CVE-2016-2819
Published 2016-06-13
CVE-2016-2819: Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via…
Priority: P2 · 64 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 24.04% (97.6th percentile)
Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 47.0-1 (sid) | firefox 47.0-1 (sid) |
| debian | firefox-esr | < firefox 47.0-1 (sid) | firefox 47.0-1 (sid) |
| mozilla | firefox | <= 46.0.1 | — |
| mozilla | firefox | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 47.0+build3-0ubuntu0.14.04.1 | 47.0+build3-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 47.0+build3-0ubuntu0.16.04.1 | 47.0+build3-0ubuntu0.16.04.1 |
| opensuse | leap | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers the CVE-2016-2819 heap overflow by setting outerHTML to an HTML5 fragment (e.g., a CSS rule string) on a DOM element, causing a buffer overflow when parsing foreign-context HTML5 fragments under an SVG node.
- The exploit uses asm.js JIT-spray to place attacker-controlled shellcode at a predictable address (0x20200b58) by spraying 0x1000 asm.js float constant pool regions, bypassing ASLR and DEP on 32-bit Windows Firefox.
- The asm.js JIT-spray embeds msfvenom windows/exec CMD=calc.exe shellcode encoded as IEEE 754 double-precision float constants within an asm.js module's FFI call, which are then JIT-compiled into executable memory at a predictable address.
- The exploit sprays fake Node objects at heap address 0x5a500000 to gain EIP control, then redirects execution to the JIT-sprayed shellcode at 0x20200b58. Monitor for large heap spray loops targeting fixed addresses in JavaScript.
- The vulnerability is triggered via foreign-context HTML5 fragment parsing (e.g., innerHTML/outerHTML assignment within or adjacent to SVG elements). Monitor for DOM manipulation patterns setting outerHTML/innerHTML on SVG-context elements with CSS or HTML5 content.
- On Windows, asm.js JIT-spray causes repeated VirtualAlloc calls (PAGE_READWRITE) followed by VirtualProtect to PAGE_EXECUTE_READ for each module instantiation. Monitoring for a high volume of VirtualAlloc/VirtualProtect transitions from the Firefox renderer process is a host-based detection signal.
- The asm.js JIT-spray technique hides shellcode opcodes within 4-byte integer or float constants passed to FFI calls or stored to heap arrays, exploiting the lack of constant blinding in Firefox's asm.js JIT. Detection: look for asm.js modules with large numbers of repeated near-identical float/integer constants.
- The vulnerability was reported by researcher 'firehack' and is tracked as MFSA 2016-50. Affected versions are Firefox < 47.0 and Firefox ESR 45.x < 45.2.
- Caveat: the JIT-spray shellcode addresses (0x20200b58 for EIP, 0x5a500000 for the fake node spray) are specific to Firefox 46.0.1 on 32-bit Windows. These hardcoded addresses will differ across Firefox versions, OS versions, and architectures.
- Caveat: the asm.js JIT-spray technique is confirmed for 32-bit (x86) Firefox on Windows. The researcher notes Linux requires more modules due to 4KB mmap granularity, and 64-bit Firefox impact was not fully investigated.
- Caveat: the exploit PoC from exploit-db targets Firefox 46.0.1 specifically. CVE-2016-2819 is fixed in Firefox 47.0 and Firefox ESR 45.2; the JIT-spray bypass technique (lack of constant blinding, no exec quota) is a separate but co-exploited weakness.
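A source-level heuristic for two of the signals listed above (an asm.js module carrying many repeated near-identical numeric constants, and a heap-filling loop with a very large fixed bound), written here as an added defender-side example; it is not code from the exploit, from exploit-db, or from Mozilla, and the thresholds and the three sample JavaScript inputs are constructed assumptions.

```python
import re

# Signal 1: an asm.js module ("use asm") carrying many repeated near-identical
# numeric literals. Signal 2: a loop with a very large fixed bound, as used to
# fill the heap with objects. Both are heuristics and need tuning per corpus.
NUM_RE = re.compile(
    r'(?<![\w.])(?:0x[0-9a-fA-F]+|\d+\.\d+(?:[eE][-+]?\d+)?|\d+[eE][-+]?\d+)')
LOOP_RE = re.compile(r'for\s*\([^;]*;\s*\w+\s*<\s*(0x[0-9a-fA-F]+|\d+)')

def _to_int(lit):
    return int(lit, 16) if lit.lower().startswith("0x") else int(lit)

def analyze_js(src, min_consts=32, max_distinct_ratio=0.25, spray_iters=0x1000):
    """Score one JavaScript source text against both heuristics."""
    f = {"asm_js": '"use asm"' in src or "'use asm'" in src,
         "const_count": 0, "distinct_ratio": 1.0,
         "jit_spray_suspect": False, "spray_loop_suspect": False}
    if f["asm_js"]:
        consts = NUM_RE.findall(src)
        f["const_count"] = len(consts)
        if consts:
            f["distinct_ratio"] = len(set(consts)) / len(consts)
        # Many literals, few distinct values: the constant pool is the payload.
        f["jit_spray_suspect"] = (len(consts) >= min_consts
                                  and f["distinct_ratio"] <= max_distinct_ratio)
    f["spray_loop_suspect"] = any(_to_int(b) >= spray_iters
                                  for b in LOOP_RE.findall(src))
    return f

# Constructed sample (assumption, not the exploit): an asm.js module that feeds
# three tiny placeholder doubles to an FFI import sixty times.
_CALLS = "\n".join("    f(%s);" % ("1.0e-300", "1.1e-300", "1.2e-300")[i % 3]
                   for i in range(60))
SUSPECT_JS = ('function m(stdlib, ffi, heap) {\n  "use asm";\n  var f = ffi.f;\n'
              '  function run() {\n' + _CALLS + '\n  }\n  return run;\n}\n')
# Constructed sample: ordinary asm.js with no literal constants at all.
BENIGN_JS = ('function g(stdlib) {\n  "use asm";\n  var sqrt = stdlib.Math.sqrt;\n'
             '  function hyp(a, b) { a = +a; b = +b; return +sqrt(a*a + b*b); }\n'
             '  return hyp;\n}\n')
# Constructed sample: a plain heap-filling loop with a fixed 0x1000 bound.
SPRAY_JS = "var a = []; for (var i = 0; i < 0x1000; i++) { a.push(new Uint32Array(64)); }"

if __name__ == "__main__":
    for name, js in (("suspect", SUSPECT_JS), ("benign", BENIGN_JS), ("spray", SPRAY_JS)):
        print(name, analyze_js(js))
```

The ratio and loop-bound thresholds are deliberately conservative; a real deployment would calibrate them against a corpus of benign asm.js and game/graphics code, which legitimately carries loops and constant tables.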
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
GHSA
GHSA-w5jf-q8p2-qgmx: Heap-based buffer overflow in Mozilla Firefox before 47
ghsa_unreviewed · 2022-05-14 · CVE-2016-2819 [HIGH] · CWE-119
Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.
OSV
CVE-2016-2819: Heap-based buffer overflow in Mozilla Firefox before 47
osv · 2016-06-13 · CVSS 8.8 · CVE-2016-2819 [HIGH]
Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.
OSV
firefox vulnerabilities
osv · 2016-06-09 · CVSS 8.8 · CVE-2016-2815 [HIGH]
Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel, Sylvestre Ledru, Julian Seward, Olli Pettay, Karl Tomlinson, Christoph Diehl, Julian Hector, Jan de Mooij, Mats Palmgren, and Tooru Fujisawa discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)
A buffer overflow was discovered when parsing HTML5 fragments in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-28
Ubuntu
Firefox vulnerabilities
vendor_ubuntu · 2016-06-09 · CVSS 8.8 · CVE-2016-2815 [HIGH]
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel, Sylvestre Ledru, Julian Seward, Olli Pettay, Karl Tomlinson, Christoph Diehl, Julian Hector, Jan de Mooij, Mats Palmgren, and Tooru Fujisawa discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-2815, CVE-2016-2818)
A buffer overflow was discovered when parsing HTML5 fragments in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could pote
Red Hat
Mozilla: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)
vendor_redhat · 2016-06-08 · CVSS 8.8 · CVE-2016-2819 [HIGH]
Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 6) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-2819: firefox - Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x b...
vendor_debian · 2016 · CVSS 8.8 · CVE-2016-2819 [HIGH]
Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.
Scope: local
sid: resolved (fixed in 47.0-1)
No detection rules found.
Bugzilla
lack of executable-code quota allows full bypass of ASLR and DEP
bugzilla · 2016-12-21 · [CRITICAL]
Created attachment 8820887
PoC for Firefox 50.1.0 (Release). Demonstrates point 2.1 in the report.
asm.js allows one to JIT-spray attacker-controlled code, and hence allows one to fully bypass ASLR and DEP in 32-bit (x86) Firefox (tested versions: Release and Nightly). As it is very easy to find, I do not know if it is already known (I hope I do not reinvent the wheel here...)
In summary this means that an attacker can exploit a memory corruption vulnerability (such as a UAF) as if no ASLR and DEP existed. He only needs EIP control and does not need any memory disclosures/info-leaks or code-reuse. That makes exploitation of memory corruptions for an attacker super easy.
Consider the following asm.js script:
function asm_js_modul
Bugzilla
CVE-2016-2819 Mozilla: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)
bugzilla · 2016-06-06 · CVSS 8.8 · CVE-2016-2819 [HIGH]
Security researcher firehack reported a buffer overflow when parsing HTML5 fragments in a foreign context such as under an `<svg>` node. This results in a potentially exploitable crash when inserting an HTML fragment into an existing document.
External Reference:
https://www.mozilla.org/security/announce/2016/mfsa2016-50.html
Acknowledgements:
Name: the Mozilla project
Upstream: firehack
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2016:1217 https://access.redhat.com/errata/RHSA-2016:1217
References:
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00055.html
- http://www.debian.org/security/2016/dsa-3600
- http://www.mozilla.org/security/announce/2016/mfsa2016-50.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/91075
- http://www.securitytracker.com/id/1036057
- http://www.ubuntu.com/usn/USN-2993-1
- https://access.redhat.com/errata/RHSA-2016:1217
- https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
- https://www.exploit-db.com/exploits/44293/
Published 2016-06-13