ID CVE-2009-2477
Summary js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.
References
Vulnerable Configurations
  • Mozilla Firefox 3.5
    cpe:2.3:a:mozilla:firefox:3.5
CVSS
Base: 9.3 (as of 16-07-2009 - 09:07)
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file so that it either executes malicious code directly or manipulates the target process (e.g. an application server) into acting on malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high.
    The attack can be directed at a client system, for example causing a buffer overrun by loading a seemingly benign image file, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process.
    The attack can also target server processes. The attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but once it has been manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
  Vector    Complexity  Authentication
  NETWORK   MEDIUM      NONE
Impact
  Confidentiality  Integrity  Availability
  COMPLETE         COMPLETE   COMPLETE
exploit-db via4
  • description Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit. CVE-2009-2477,CVE-2009-2478. Remote exploit for windows platform
    file exploits/windows/remote/9137.html
    id EDB-ID:9137
    last seen 2016-02-01
    modified 2009-07-13
    platform windows
    port
    published 2009-07-13
    reporter Sberry
    source https://www.exploit-db.com/download/9137/
    title Mozilla Firefox 3.5 Font tags Remote Buffer Overflow Exploit
    type remote
  • description Firefox 3.5 escape() Return Value Memory Corruption. CVE-2009-2477. Remote exploits for multiple platform
    id EDB-ID:16299
    last seen 2016-02-01
    modified 2010-09-20
    published 2010-09-20
    reporter metasploit
    source https://www.exploit-db.com/download/16299/
    title Firefox 3.5 escape Return Value Memory Corruption
  • description Naenara Browser 3.5 (RedStar 3.0 Desktop) - 'JACKRABBIT' Client-Side Command Execution. CVE-2009-2477. Local exploit for Linux platform. Tags: Client Side
    file exploits/linux/local/40936.html
    id EDB-ID:40936
    last seen 2016-12-19
    modified 2016-12-18
    platform linux
    port
    published 2016-12-18
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40936/
    title Naenara Browser 3.5 (RedStar 3.0 Desktop) - 'JACKRABBIT' Client-Side Command Execution
    type local
  • description Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit (pl). CVE-2009-2477. Remote exploit for windows platform
    id EDB-ID:9214
    last seen 2016-02-01
    modified 2009-07-20
    published 2009-07-20
    reporter netsoul
    source https://www.exploit-db.com/download/9214/
    title Mozilla Firefox 3.5 Font tags Remote Heap Spray Exploit pl
  • id EDB-ID:9181
metasploit via4
description This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. The flaw occurs when a bug in the JavaScript engine fails to preserve the return value of the escape() function, so that uninitialized memory is used in its place. This module has only been tested on Windows, but should work on other platforms as well with the current targets.
id MSF:EXPLOIT/MULTI/BROWSER/FIREFOX_ESCAPE_RETVAL
last seen 2018-06-05
modified 2017-07-24
published 2009-07-14
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_escape_retval.rb
title Firefox 3.5 escape() Return Value Memory Corruption
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201301-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201301-01 (Mozilla Products: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, bypass restrictions and protection mechanisms, force file downloads, conduct XML injection attacks, conduct XSS attacks, bypass the Same Origin Policy, spoof URLs for phishing attacks, trigger a vertical scroll, spoof the location bar, spoof an SSL indicator, modify the browser's font, conduct clickjacking attacks, or have other unspecified impact. A local attacker could gain escalated privileges, obtain sensitive information, or replace an arbitrary downloaded file. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 63402
    published 2013-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=63402
    title GLSA-201301-01 : Mozilla Products: Multiple vulnerabilities (BEAST)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_351.NASL
    description Firefox 3.5 is installed on the remote host. This version is potentially affected by multiple flaws : - It may be possible to crash the browser or potentially execute arbitrary code by using a flash object that presents a slow script dialog. (MFSA 2009-35) - In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. An attacker who is able to trick a user of the affected software into visiting a malicious link may be able to leverage this issue to run arbitrary code subject to the user's privileges. (MFSA 2009-41)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 39853
    published 2009-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39853
    title Firefox 3.5.x < 3.5.1 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_C1EF9B3372A611DE82EA0030843D3802.NASL
    description Mozilla Project reports : Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware. This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 39867
    published 2009-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39867
    title FreeBSD : mozilla -- corrupt JIT state after deep return from native function (c1ef9b33-72a6-11de-82ea-0030843d3802)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-7898.NASL
    description Update to new upstream Firefox version 3.5.1, fixing multiple security issues detailed in the upstream advisories: http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1 Update also includes all packages depending on gecko-libs rebuilt against new version of Firefox / XULRunner. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-20
    plugin id 40347
    published 2009-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40347
    title Fedora 11 : kazehakase-0.5.6-11.svn3771_trunk.fc11.3 / Miro-2.0.5-2.fc11 / blam-1.8.5-12.fc11 / etc (2009-7898)
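The Tenable check above keys on the version range alone (Firefox 3.5.x earlier than 3.5.1), and the FreeBSD entry notes that pre-JIT releases are not affected. The following is an added example, not code from this page, from Mozilla or from Tenable, of such a version-range check written in Python: it implements the Mozilla toolkit version-comparison rules (each dot-separated part is split into number/string/number/string, and an empty string part sorts after a non-empty one, so 3.5pre sorts before 3.5) and classifies a version string as affected, fixed, or older than the affected range. The `firefox --version` output strings are constructed sample input, and the `firefox` binary name used by `main()` is an assumption.

```python
"""Version-range check for CVE-2009-2477 (Firefox 3.5 before 3.5.1).

Added example; not code from the CVE page, Mozilla or Tenable.  Implements the
Mozilla toolkit version-comparison rules well enough to decide whether a
version string falls inside the affected range [3.5, 3.5.1).
"""
import re
import subprocess

FIRST_AFFECTED = "3.5"    # first release shipping the TraceMonkey JIT (per the advisories above)
FIRST_FIXED = "3.5.1"     # release carrying the MFSA 2009-41 fix

# One version part: leading digits, then non-digits, then digits, then the rest.
_PART_RE = re.compile(r"^(\d*)([^\d]*)(\d*)(.*)$")
# A version token such as 3.5, 3.5.1, 3.5b4 or 3.0.11 inside free text.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+[0-9A-Za-z]*)")


def _part_key(part: str) -> tuple:
    """Sort key for one dot-separated part, e.g. '5b4' -> (5, (0,'b'), 4, (1,''))."""
    num_a, str_b, num_c, str_d = _PART_RE.match(part).groups()

    def num(s: str) -> int:
        return int(s) if s else 0

    def txt(s: str) -> tuple:
        # Toolkit rule: an empty string part is greater than any non-empty one,
        # so "3.5" > "3.5pre".  (The "1.0+" == "1.1pre" rule is not implemented.)
        return (1, "") if s == "" else (0, s)

    return (num(num_a), txt(str_b), num(num_c), txt(str_d))


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.  Missing parts count as empty, so 3.5 == 3.5.0."""
    ka = [_part_key(p) for p in a.strip().split(".")]
    kb = [_part_key(p) for p in b.strip().split(".")]
    empty = _part_key("")
    width = max(len(ka), len(kb))
    ka += [empty] * (width - len(ka))
    kb += [empty] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def classify(version: str) -> str:
    """'affected' for [3.5, 3.5.1), 'fixed' for >= 3.5.1, 'older' for anything below 3.5.

    Pre-release builds such as 3.5b4 or 3.5pre sort below 3.5 and therefore
    land in 'older'; the CVE names only 3.5 and 3.5.1, so this is a range
    result, not a statement that those builds are safe.
    """
    if compare(version, FIRST_FIXED) >= 0:
        return "fixed"
    if compare(version, FIRST_AFFECTED) >= 0:
        return "affected"
    return "older"


def is_vulnerable(version: str) -> bool:
    return classify(version) == "affected"


def extract_version(text: str) -> str:
    """Pull the version token out of 'Mozilla Firefox 3.5.1' or a 'Version=3.5' ini line."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no version string found in: %r" % text)
    return match.group(1)


def assess_output(text: str) -> tuple:
    """(version, classification) for one line of `firefox --version` style output."""
    version = extract_version(text)
    return version, classify(version)


# Constructed sample output lines (not captured from real systems).
SAMPLE_OUTPUTS = [
    "Mozilla Firefox 3.5",
    "Mozilla Firefox 3.5.1",
    "Mozilla Firefox 3.0.11",
    "Mozilla Firefox 3.5b4",
    "Mozilla Firefox 3.6",
]


def main() -> None:
    for line in SAMPLE_OUTPUTS:
        version, verdict = assess_output(line)
        print("%-8s %s" % (version, verdict))
    # Assumption: the browser is on PATH as `firefox`; skip quietly if it is not.
    try:
        out = subprocess.run(["firefox", "--version"], capture_output=True, text=True, timeout=30)
        print("installed:", assess_output(out.stdout))
    except (FileNotFoundError, subprocess.TimeoutExpired, ValueError) as exc:
        print("installed: not checked (%s)" % exc)


if __name__ == "__main__":
    main()
```

The comparison treats `3.5` and `3.5.0` as equal and keeps `3.5pre` below `3.5`, which is what the toolkit rules do; a naive `tuple(map(int, v.split(".")))` would crash on beta strings and mis-order them.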
refmap via4
bid 35660
cert-vn VU#443060
exploit-db
  • 40936
  • 9137
  • 9181
fedora FEDORA-2009-7898
secunia 35798
sunalert 266148
vupen ADV-2009-1868
saint via4
bid 35660
description Mozilla Firefox JIT Escape Function Memory Corruption
id web_client_firefox
osvdb 55846
title firefox_jitescapefunction_memory_corruption
type client
Last major update 04-09-2009 - 00:00
Published 15-07-2009 - 11:30
Last modified 18-09-2017 - 21:29