Lucene search
This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.FREEBSD_PKG_8F5DD74B2C6111DAA2630001020EED82.NASLHistoryMay 13, 2006 - 12:00 a.m.
FreeBSD : firefox & mozilla -- multiple vulnerabilities (8f5dd74b-2c61-11da-a263-0001020eed82)
2006-05-1300:00:00
This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
8
A Mozilla Foundation Security Advisory reports of multiple issues :
Heap overrun in XBM image processing jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to install or run malicious code on the user’s machine.
Thunderbird does not support the XBM format and is not affected by this flaw. Crash on ‘zero-width non-joiner’ sequence Mats Palmgren discovered that a reported crash on Unicode sequences with ‘zero-width non-joiner’ characters was due to stack corruption that may be exploitable. XMLHttpRequest header spoofing It was possible to add illegal and malformed headers to an XMLHttpRequest. This could have been used to exploit server or proxy flaws from the user’s machine, or to fool a server or proxy into thinking a single request was a stream of separate requests. The severity of this vulnerability depends on the value of servers which might be vulnerable to HTTP request smuggling and similar attacks, or which share an IP address (virtual hosting) with the attacker’s page.
For users connecting to the web through a proxy this flaw could be used to bypass the same-origin restriction on XMLHttpRequests by fooling the proxy into handling a single request as multiple pipe-lined requests directed at arbitrary hosts. This could be used, for example, to read files on intranet servers behind a firewall.
Object spoofing using XBL <implements> moz_bug_r_a4 demonstrated a DOM object spoofing bug similar to MFSA 2005-55 using an XBL control that <implements> an internal interface. The severity depends on the version of Firefox: investigation so far indicates Firefox 1.0.x releases don’t expose any vulnerable functionality to interfaces spoofed in this way, but that early Deer Park Alpha 1 versions did.
XBL was changed to no longer allow unprivileged controls from web content to implement XPCOM interfaces. JavaScript integer overflow Georgi Guninski reported an integer overflow in the JavaScript engine.
We presume this could be exploited to run arbitrary code under favorable conditions. Privilege escalation using about: scheme heatsync and shutdown report two different ways to bypass the restriction on loading high privileged ‘chrome’ pages from an unprivileged ‘about:’ page. By itself this is harmless–once the ‘about’ page’s privilege is raised the original page no longer has access–but should this be combined with a same-origin violation this could lead to arbitrary code execution. Chrome window spoofing moz_bug_r_a4 demonstrates a way to get a blank ‘chrome’ canvas by opening a window from a reference to a closed window. The resulting window is not privileged, but the normal browser UI is missing and can be used to construct a spoof page without any of the safety features of the browser chrome designed to alert users to phishing sites, such as the address bar and the status bar.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(21473);
script_version("1.18");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2005-2701", "CVE-2005-2702", "CVE-2005-2703", "CVE-2005-2704", "CVE-2005-2705", "CVE-2005-2706", "CVE-2005-2707");
script_name(english:"FreeBSD : firefox & mozilla -- multiple vulnerabilities (8f5dd74b-2c61-11da-a263-0001020eed82)");
script_summary(english:"Checks for updated packages in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:
"The remote FreeBSD host is missing one or more security-related
updates."
);
script_set_attribute(
attribute:"description",
value:
"A Mozilla Foundation Security Advisory reports of multiple issues :
Heap overrun in XBM image processing jackerror reports that an
improperly terminated XBM image ending with space characters instead
of the expected end tag can lead to a heap buffer overrun. This
appears to be exploitable to install or run malicious code on the
user's machine.
