CVE-2014-8636
Published 2015-01-14
Priority: P2 · 75 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW / EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 65.66% (99.2th percentile)
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 34.0.5 | — |
| mozilla | firefox | >= 0 < 35.0.1+build1-0ubuntu0.14.04.1 | 35.0.1+build1-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 35.0+build3-0ubuntu0.14.04.2 | 35.0+build3-0ubuntu0.14.04.2 |
| mozilla | seamonkey | <= 2.31 | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:established,to_client; file.data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, cve CVE_2014_8636, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
bytes
chrome|3a 2f 2f|
- Exploit targets Firefox versions 31–34 exclusively; User-Agent filtering for Firefox with a major version between 31 and 34 identifies the clients it is aimed at.
- The exploit payload opens a chrome:// privileged window at off-screen coordinates to hide it from the user; look for window.open calls with chrome:// URLs and negative top/left values in the features string.
- The exploit requires a user click anywhere on the page to trigger; the Proxy.create trap fires on DOM property access (specifically 'nodeType') caused by that user interaction.
- The attack chain uses messageManager.loadFrameScript with a data: URI to inject privileged JavaScript; detect HTTP responses that contain both 'Proxy.create' and 'messageManager.loadFrameScript' in the same script block.
- The PoC/exploit sets document.__proto__ (or calls Object.setPrototypeOf(document, ...)) to a Proxy object; static analysis of served JavaScript can flag prototype manipulation of document. CSP has no directive that covers prototype manipulation, so CSP violation reports will not surface this.
- The payload is delivered via a data: URI loaded into the chrome window through loadFrameScript; monitor for data: URI loads originating from chrome-privileged contexts.
- The exploit only affects Firefox 31–34; Firefox 35+ and patched ESR 31 releases are not vulnerable to the full RCE chain, though ESR 31 may still be vulnerable to the underlying __proto__ hooking DoS.
- The Metasploit module's JavaScript payload is obfuscated via jsobfu, so static string matching on exact JS tokens may miss obfuscated variants; behavioral/heuristic detection is preferred.
- The mozbrowser iframe attribute is required for the RCE chain to succeed; without it, messageManager.childCount returns 0 and the frame script has no effect.
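The indicators above, turned into a small response scanner. This is an added example written for this page, not code from the Emerging Threats rule, the Metasploit module or any of the listed sources. It checks the client's Firefox major version from the User-Agent, then applies the same literal-token logic as the ET rule plus the off-screen chrome:// window, data: URI and document prototype-hook indicators. The three sample bodies and the User-Agent string are constructed for the demonstration, not real captures; the second sample shows why jsobfu-style identifier splitting defeats the literal matches.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Firefox major version from the User-Agent; the Metasploit chain targets 31-34 only.
UA_RE = re.compile(r"Firefox/(\d+)")
TARGET_MAJORS = range(31, 35)

# Literal tokens the ET rule (sid 2020756) keys on, plus the prototype hook
# and data: URI indicators. jsobfu-style obfuscation splits or encodes these
# names, so the string matches fail on obfuscated variants (see OBFUSCATED_BODY).
TOKENS = {
    "proxy_create": re.compile(r"Proxy\s*\.\s*create\s*\(", re.I),
    "load_frame_script": re.compile(r"messageManager\s*\.\s*loadFrameScript", re.I),
    "chrome_open": re.compile(r"\bopen\s*\(\s*['\"]chrome://", re.I),
    "data_uri": re.compile(r"['\"]data:", re.I),
    "document_proto_hook": re.compile(
        r"document\s*\.\s*__proto__\s*=|Object\s*\.\s*setPrototypeOf\s*\(\s*document", re.I),
}
# Negative top/left in a window.open features string hides the chrome window off-screen.
OFFSCREEN_RE = re.compile(r"\b(?:top|left)\s*=\s*-\d+", re.I)


@dataclass
class Verdict:
    firefox_major: Optional[int]
    targeted_client: bool
    hits: List[str] = field(default_factory=list)

    @property
    def suspected_exploit(self) -> bool:
        # Same trigger condition as the ET rule: both strong tokens in one response.
        return "proxy_create" in self.hits and "load_frame_script" in self.hits


def firefox_major(user_agent: str) -> Optional[int]:
    m = UA_RE.search(user_agent or "")
    return int(m.group(1)) if m else None


def scan_response(user_agent: str, body: str) -> Verdict:
    """Score one HTTP response body delivered to a client with the given User-Agent."""
    major = firefox_major(user_agent)
    # Caveat: ESR 31.x advertises Firefox/31.0 whatever its point release, so a
    # patched ESR 31 client is still reported as "targeted" by this version check.
    targeted = major in TARGET_MAJORS
    hits = [name for name, rx in TOKENS.items() if rx.search(body)]
    if "chrome_open" in hits and OFFSCREEN_RE.search(body):
        hits.append("offscreen_chrome_window")
    return Verdict(major, targeted, hits)


# Constructed samples (not real captures): a plain-text exploit page, the same
# chain with its identifiers split the way an obfuscator would, and a benign page
# that merely uses the legacy Proxy.create API.
SAMPLE_UA = "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
EXPLOIT_BODY = """<script>
document.__proto__ = Proxy.create({ getPropertyDescriptor: function (name) {
  var w = open('chrome://browser/content/browser.xul', '', 'top=-9999,left=-9999');
  w.messageManager.loadFrameScript('data:,' + encodeURIComponent(payload), false);
}});
</script>"""
OBFUSCATED_BODY = """<script>
var P = window['Pr' + 'oxy'], c = 'cre' + 'ate';
document['__pro' + 'to__'] = P[c]({});
w['message' + 'Manager']['loadFrame' + 'Script']('data:,' + s, false);
</script>"""
BENIGN_BODY = "<script>var p = Proxy.create({get: function () {}});</script>"

SAMPLES = (("exploit", EXPLOIT_BODY), ("obfuscated", OBFUSCATED_BODY), ("benign", BENIGN_BODY))


def demo() -> dict:
    """Run all constructed samples; returns {sample name: suspected_exploit}."""
    return {name: scan_response(SAMPLE_UA, body).suspected_exploit for name, body in SAMPLES}


if __name__ == "__main__":
    for name, body in SAMPLES:
        v = scan_response(SAMPLE_UA, body)
        print(f"{name:10s} targeted={v.targeted_client} hits={v.hits} suspected={v.suspected_exploit}")
```

The obfuscated sample scores no strong hits even though it carries the same chain, which is the point of the jsobfu caveat above: literal-token rules like sid 2020756 catch the unobfuscated Metasploit output and copy-pasted PoCs, while the User-Agent check and the off-screen chrome:// window indicator still apply to variants that rename identifiers.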
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
GHSA
GHSA-7xcg-82gw-cm6p: The XrayWrapper implementation in Mozilla Firefox before 35
ghsa_unreviewed · 2022-05-17 · CVE-2014-8636 · [HIGH] · CWE-94
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
OSV
firefox regression
osv · 2015-01-27 · CVSS 7.5 · [HIGH]
USN-2458-1 fixed vulnerabilities in Firefox. This update introduced a
regression which could make websites that use CSP fail to load under some
circumstances. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Christian Holler, Patrick McManus, Christoph Diehl, Gary Kwong, Jesse
Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier discovered
multiple memory safety issues in Firefox. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-8634, CVE-2014-8635)
Bobby Holley discovered that some DOM objects with certain properties can
OSV
CVE-2014-8636: The XrayWrapper implementation in Mozilla Firefox before 35
osv · 2015-01-14 · CVSS 7.5 · CVE-2014-8636 · [HIGH]
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
OSV
ubufox update
osv · 2015-01-14 · CVSS 7.5 · [HIGH]
USN-2458-1 fixed vulnerabilities in Firefox. This update provides the
corresponding version of Ubufox.
Original advisory details:
Christian Holler, Patrick McManus, Christoph Diehl, Gary Kwong, Jesse
Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier discovered
multiple memory safety issues in Firefox. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-8634, CVE-2014-8635)
Bobby Holley discovered that some DOM objects with certain properties
can bypass XrayWrappers in some circumstances. If a user were tricked in
to opening a specially crafted website, an attacker could po
OSV
firefox vulnerabilities
osv · 2015-01-14 · CVSS 7.5 · CVE-2014-8634 · [HIGH]
Christian Holler, Patrick McManus, Christoph Diehl, Gary Kwong, Jesse
Ruderman, Byron Campen, Terrence Cole, and Nils Ohlmeier discovered
multiple memory safety issues in Firefox. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-8634, CVE-2014-8635)
Bobby Holley discovered that some DOM objects with certain properties
can bypass XrayWrappers in some circumstances. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit this to bypass security restrictions. (CVE-2014-8636)
Michal Zalewski discovered a use of uninitialized
VulnCheck
Mozilla Firefox Improper Control of Generation of Code ('Code Injection')
vulncheck · 2014 · CVSS 7.5 · CVE-2014-8636 · [HIGH]
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
Affected: Mozilla Firefox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/terror-exploit-kit-more-like-error-exploit-kit/
Ubuntu
Firefox regression
vendor_ubuntu · 2015-01-27 · CVSS 7.5 · [HIGH]
Summary: USN-2458-1 introduced a regression in Firefox
Advisory text: identical to the OSV "firefox regression" entry above.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu · 2015-01-14 · CVSS 7.5 · CVE-2014-8634 · [HIGH]
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Advisory text: identical to the OSV "firefox vulnerabilities" entry above.
Ubuntu
Ubufox update
vendor_ubuntu · 2015-01-14 · CVSS 7.5 · [HIGH]
Summary: This update provides compatible packages for Firefox 35.
Advisory text: identical to the OSV "ubufox update" entry above.
Red Hat
Mozilla: XrayWrapper bypass through DOM objects (MFSA 2015-09)
vendor_redhat · 2014-01-15 · CVSS 7.5 · CVE-2014-8636 · [HIGH] · CWE-250
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
Statement: This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: firefox (Red Hat Enterprise Linux 7) - Not affected
Suricata
ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)
suricata · 2015-03-26 · CVSS 7.5 · CVE-2014-8636 · [HIGH]
Rule: sid 2020756, rev 3; the full rule text is shown under Detection & IOCs above.
Exploit-DB
Mozilla Firefox - Proxy Prototype Privileged JavaScript Injection (Metasploit)
exploitdb · 2015-03-24 · CVE-2014-8636
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'

# Class header reconstructed: extraction dropped the text from "< Msf::Exploit::Remote"
# up to "'Name' =>" as if it were an HTML tag. The two mixin includes are assumed from
# the module's use of the browser exploit server and the Firefox privilege-escalation
# helpers; the module body itself is truncated below.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox Proxy Prototype Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect
        component and gaining a reference to the privileged chrome:// window. This exploit
        requires the user to click anywhere on the page to trigger the vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'joev' # discovery and metasploit module
      ],
      'DisclosureDate' => "Jan 20 2014",
      'References'     => [
        ['CVE', '2014-8636'],
        ['URL', 'h
Metasploit
Firefox Proxy Prototype Privileged Javascript Injection
metasploit
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Bugzilla
Firefox Proxy Prototype Privileged Javascript Injection Exploit
bugzilla · 2015-05-02 · [MEDIUM]
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36
Firefox for Android
Steps to reproduce:
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'

# Class header reconstructed: extraction dropped the text from "< Msf::Exploit::Remote"
# up to "'Name' =>" as if it were an HTML tag. The two mixin includes are assumed from
# the module's use of the browser exploit server and the Firefox privilege-escalation
# helpers; the pasted module is truncated below.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox Proxy Prototype Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect
        component and gaining a reference to the privileged chrome:// window. This exploit
        requires the user to click anywhere on the page to trigger the vulnerability.
      },
      'License'        => MSF_LICENSE
Bugzilla
CVE-2014-8636 Mozilla: XrayWrapper bypass through DOM objects (MFSA 2015-09)
bugzilla · 2015-01-12 · CVSS 7.5 · CVE-2014-8636 · [HIGH]
Mozilla developer Bobby Holley reported that Document Object Model (DOM) objects with some specific properties can bypass XrayWrappers. This can allow web content to access privileged code by compromising their XrayWrappers.
External Reference:
http://www.mozilla.org/security/announce/2015/mfsa2015-09.html
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Bobby Holley as the original reporter.
Statement:
This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Bugzilla
Setting prototype to a Proxy object allows content to influence chrome:// code
bugzilla · 2015-01-11 · [MEDIUM]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Steps to reproduce:
document.__proto__=Proxy.create({getPropertyDescriptor:function(){ while(1) {} }});
Actual results:
Permanently hangs the browser.
By inserting a console.log call you can see our function gets called all over the place. It does not seem to be able to actually return a value, but I think you can force an error to be thrown in chrome code that prevents the code from continuing. This might lead to unexpected results when initialization code does not run to completion.
Expected results:
I've not figured out the exact problem here, but this should not be abl
References
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html
http://packetstormsecurity.com/files/130972/Firefox-Proxy-Prototype-Privileged-Javascript-Injection.html
http://secunia.com/advisories/62242
http://secunia.com/advisories/62250
http://secunia.com/advisories/62418
http://secunia.com/advisories/62446
http://secunia.com/advisories/62790
http://www.mozilla.org/security/announce/2014/mfsa2015-09.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/72041
http://www.securitytracker.com/id/1031533
https://bugzilla.mozilla.org/show_bug.cgi?id=987794
https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636
https://exchange.xforce.ibmcloud.com/vulnerabilities/99964
https://security.gentoo.org/glsa/201504-01
Published 2015-01-14 · Exploited in the wild