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. An attacker could potentially
exploi
Ubuntu: Mozvoikko and ubufox update
vendor_ubuntu · 2012-01-06 · CVSS 7.5 · HIGH
Summary: This update provides compatible packages for Firefox 9.
USN-1306-1 fixed vulnerabilities in Firefox. This update provides updated
Mozvoikko and ubufox packages for use with Firefox 9.
Original advisory details:
Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler,
David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia
Knous, and Robert Longson discovered several memory safety issues which
could possibly be exploited to crash Firefox or execute arbitrary code as
the user that invoked Firefox. (CVE-2011-3660)
Aki Helin discovered a crash in the YARR regular expression library that
could be triggered by JavaScript in web content. (CVE-2011-3661)
It was discovered that a flaw in the Mozilla SVG implementatio
Ubuntu: Firefox vulnerabilities
vendor_ubuntu · 2012-01-06 · CVSS 7.5 · HIGH (primary CVE: CVE-2011-3660)
Summary: Several security issues were fixed in Firefox.
Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian Holler,
David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse Ruderman, Marcia
Knous, and Robert Longson discovered several memory safety issues which
could possibly be exploited to crash Firefox or execute arbitrary code as
the user that invoked Firefox. (CVE-2011-3660)
Aki Helin discovered a crash in the YARR regular expression library that
could be triggered by JavaScript in web content. (CVE-2011-3661)
It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. An attacker could potentially
exploit this vulnerabi
Red Hat: Mozilla: Multiple security flaws fixed in v3.6.25 (Mac) and v9
vendor_redhat · 2011-12-20 · CVSS 7.5 · HIGH
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.
Statement: This issue did not affect the version of firefox and thunderbird packages as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue did not affect the version of seamonkey package as shipped with Red Hat Enterprise Linux 4.
No detection rules found.
Exploit-DB: Mozilla Firefox 7 / 8 < 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)
exploitdb · 2012-05-09
Module metadata as indexed by Exploit-DB (the listing ends after the first target entry):
```ruby
# Metasploit module metadata (fragment)
'Name'        => 'Firefox nsSVGValue Out-of-Bounds Access Vulnerability',
'Description' => %q{
    This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1).
},
'License'     => MSF_LICENSE,
'Author'      =>
  [
    'regenrecht',   # vulnerability discovery
    'Lincoln',      # Metasploit module
    'corelanc0d3r'  # Metasploit module
  ],
'References'  =>
  [
    [ 'CVE', '2011-3658' ],
    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-056/' ],
    [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=708186' ]
  ],
'DefaultOptions' =>
  {
    'EXITFUNC'             => 'process',
    'InitialAutoRunScript' => 'migrate -f'
  },
'Payload' =>
  {
    'BadChars'       => "\x00\x0a\x0d\x34",
    'DisableNops'    => true,
    'PrependEncoder' => "\x81\xc4\x24\xfa\xff\xff"
  },
'Platform' => 'win',
'Targets'  =>
  [
    [ 'Automatic', {} ],
    [
      'Windows XP - Firefox 7',
      {
        'Ret'    => 0x0C0C0C0C,
        'OffSet' => 0x606,
        'Size'   => 0x40000,
        'PopEax' => 0x7819
```
Metasploit: Firefox nsSVGValue Out-of-Bounds Access Vulnerability
This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers) does not validate whether a given index is out of bounds. If a custom observer of nsSVGValue is created which removes elements from the original observer list, and the memory layout is manipulated properly, the ElementAt() function might pick up an attacker-provided pointer, which can be leveraged to gain remote arbitrary code execution.
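As an added illustration (neither Mozilla's code nor the Metasploit module's), the C++ below models the observer-notification pattern the description attributes to nsSVGValue::NotifyObservers: a loop whose bound is fixed before any callback runs, with an element accessor trusted to be in range, beside a hardened loop that re-reads the live length on every iteration. The types and functions (ObserverList, RunScenario) are invented for the example, and ElementAt() here bounds-checks and counts out-of-range requests instead of dereferencing, so the bug shows up as a counter rather than a crash.

```cpp
#include <cstddef>
#include <vector>

// Modeled observer list (hypothetical; not Gecko's nsTArray). ElementAt() bounds-checks
// and counts out-of-range requests instead of touching memory, so the pattern is safe to run.
struct Observer;
struct ObserverList {
    std::vector<Observer*> items;
    std::size_t oobAttempts = 0;  // times a loop asked for an index past the current end
    Observer* ElementAt(std::size_t i) {
        if (i >= items.size()) { ++oobAttempts; return nullptr; }
        return items[i];
    }
};

// An observer that, when notified, removes the last observer from the list it watches:
// the "custom observer that removes elements" case from the description above.
struct Observer {
    ObserverList* mutates = nullptr;  // nullptr: benign observer
    std::size_t notified = 0;
    void Notify() {
        ++notified;
        if (mutates && !mutates->items.empty()) mutates->items.pop_back();
    }
};

// Vulnerable pattern: the bound is captured once, so a removal inside Notify()
// leaves the loop running past the shrunken array (an out-of-bounds read in the real bug).
void NotifyObserversVulnerable(ObserverList& list) {
    const std::size_t count = list.items.size();
    for (std::size_t i = 0; i < count; ++i)
        if (Observer* o = list.ElementAt(i)) o->Notify();
}

// Hardened pattern: re-read the live length every iteration, so a removal shrinks the loop.
void NotifyObserversHardened(ObserverList& list) {
    for (std::size_t i = 0; i < list.items.size(); ++i)
        if (Observer* o = list.ElementAt(i)) o->Notify();
}

// Constructed scenario: three observers, the first of which removes one during notification.
// Returns how many out-of-bounds index requests the chosen loop made.
std::size_t RunScenario(bool hardened) {
    Observer obs[3];
    ObserverList list;
    for (Observer& o : obs) list.items.push_back(&o);
    obs[0].mutates = &list;
    if (hardened) NotifyObserversHardened(list);
    else NotifyObserversVulnerable(list);
    return list.oobAttempts;  // vulnerable: 1, hardened: 0
}
```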
No writeups or analysis indexed.
References
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00009.html
- http://lists.opensuse.org/opensuse-updates/2012-03/msg00042.html
- http://osvdb.org/77953
- http://secunia.com/advisories/47302
- http://secunia.com/advisories/47334
- http://secunia.com/advisories/48495
- http://secunia.com/advisories/48553
- http://secunia.com/advisories/48823
- http://secunia.com/advisories/49055
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:192
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:031
- http://www.mozilla.org/security/announce/2011/mfsa2011-55.html
- http://www.securitytracker.com/id?1026445
- http://www.securitytracker.com/id?1026446
- http://www.securitytracker.com/id?1026447
- http://www.ubuntu.com/usn/USN-1401-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=708186
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71910
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14664