Thunderbird does not support the XBM format and is not affected by
this flaw. Crash on 'zero-width non-joiner' sequence Mats Palmgren
discovered that a reported crash on Unicode sequences with 'zero-width
non-joiner' characters was due to stack corruption that may be
exploitable. XMLHttpRequest header spoofing It was possible to add
illegal and malformed headers to an XMLHttpRequest. This could have
been used to exploit server or proxy flaws from the user's machine, or
to fool a server or proxy into thinking a single request was a stream
of separate requests. The severity of this vulnerability depends on
the value of servers which might be vulnerable to HTTP request
smuggling and similar attacks, or which share an IP address (virtual
hosting) with the attacker's page.
For users connecting to the web through a proxy this flaw could be
used to bypass the same-origin restriction on XMLHttpRequests by
fooling the proxy into handling a single request as multiple
pipe-lined requests directed at arbitrary hosts. This could be used,
for example, to read files on intranet servers behind a firewall.
Object spoofing using XBL <implements> moz_bug_r_a4 demonstrated a DOM
object spoofing bug similar to MFSA 2005-55 using an XBL control that
<implements> an internal interface. The severity depends on the
version of Firefox: investigation so far indicates Firefox 1.0.x
releases don't expose any vulnerable functionality to interfaces
spoofed in this way, but that early Deer Park Alpha 1 versions did.
XBL was changed to no longer allow unprivileged controls from web
content to implement XPCOM interfaces. JavaScript integer overflow
Georgi Guninski reported an integer overflow in the JavaScript engine.
We presume this could be exploited to run arbitrary code under
favorable conditions. Privilege escalation using about: scheme
heatsync and shutdown report two different ways to bypass the
restriction on loading high privileged 'chrome' pages from an
unprivileged 'about:' page. By itself this is harmless--once the
'about' page's privilege is raised the original page no longer has
access--but should this be combined with a same-origin violation this
could lead to arbitrary code execution. Chrome window spoofing
moz_bug_r_a4 demonstrates a way to get a blank 'chrome' canvas by
opening a window from a reference to a closed window. The resulting
window is not privileged, but the normal browser UI is missing and can
be used to construct a spoof page without any of the safety features
of the browser chrome designed to alert users to phishing sites, such
as the address bar and the status bar."
);
# http://www.mozilla.org/security/announce/mfsa2005-58.html
script_set_attribute(
attribute:"see_also",
value:"https://www.mozilla.org/en-US/security/advisories/mfsa2005-58/"
);
# https://vuxml.freebsd.org/freebsd/8f5dd74b-2c61-11da-a263-0001020eed82.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?0a2b5253"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_cwe_id(94);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:de-linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:de-linux-netscape");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:de-netscape7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:el-linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:fr-linux-netscape");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:fr-netscape7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-linux-mozillafirebird-gtk1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-linux-netscape");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-mozillafirebird-gtk2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ja-netscape7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-mozilla");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-mozilla-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-netscape");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:linux-phoenix");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla+ipv6");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-embedded");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-firebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-gtk");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-gtk1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-gtk2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mozilla-thunderbird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:netscape7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phoenix");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:pt_BR-netscape7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:zhCN-linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:zhTW-linux-mozillafirebird");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/22");
script_set_attribute(attribute:"patch_publication_date", value:"2005/09/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"firefox<1.0.7,1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-firefox<1.0.7")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla<1.7.12,2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla>=1.8.