CVE-2017-5375
published 2018-06-11


Priority: P2 64
Severity: critical (CVSS 3.0 base score 9.8)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 33.43% (98.2th percentile)
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.

Affected (24 ranges)

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | firefox | < firefox 51.0-1 (sid) | firefox 51.0-1 (sid)
debian | firefox-esr | < firefox 51.0-1 (sid) | firefox 51.0-1 (sid)
mozilla | firefox | < 45.7.0 | 45.7.0
mozilla | firefox | < 51.0.1 | 51.0.1
mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.14.04.1 | 51.0.1+build2-0ubuntu0.14.04.1
mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.14.04.2 | 51.0.1+build2-0ubuntu0.14.04.2
mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.16.04.1 | 51.0.1+build2-0ubuntu0.16.04.1
mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.16.04.2 | 51.0.1+build2-0ubuntu0.16.04.2
mozilla | firefox | >= unspecified < 51 | 51
mozilla | firefox_esr | >= unspecified < 45.7 | 45.7
mozilla | thunderbird | < 45.7.0 | 45.7.0
mozilla | thunderbird | >= 0 < 1:45.7.0+build1-0ubuntu0.14.04.1 | 1:45.7.0+build1-0ubuntu0.14.04.1
mozilla | thunderbird | >= 0 < 1:45.7.0+build1-0ubuntu0.16.04.1 | 1:45.7.0+build1-0ubuntu0.16.04.1
mozilla | thunderbird | >= unspecified < 45.7 | 45.7
redhat | enterprise_linux_desktop | |
redhat | enterprise_linux_desktop | |
redhat | enterprise_linux_desktop | |
redhat | enterprise_linux_server | |
redhat | enterprise_linux_server | |
redhat | enterprise_linux_server | |
redhat | enterprise_linux_workstation | |
redhat | enterprise_linux_workstation | |
redhat | enterprise_linux_workstation | |

Detection & IOCs (extracted from sources)

Bytes: 0xa8909090 (repeated NOP sled pattern in ASM.JS JIT spray)
  • Detect ASM.JS JIT-spray by monitoring for repeated arithmetic additions using the constant 0xa8909090 within asm.js modules, indicative of a NOP sled embedded in JIT-compiled code.
  • Detect exploit trigger pattern: use of Web Workers combined with SVG namespace, ArrayBuffer allocations of sizes 0x80 and 0x100, and large Array heap sprays (0x1000, 0x4000 elements) in the same page context.
  • Detect large-scale ASM.JS module spraying: creation of thousands of identical asm.js module instances (e.g., 0x1800 or 0x1000 regions) used to predictably place JIT-compiled shellcode at known memory addresses.
  • Detect heap spray of fake DOM node objects targeting fixed addresses (e.g., 0x20200000, 0x30300000, 0x5a500000) using large ArrayBuffer blocks with crafted offsets, characteristic of this JIT-spray exploit chain.
  • Firefox versions below 51 and Firefox ESR / Thunderbird below 45.7 are vulnerable; flag use of these specific versions in network traffic User-Agent strings or software inventory.
  • The exploit uses a fixed ArrayBuffer offset of 0x88 for Firefox 50.0.1 to corrupt object internals; monitor for ArrayBuffer index manipulation at this specific offset in conjunction with asm.js spray activity.
  • The hardcoded JIT payload target addresses (e.g., 0x1c1c0054, 0x3c3c1dc8, 0x20200b58) are version-specific and rely on predictable JIT code placement; they will differ across Firefox builds, OS versions, and ASLR states.
  • The exploit's ArrayBuffer corruption offset (0x88) is specific to Firefox 50.0.1 on Windows 32-bit; this value will vary for other Firefox versions or platforms.
  • The float constant pool offset for asm.js JIT spray (0xXXXX1dc8 for Fx 44.0.2, 0xXXXX0b58 for Fx 46.0.1) is version-specific and must be recalculated for other builds.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_ubuntu | | 9.8 | CRITICAL |