cbcvebase.
CVE-2011-3658
published 2011-12-21

Priority: P3 (57) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 69.88% (99.3rd percentile)
The SVG implementation in Mozilla Firefox 8.0, Thunderbird 8.0, and SeaMonkey 2.5 does not properly interact with DOMAttrModified event handlers, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via vectors involving removal of SVG elements.

Affected (3 ranges)

Vendor   Product      Version range   Fixed in
mozilla  firefox      (not listed)    (not listed)
mozilla  seamonkey    (not listed)    (not listed)
mozilla  thunderbird  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

other: 0x0C0C0C0C (heap spray pivot address)
other: 0x7c45abdf, XCHG EAX,ESP # ADD [EAX],EAX # ADD ESP,48h # RETN 28 [MOZCPP19.DLL] (stack-to-heap flip)
other: 0x781a909c, pointer to &VirtualAlloc() [IAT MOZCRT19.dll]
bytes: \x81\xc4\x24\xfa\xff\xff (x86 "add esp, 0xFFFFFA24", i.e. add esp, -1500: a stack adjustment executed before the payload)
  • The public exploit targets Firefox 7 and 8 (<=8.0.1) on Windows XP only; it selects the target from the User-Agent string, requiring 'Firefox/7.0', 'Firefox/8.0', or 'Firefox/8.0.1' together with 'NT 5.1'. Requests carrying such a User-Agent that receive script-bearing HTML are the population worth inspecting.
  • The exploit delivers a malicious HTML page with Content-Type text/html; monitor for suspicious SVG- and script-containing HTML responses served to vulnerable Firefox versions.
  • The vulnerability is triggered by removing SVG elements inside a DOMAttrModified event handler; look for JavaScript that registers a DOMAttrModified listener and removes SVG child elements from within it. DOMAttrModified is a legitimate (deprecated) mutation event, so this pattern alone is a weak signal and should be combined with the indicators below.
  • The exploit uses a classic heap spray to place its payload at 0x0C0C0C0C (a value commonly built from repeated %u0c0c words passed to unescape()); in browser processes, watch for large repetitive allocations that fill the address space up to that address.
  • The payload is configured with EXITFUNC=process and the session immediately migrates out of the injected process; monitor for unexpected child process spawning or process migration from firefox.exe shortly after page load.
  • The ROP chains rely exclusively on gadgets from MOZCRT19.dll and MOZCPP19.DLL. Both DLLs are normal components of the affected Firefox builds, so their mere presence is not an indicator; the indicator is a thread stack whose return addresses land on ROP-style gadget sequences in those modules (e.g., PUSHAD # RETN).
  • Bad characters for the payload are \x00\x0a\x0d\x34; encoded shellcode in exploit traffic will contain none of these bytes, which helps distinguish exploit payloads from benign content.
  • The vulnerability only affects Firefox 7 and 8 (<=8.0.1), Thunderbird 8.0, and SeaMonkey 2.5; later versions are not affected.
  • The public Metasploit exploit only targets Windows XP; other OS targets are not supported, and the module returns 404 for unsupported OS/browser combinations.
  • Red Hat confirmed this issue did not affect firefox, thunderbird, or seamonkey as shipped with RHEL 4, 5, and 6.
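As an added example (not part of this page's sources and not the Metasploit module's own code), the following Python applies the indicators listed above to an HTTP response: target-browser User-Agent, the DOMAttrModified-plus-removal script pattern, the 0x0C0C0C0C spray, the two gadget addresses and the stack-adjust bytes in their `%uXXXX` little-endian form (the encoding `unescape()` consumes), and a bad-character check on decoded blobs. The User-Agent strings and page bodies are constructed fixtures assembled only to exercise the detector; the indicator names and the scoring in `verdict()` are my own choices.

```python
import re

# Indicators taken from the detection notes on this page.
TARGET_UA_RE = re.compile(r"Firefox/(?:7\.0|8\.0\.1|8\.0)(?![\d.])")
WINXP_RE = re.compile(r"Windows NT 5\.1")
DOMATTR_RE = re.compile(r"addEventListener\s*\(\s*['\"]DOMAttrModified['\"]")
REMOVE_RE = re.compile(r"\.removeChild\s*\(")
SVG_RE = re.compile(r"<svg\b|createElementNS\s*\([^)]*svg", re.I)
SPRAY_RE = re.compile(r"(?:%u0c0c){2,}|0x0c0c0c0c", re.I)
UESC_RE = re.compile(r"(?:%u[0-9a-fA-F]{4})+")
ROP_ADDRS = {0x7c45abdf: "MOZCPP19.DLL stack pivot",
             0x781a909c: "MOZCRT19.dll IAT VirtualAlloc"}
STACK_ADJUST = b"\x81\xc4\x24\xfa\xff\xff"   # add esp, -1500
BAD_CHARS = b"\x00\x0a\x0d\x34"


def le_words(data: bytes) -> str:
    """Encode bytes as the %uXXXX little-endian words that unescape() turns back into memory."""
    assert len(data) % 2 == 0
    return "".join("%%u%04x" % int.from_bytes(data[i:i + 2], "little")
                   for i in range(0, len(data), 2))


def decode_words(s: str) -> bytes:
    """Inverse of le_words: decode a run of %uXXXX words back to raw bytes."""
    return b"".join(int(w, 16).to_bytes(2, "little")
                    for w in re.findall(r"%u([0-9a-fA-F]{4})", s))


def addr_words(addr: int) -> str:
    """A 32-bit address as it appears inside an unescape()-built ROP chain."""
    return le_words(addr.to_bytes(4, "little"))


def scan_response(user_agent: str, content_type: str, body: str) -> dict:
    """Evaluate one HTTP transaction against the page's indicators."""
    lower = body.lower()
    hits = {}
    hits["target_browser"] = bool(TARGET_UA_RE.search(user_agent) and WINXP_RE.search(user_agent))
    hits["html_with_svg_script"] = (content_type.lower().startswith("text/html")
                                    and bool(SVG_RE.search(body)) and "<script" in lower)
    hits["domattrmodified_removal"] = bool(DOMATTR_RE.search(body) and REMOVE_RE.search(body))
    hits["heap_spray_0c0c0c0c"] = bool(SPRAY_RE.search(body))
    hits["rop_gadgets"] = [name for addr, name in ROP_ADDRS.items()
                           if ("0x%08x" % addr) in lower or addr_words(addr) in lower]
    hits["stack_adjust"] = le_words(STACK_ADJUST) in lower or STACK_ADJUST.hex() in lower
    # Decoded %u blobs of payload size that avoid every bad character look like encoded shellcode.
    blobs = [decode_words(m.group(0)) for m in UESC_RE.finditer(body)]
    hits["badchar_free_payload"] = any(len(b) >= 8 and not any(c in b for c in BAD_CHARS)
                                       for b in blobs)
    return hits


def verdict(hits: dict) -> str:
    """The trigger pattern alone is weak (DOMAttrModified is a legitimate mutation event);
    combined with the spray or this exploit's gadgets it becomes distinctive."""
    strong = hits["heap_spray_0c0c0c0c"] or bool(hits["rop_gadgets"]) or hits["stack_adjust"]
    if hits["domattrmodified_removal"] and strong:
        return "exploit_likely"
    if hits["domattrmodified_removal"] or strong:
        return "suspicious"
    return "benign"


# Constructed fixtures (not captured traffic): a body carrying the page's indicators,
# assembled from the constants above, and a benign page using the same mutation event.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
SUSPECT_BODY = (
    '<html><body><svg xmlns="http://www.w3.org/2000/svg"><g id="g"><rect id="r"/></g></svg>'
    '<script>var spray = unescape("%u0c0c%u0c0c"); while (spray.length < 0x100000) spray += spray;'
    'var chain = unescape("' + addr_words(0x7c45abdf) + addr_words(0x781a909c)
    + le_words(STACK_ADJUST) + '");'
    'var g = document.getElementById("g");'
    'g.addEventListener("DOMAttrModified", function () { g.removeChild(document.getElementById("r")); }, false);'
    "</script></body></html>"
)
BENIGN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0"
BENIGN_BODY = (
    '<html><body><svg xmlns="http://www.w3.org/2000/svg"><circle id="c" r="5"/></svg>'
    '<script>document.getElementById("c").addEventListener("DOMAttrModified",'
    ' function (e) { console.log(e.attrName); }, false);</script></body></html>'
)

if __name__ == "__main__":
    for ua, body in ((SUSPECT_UA, SUSPECT_BODY), (BENIGN_UA, BENIGN_BODY)):
        h = scan_response(ua, "text/html", body)
        print(verdict(h), h)
```

Run it on proxy or web-server logs by feeding each response's User-Agent, Content-Type and body to `scan_response()`; a `suspicious` result on a body that only contains the mutation-event pattern is expected noise, while `exploit_likely` is worth a look at the spawned process tree on the client.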

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat             7.5     HIGH
vendor_ubuntu             7.5     HIGH