*,2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-mozilla<1.7.12")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-mozilla-devel>0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"netscape7>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"de-linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"el-linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-linux-mozillafirebird-gtk1>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-mozillafirebird-gtk2>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ru-linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"zhCN-linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"zhTW-linux-mozillafirebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"de-linux-netscape>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"de-netscape7>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"fr-linux-netscape>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"fr-netscape7>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-linux-netscape>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ja-netscape7>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-netscape>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"linux-phoenix>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla+ipv6>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-embedded>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-firebird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-gtk1>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-gtk2>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-gtk>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mozilla-thunderbird>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"phoenix>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"pt_BR-netscape7>=0")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| freebsd | freebsd | de-linux-mozillafirebird | p-cpe:/a:freebsd:freebsd:de-linux-mozillafirebird |
| freebsd | freebsd | de-linux-netscape | p-cpe:/a:freebsd:freebsd:de-linux-netscape |
| freebsd | freebsd | de-netscape7 | p-cpe:/a:freebsd:freebsd:de-netscape7 |
| freebsd | freebsd | el-linux-mozillafirebird | p-cpe:/a:freebsd:freebsd:el-linux-mozillafirebird |
| freebsd | freebsd | firefox | p-cpe:/a:freebsd:freebsd:firefox |
| freebsd | freebsd | fr-linux-netscape | p-cpe:/a:freebsd:freebsd:fr-linux-netscape |
| freebsd | freebsd | fr-netscape7 | p-cpe:/a:freebsd:freebsd:fr-netscape7 |
| freebsd | freebsd | ja-linux-mozillafirebird-gtk1 | p-cpe:/a:freebsd:freebsd:ja-linux-mozillafirebird-gtk1 |
| freebsd | freebsd | ja-linux-netscape | p-cpe:/a:freebsd:freebsd:ja-linux-netscape |
| freebsd | freebsd | ja-mozillafirebird-gtk2 | p-cpe:/a:freebsd:freebsd:ja-mozillafirebird-gtk2 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2701
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2702
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2703
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2704
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2705
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2706
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2707
www.nessus.org/u?0a2b5253
www.mozilla.org/en-US/security/advisories/mfsa2005-58/
Related
openvas
openvas
Debian Security Advisory DSA 838-1 (mozilla-firefox)
2008-01-17 00:00:00
FreeBSD Ports: firefox
2008-09-04 00:00:00
SLES9: Security update for Mozilla
2009-10-10 00:00:00
debian
debian
freebsd
freebsd
firefox & mozilla -- multiple vulnerabilities
2005-09-22 00:00:00
nessus
nessus
Fedora Core 4 : mozilla-1.7.12-1.5.1 (2005-927)
2005-10-05 00:00:00
Fedora Core 3 : mozilla-1.7.12-1.3.1 (2005-932)
2005-10-05 00:00:00
Debian DSA-838-1 : mozilla-firefox - multiple vulnerabilities
2005-10-05 00:00:00
suse
suse
remote code execution in mozilla,MozillaFirefox
2005-09-30 09:06:58
remote code execution in MozillaThunderbird
2006-04-25 13:15:04
remote code execution in phpMyAdmin
2006-01-26 13:53:52
osv
osv
mozilla-firefox - multiple vulnerabilities
2005-10-02 00:00:00
mozilla-thunderbird - several
2005-10-20 00:00:00
mozilla - several
2005-10-20 00:00:00
centos
centos
devhelp, mozilla security update
2005-09-22 22:45:24
galeon, mozilla security update
2005-09-23 00:52:45
firefox security update
2005-09-22 22:46:14
ubuntu
ubuntu
Thunderbird vulnerabilities
2005-10-11 00:00:00
gentoo
gentoo
Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities
2005-09-18 00:00:00
redhat
redhat
(RHSA-2005:789) mozilla security update
2005-09-22 00:00:00
(RHSA-2005:785) firefox security update
2005-09-22 00:00:00
(RHSA-2005:791) thunderbird security update
2005-10-06 00:00:00
ubuntucve
ubuntucve
checkpoint_advisories
checkpoint_advisories
Firefox XBM Image Processing Buffer Overflow (CVE-2005-2701)
2010-03-01 00:00:00
Mozilla Firefox Unicode Sequence Handling Stack Corruption (CVE-2005-2702)
2009-10-06 00:00:00
Mozilla Firefox Chrome Page Loading Restriction Bypass (CVE-2005-2706)
2009-11-05 00:00:00
cve
cve
securityvulns
securityvulns
[NEWS] Gecko based browsers Stack Corruption
2005-09-26 00:00:00
Related for FREEBSD_PKG_8F5DD74B2C6111DAA2630001020EED82.NASL