CVE-2015-0816
Published: 2015-04-01
Priority: P3 (54, medium) · CVSS 2.0 base score 5
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit: public exploit available
EPSS: 67.14% (percentile 99.2)
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 31.5.3 | — |
| mozilla | firefox | <= 36.0.4 | — |
| mozilla | firefox | >= 0 < 37.0+build2-0ubuntu0.14.04.1 | 37.0+build2-0ubuntu0.14.04.1 |
| mozilla | thunderbird | <= 31.5 | — |
| mozilla | thunderbird | >= 0 < 1:31.6.0+build1-0ubuntu0.14.04.1 | 1:31.6.0+build1-0ubuntu0.14.04.1 |
Detection & IOCs (extracted from sources)
- Exploit targets Firefox versions 35 and 36 specifically; browser UA version checks between 35 and 36 are a key targeting signal.
- Exploit delivery page contains a lure string used as default HTML content; monitor for pages serving this string alongside PDF/XML data URIs.
- Exploit uses messageManager.loadFrameScript with a data: URI to inject privileged JavaScript into a chrome window; monitor for this API call pattern in browser process logs or network captures.
- Exploit loads an iframe with src='data:application/pdf,' and a blob URL to trigger PDF.js in a privileged context; anomalous blob: or data:application/pdf URIs in iframe src attributes are suspicious.
- Exploit uses the view-source: scheme combined with object element data attribute reassignment as part of sandbox context acquisition; monitor for view-source: URIs set on object.data dynamically.
- The exploit requires a user click anywhere on the page to trigger; social engineering lure pages prompting clicks combined with PDF.js resource:// loading should be flagged.
- Privilege escalation is achieved by combining CVE-2015-0816 (resource:// bypass) with CVE-2015-0802 (messageManager access); detections should look for chained exploitation of both CVEs.
- The exploit only works against Firefox 35 and 36; versions outside this range are not targeted by this specific Metasploit module, though the CVE affects Firefox before 37.0 and ESR 31.x before 31.6.
- In Thunderbird, the flaw cannot generally be exploited via email because scripting is disabled by default; risk is elevated only in browser or browser-like contexts.
- Exploitation of this CVE alone is insufficient for arbitrary code execution; it must be chained with a separate same-origin policy bypass vulnerability (e.g., CVE-2015-0802).
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS 2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_redhat | 5.0 | MEDIUM | — |
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2015-04-02·CVSS 7.5
CVE-2015-0801 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit this to bypass same-origin policy restrictions.
(CVE-2015-0801)
Christoph Kerschbaumer discovered that CORS requests from
navigator.sendBeacon() followed 30x redirections after preflight. If a
user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to conduct
cross-site request forgery (XSRF) attacks. (CVE-2015-0807)
Aki Helin discovered a use-after-free when playing MP3 audio files using
the Fluendo
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2015-04-01·CVSS 7.5
CVE-2015-0801 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this
to bypass same-origin policy restrictions. (CVE-2015-0801)
Bobby Holley discovered that windows created to hold privileged UI content
retained access to privileged internal methods if navigated to
unprivileged content. An attacker could potentially exploit this in
combination with another flaw, in order to execute arbitrary script in a
privileged context. (CVE-2015-0802)
Several type confusion issues were discovered in Firefox. If a user were
tricke
Red Hat
Mozilla: resource: // documents can load privileged pages (MFSA 2015-33)
vendor_redhat·2015-03-31·CVSS 5.0
CVE-2015-0816 [MEDIUM] CWE-250 Mozilla: resource: // documents can load privileged pages (MFSA 2015-33)
Mozilla: resource: // documents can load privileged pages (MFSA 2015-33)
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
A flaw was found in the way documents were loaded via resource URLs in, for example, Mozilla's PDF.js PDF file viewer. An attacker could use this flaw to bypass certain restrictions and under certain conditions even execute arbitrary code with the privileges of the user running Firefox.
GHSA
GHSA-gjhp-68hp-85fp: Mozilla Firefox before 37
ghsa_unreviewed·2022-05-17
CVE-2015-0816 [MEDIUM] GHSA-gjhp-68hp-85fp: Mozilla Firefox before 37
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
OSV
thunderbird vulnerabilities
osv·2015-04-02·CVSS 7.5
CVE-2015-0801 [HIGH] thunderbird vulnerabilities
thunderbird vulnerabilities
Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit this to bypass same-origin policy restrictions.
