CVE-2019-11708
Published: 2019-07-23
Priority: P1 (91), critical; CVSS 3.1 base score 10
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
CISA Known Exploited Vulnerability (remediation due 2022-06-13); exploited in the wild
EPSS: 55.87% (98.9th percentile)
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 67.0.4-1 (sid) | firefox 67.0.4-1 (sid) |
| debian | firefox-esr | < firefox 67.0.4-1 (sid) | firefox 67.0.4-1 (sid) |
| debian | thunderbird | < firefox 67.0.4-1 (sid) | firefox 67.0.4-1 (sid) |
| mozilla | firefox | < 60.7.2 | 60.7.2 |
| mozilla | firefox | < 67.0.4 | 67.0.4 |
| mozilla | firefox | >= unspecified < 67.0.4 | 67.0.4 |
| mozilla | firefox_esr | >= unspecified < 60.7.2 | 60.7.2 |
| mozilla | thunderbird | < 60.7.2 | 60.7.2 |
| mozilla | thunderbird | >= 0 < 1:60.7.2-1 | 1:60.7.2-1 |
| mozilla | thunderbird | >= 0 < 1:60.7.2-1 | 1:60.7.2-1 |
| mozilla | thunderbird | >= 0 < 1:60.7.2-1 | 1:60.7.2-1 |
| mozilla | thunderbird | >= 0 < 1:60.7.2-1 | 1:60.7.2-1 |
| mozilla | thunderbird | >= 0 < 1:60.7.2+build2-0ubuntu0.16.04.1 | 1:60.7.2+build2-0ubuntu0.16.04.1 |
| mozilla | thunderbird | >= 0 < 1:60.7.2+build2-0ubuntu0.18.04.1 | 1:60.7.2+build2-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 60.7.2 | 60.7.2 |
Detection & IOCs (extracted from sources)
- Bytes: 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88
- Monitor for unsolicited or attacker-crafted 'Prompt:Open' IPC messages sent from a Firefox child/content process to the parent process, particularly those carrying unexpected or attacker-controlled URI values.
- The exploit uses GetContentFrameMessageManager to obtain the frame messageManager and then calls sendSyncMessage with 'Prompt:Open'; JavaScript instrumentation or browser telemetry detecting sendSyncMessage calls with 'Prompt:Open' from content scripts is a strong indicator of exploitation.
- The exploit uses Components.utils.import and Cu.evalInSandbox with a System Principal sandbox to escalate privileges within the browser; monitor for content-process use of Components.utils with the system principal.
- The exploit patches xul.dll in memory at known offsets for sAutomationPrefIsSet (0x051c0f13) and disabledForTest (0x05171cd8) to achieve 'god mode'; memory integrity monitoring of xul.dll at these offsets can detect exploitation.
- The egg-hunter shellcode in the exploit is prefixed with the magic QWORD bytes 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88; scanning process memory or network traffic for this byte sequence can identify the exploit payload.
- The exploit requires the Firefox content sandbox level to be lowered from 5 to at least 2 for the standalone CVE-2019-11707 payload to execute arbitrary shellcode; CVE-2019-11708 is required for a full sandbox escape at default sandbox settings.
- The xul.dll offsets used for 'god mode' patching (sAutomationPrefIsSet: 0x051c0f13, disabledForTest: 0x05171cd8) are version-specific and will differ across Firefox builds; these values apply to the specific version targeted by exploit EDB-47752.
- CVE-2019-11708 is a sandbox escape that requires a separate initial compromise of the child/content process (e.g., via CVE-2019-11707); it cannot be exploited standalone without first achieving code execution in the sandboxed content process.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |
| vendor_ubuntu | | 8.8 | HIGH | |
CISA
Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
cisa·2022-05-23·CVSS 10.0
CVE-2019-11708 [CRITICAL] CWE-20 Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
Vulnerability: Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
Affected: Mozilla Firefox and Thunderbird
Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11708
Remediation Due Date: 2022-06-13
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2019-07-01·CVSS 8.8
CVE-2019-11707 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
A type confusion bug was discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could exploit this by causing a denial of service, or executing arbitrary code. (CVE-2019-11707)
It was discovered that a sandboxed child process could open arbitrary web content in the parent process via the Prompt:Open IPC message. When combined with another vulnerability, an attacker could potentially exploit this to execute arbitrary code. (CVE-2019-11708)
Instructions: After a standard system update you need to restart Thunderbird to make all the necessary changes.