(CVE-2015-0801)
Christoph Kerschbaumer discovered that CORS requests from
navigator.sendBeacon() followed 30x redirections after preflight. If a
user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to conduct
cross-site request forgery (XSRF) attacks. (CVE-2015-0807)
Aki Helin discovered a use-after-free when playing MP3 audio files using
the Fluendo MP3 GStreamer plugin in certain circumstances. If a user were
tricke
OSV
firefox vulnerabilities
osv·2015-04-01·CVSS 7.5
CVE-2015-0801 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this
to bypass same-origin policy restrictions. (CVE-2015-0801)
Bobby Holley discovered that windows created to hold privileged UI content
retained access to privileged internal methods if navigated to
unprivileged content. An attacker could potentially exploit this in
combination with another flaw, in order to execute arbitrary script in a
privileged context. (CVE-2015-0802)
Several type confusion issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of se
OSV
CVE-2015-0816: Mozilla Firefox before 37
osv·2015-04-01·CVSS 5.0
CVE-2015-0816 [MEDIUM] CVE-2015-0816: Mozilla Firefox before 37
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
No detection rules found.
Exploit-DB
Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)
exploitdb·2015-08-24·CVSS 5.0
CVE-2015-0816 [MEDIUM] Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)
Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Firefox PDF.js Privileged Javascript Injection',
'Description' => %q{
This module gains remote code execution on Firefox 35-36 by abusing a
privilege escalation bug in resource:// URIs. PDF.js is used to exploit
the bug. This exploit requires the user to click anywhere on the page to
trigger the vulnerability.
},
'Author' => [
'Unknown', # PDF.js injection code was taken from a 0day
'Marius Mlynski', # discovery and pwn2own exploit
'joev' # copypasta monkey, CVE-2015-0802
],
'DisclosureDate' => "Mar 31 2015",
'License' => MSF_LICENSE,
'Ref
```
Metasploit
Firefox PDF.js Privileged Javascript Injection
metasploit
Firefox PDF.js Privileged Javascript Injection
Firefox PDF.js Privileged Javascript Injection
This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Bugzilla
CVE-2015-1246 chromium-browser: Out-of-bounds read in Blink
bugzilla·2015-04-15·CVSS 5.0
CVE-2015-1246 [MEDIUM] CVE-2015-1246 chromium-browser: Out-of-bounds read in Blink
CVE-2015-1246 chromium-browser: Out-of-bounds read in Blink
An unspecified out-of-bounds read flaw was found in the Blink component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=437399
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1247 chromium-browser: Scheme issues in OpenSearch
bugzilla·2015-04-15·CVSS 5.0
CVE-2015-1247 [MEDIUM] CVE-2015-1247 chromium-browser: Scheme issues in OpenSearch
CVE-2015-1247 chromium-browser: Scheme issues in OpenSearch
An unspecified scheme-handling flaw was found in the OpenSearch component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=429838
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1238 chromium-browser: Out-of-bounds write in Skia
bugzilla·2015-04-15·CVSS 7.5
CVE-2015-1238 [HIGH] CVE-2015-1238 chromium-browser: Out-of-bounds write in Skia
CVE-2015-1238 chromium-browser: Out-of-bounds write in Skia
An unspecified out-of-bounds write flaw was found in the Skia component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=445808
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1236 chromium-browser: Cross-origin-bypass in Blink
bugzilla·2015-04-15·CVSS 4.3
CVE-2015-1236 [MEDIUM] CVE-2015-1236 chromium-browser: Cross-origin-bypass in Blink
CVE-2015-1236 chromium-browser: Cross-origin-bypass in Blink
An unspecified cross-origin-bypass flaw was found in the Blink component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=313939
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1237 chromium-browser: Use-after-free in IPC
bugzilla·2015-04-15·CVSS 7.5
CVE-2015-1237 [HIGH] CVE-2015-1237 chromium-browser: Use-after-free in IPC
CVE-2015-1237 chromium-browser: Use-after-free in IPC
An unspecified use-after-free flaw was found in the IPC component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=461191
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1249 chromium-browser: Various fixes from internal audits, fuzzing and other initiatives
bugzilla·2015-04-15·CVSS 7.5
CVE-2015-1249 [HIGH] CVE-2015-1249 chromium-browser: Various fixes from internal audits, fuzzing and other initiatives
CVE-2015-1249 chromium-browser: Various fixes from internal audits, fuzzing and other initiatives