Ubuntu
Firefox vulnerability
vendor_ubuntu·2019-06-24
CVE-2019-11708 Firefox vulnerability
Title: Firefox vulnerability
Summary: A sandbox escape was discovered in Firefox.
It was discovered that a sandboxed child process could open arbitrary web content in the parent process via the Prompt:Open IPC message. When combined with another vulnerability, an attacker could potentially exploit this to execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make all the necessary changes.
Red Hat
Mozilla: Sandbox escape using Prompt:Open
vendor_redhat·2019-06-20·CVSS 10.0
CVE-2019-11708 [CRITICAL] CWE-270 Mozilla: Sandbox escape using Prompt:Open
Mozilla: Sandbox escape using Prompt:Open
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
Statement: In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when reading mail.
Debian
CVE-2019-11708: firefox - Insufficient vetting of parameters passed with the Prompt:Open IPC message betwe...
vendor_debian·2019·CVSS 10.0
CVE-2019-11708 [CRITICAL] CVE-2019-11708: firefox - Insufficient vetting of parameters passed with the Prompt:Open IPC message betwe...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
Scope: local
sid: resolved (fixed in 67.0.4-1)
GHSA
GHSA-w2hj-6j62-2w9f: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p
ghsa_unreviewed·2022-05-24
CVE-2019-11708 [CRITICAL] CWE-20 GHSA-w2hj-6j62-2w9f: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
OSV
CVE-2019-11708: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p
osv·2019-07-23·CVSS 10.0
CVE-2019-11708 [CRITICAL] CVE-2019-11708: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent p
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
OSV
thunderbird vulnerabilities
osv·2019-07-01·CVSS 8.8
CVE-2019-11707 [HIGH] thunderbird vulnerabilities
thunderbird vulnerabilities
A type confusion bug was discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could exploit this by causing a denial of service, or executing arbitrary code. (CVE-2019-11707)
It was discovered that a sandboxed child process could open arbitrary web content in the parent process via the Prompt:Open IPC message. When combined with another vulnerability, an attacker could potentially exploit this to execute arbitrary code. (CVE-2019-11708)
VulnCheck
Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
vulncheck·2019·CVSS 10.0
CVE-2019-11708 [CRITICAL] CWE-20 Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
Mozilla Firefox and Thunderbird Sandbox Escape Vulnerability
Mozilla Firefox and Thunderbird contain a sandbox escape vulnerability that could result in remote code execution.
Affected: Mozilla Firefox and Thunderbird
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
Exploit PoC: https://vulncheck.com/xdb/06ea94b0dfdc; https://vulncheck.com/xdb/5cf17684b0a0; https://vulncheck.com/xdb/be2e1d3c8a14
Remediation Due: 2022-06-13
Project0
Project Zero RCA: CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
project_zero·CVSS 8.8
CVE-2019-11707 [HIGH] Project Zero RCA: CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
# CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
*Samuel Groß, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-07-27)*
## The Basics
**Disclosure or Patch Date:** 18 June 2019
**Product:** Mozilla Firefox
**Advisory:** https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
**Affected Versions:** Firefox 67.0.2, likely earlier versions
**First Patched Version:** Firefox 67.0.3 and Firefox ESR 60.7.1
**Issue/Bug Report:**
* Project Zero issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1820
* Firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
**Patch CL:** https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e
**Bug-Introducing CL:** Unkno
No detection rules found.
Exploit-DB
Mozilla Firefox 67 - Array.pop JIT Type Confusion
exploitdb·2022-02-02·CVSS 8.8
CVE-2019-11707 [HIGH] Mozilla Firefox 67 - Array.pop JIT Type Confusion
Mozilla Firefox 67 - Array.pop JIT Type Confusion
---
# Exploit Title: Mozilla Firefox 67 - Array.pop JIT Type Confusion
# Date: 2021-12-07
# Type: RCE
# Platform: Windows
# Exploit Author: deadlock (Forrest Orr)
# Author Homepage: https://forrest-orr.net
# Vendor Homepage: https://www.mozilla.org/en-US/
# Software Link: https://ftp.mozilla.org/pub/firefox/releases/65.0.1/win64/en-US/
# Version: Firefox 67.0.2 64-bit and earlier
# Tested on: Windows 10 x64
# CVE: CVE-2019-11707
# Bypasses: DEP, High Entropy ASLR, CFG
# Full Hydseven exploit chain with sandbox escape (CVE-2019-11708): https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
Exploit-DB
Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack
exploitdb·2019-12-07
CVE-2019-9810 Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack
Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack
---
// Axel '0vercl0k' Souchet - November 19 2019
// EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47752.zip
// 0:000> ? xul!sAutomationPrefIsSet - xul
// Evaluate expression: 85724947 = 00000000`051c0f13
const XulsAutomationPrefIsSet = 0x051c0f13n;
// 0:000> ? xul!disabledForTest - xul
// Evaluate expression: 85400792 = 00000000`05171cd8
const XuldisabledForTest = 0x05171cd8n;
const Debug = false;
const dbg = p => {
if(Debug == false) {
return;
}
print(`Debug: ${p}`);
};
const ArraySize = 0x5;
const WantedArraySize = 0x42424242;
let arr = null;
let Trigger = false;
const Spray = [];
function f(Special, Idx, Value) {
arr[Idx] = 0x41414141;
Special.slice();
arr[I
Tenable
CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
blogs_tenable·2020-01-08·CVSS 8.8
[HIGH] CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks
Securelist
IT threat evolution Q2 2019. Statistics
blogs_securelist·2019-08-19
IT threat evolution Q2 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyber attacks
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky solutions blocked 717,057,912 attacks launched from online resources in 203 countries across the globe.
- 217,843,293 unique URLs triggered Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were
Tenable
CVE-2019-11707, CVE-2019-11708: Multiple Zero-Day Vulnerabilities in Mozilla Firefox Exploited in the Wild
blogs_tenable·2019-06-18·CVSS 8.8
[HIGH] CVE-2019-11707, CVE-2019-11708: Multiple Zero-Day Vulnerabilities in Mozilla Firefox Exploited in the Wild
Bugzilla
CVE-2019-11708 thunderbird: Mozilla: sandbox escape using Prompt:Open [fedora-all]
bugzilla·2019-06-21·CVSS 10.0
CVE-2019-11708 [CRITICAL] CVE-2019-11708 thunderbird: Mozilla: sandbox escape using Prompt:Open [fedora-all]
CVE-2019-11708 thunderbird: Mozilla: sandbox escape using Prompt:Open [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported ver
Bugzilla
CVE-2019-11708 Mozilla: Sandbox escape using Prompt:Open
bugzilla·2019-06-21·CVSS 10.0
CVE-2019-11708 [CRITICAL] CVE-2019-11708 Mozilla: Sandbox escape using Prompt:Open
CVE-2019-11708 Mozilla: Sandbox escape using Prompt:Open
Insufficient vetting of parameters passed with the `Prompt:Open` IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.
External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/#CVE-2019-11708
Discussion:
Acknowledgments:
Name: the Mozilla project
Upstream: Coinbase Security
---
Created thunderbird tracking bugs for this issue:
Affects: fedora-all [bug 1722679]
---
Statement:
In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when readin
Bugzilla
CVE-2019-11707 CVE-2019-11708 firefox: various flaws [fedora-all]
bugzilla·2019-06-19·CVSS 8.8
CVE-2019-11707 [HIGH] CVE-2019-11707 CVE-2019-11708 firefox: various flaws [fedora-all]
CVE-2019-11707 CVE-2019-11708 firefox: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
References
- http://packetstormsecurity.com/files/155592/Mozilla-Firefox-Windows-64-Bit-Chain-Exploit.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1559858
- https://security.gentoo.org/glsa/201908-12
- https://www.mozilla.org/security/advisories/mfsa2019-19/
- https://www.mozilla.org/security/advisories/mfsa2019-20/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11708
Timeline
- 2019-07-23: Published
- 2022-05-23: Added to CISA KEV
- Exploited in the wild