Unspecified flaws were found in the unspecified components of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=476786
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1242 chromium-browser: Type confusion in V8
bugzilla·2015-04-15·CVSS 7.5
CVE-2015-1242 [HIGH] CVE-2015-1242 chromium-browser: Type confusion in V8
CVE-2015-1242 chromium-browser: Type confusion in V8
An unspecified type confusion flaw was found in the V8 component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=460917
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1240 chromium-browser: Out-of-bounds read in WebGL
bugzilla·2015-04-15·CVSS 5.0
CVE-2015-1240 [MEDIUM] CVE-2015-1240 chromium-browser: Out-of-bounds read in WebGL
CVE-2015-1240 chromium-browser: Out-of-bounds read in WebGL
An unspecified out-of-bounds read flaw was found in the WebGL component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=463599
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1244 chromium-browser: HSTS bypass in WebSockets
bugzilla·2015-04-15·CVSS 5.0
CVE-2015-1244 [MEDIUM] CVE-2015-1244 chromium-browser: HSTS bypass in WebSockets
CVE-2015-1244 chromium-browser: HSTS bypass in WebSockets
An unspecified HSTS bypass flaw was found in the WebSockets component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=455215
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1248 chromium-browser: SafeBrowsing bypass
bugzilla·2015-04-15·CVSS 4.3
CVE-2015-1248 [MEDIUM] CVE-2015-1248 chromium-browser: SafeBrowsing bypass
CVE-2015-1248 chromium-browser: SafeBrowsing bypass
A safebrowsing bypass flaw was found in the unspecified component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=380663
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1245 chromium-browser: Use-after-free in PDFium
bugzilla·2015-04-15·CVSS 6.8
CVE-2015-1245 [MEDIUM] CVE-2015-1245 chromium-browser: Use-after-free in PDFium
CVE-2015-1245 chromium-browser: Use-after-free in PDFium
An unspecified use-after-free flaw was found in the PDFium component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=444957
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1235 chromium-browser: Cross-origin-bypass in HTML parser
bugzilla·2015-04-15·CVSS 5.0
CVE-2015-1235 [MEDIUM] CVE-2015-1235 chromium-browser: Cross-origin-bypass in HTML parser
CVE-2015-1235 chromium-browser: Cross-origin-bypass in HTML parser
An unspecified cross-origin-bypass flaw was found in the HTML parser component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=456518
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-1241 chromium-browser: tap-jacking vulnerability
bugzilla·2015-04-15·CVSS 4.3
CVE-2015-1241 [MEDIUM] CVE-2015-1241 chromium-browser: tap-jacking vulnerability
CVE-2015-1241 chromium-browser: tap-jacking vulnerability
An unspecified tap-jacking flaw was found in the unspecified component of the Chromium browser.
Upstream bug: https://code.google.com/p/chromium/issues/detail?id=418402
External References:
http://googlechromereleases.blogspot.com/2015/04/stable-channel-update_14.html
Discussion:
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2015:0816 https://rhn.redhat.com/errata/RHSA-2015-0816.html
Bugzilla
CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33)
bugzilla·2015-03-30·CVSS 5.0
CVE-2015-0816 [MEDIUM] CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33)
CVE-2015-0816 Mozilla: resource:// documents can load privileged pages (MFSA 2015-33)
Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded through a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs were handled incorrectly and could be bypassed. If this flaw was combined with a separate vulnerability allowing for same-origin policy violation, it could be used to run arbitrary code.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.
External Reference:
http://www.mozilla.org/s
References:
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
- http://rhn.redhat.com/errata/RHSA-2015-0766.html
- http://rhn.redhat.com/errata/RHSA-2015-0771.html
- http://www.debian.org/security/2015/dsa-3211
- http://www.debian.org/security/2015/dsa-3212
- http://www.mozilla.org/security/announce/2015/mfsa2015-33.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/73461
- http://www.securitytracker.com/id/1031996
- http://www.securitytracker.com/id/1032000
- http://www.ubuntu.com/usn/USN-2550-1
- http://www.ubuntu.com/usn/USN-2552-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1144991
- https://security.gentoo.org/glsa/201512-10
- https://www.exploit-db.com/exploits/37958/
Published: 2015-04-01