CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.906 High (Percentile: 98.8%)
Added: 09/24/2009
CVE: CVE-2009-3076
BID: 36343
OSVDB: 57977
Mozilla is a suite of Internet client products available for multiple platforms.
The warning dialog displayed when adding or removing security modules via pkcs11.addmodule or pkcs11.deletemodule can be customized by an attacker to trick a user into installing a malicious PKCS11 module, leading to command execution.
Upgrade to Mozilla Firefox 3.0.14 or higher.
<http://www.mozilla.org/security/announce/2009/mfsa2009-48.html>
The exploit works on Mozilla Firefox 3.0.10 and requires a user to load the exploit page in Mozilla Firefox and click the Okay button when a window pops up asking whether to install the module.
In order for this exploit to succeed, first download the exploit.dll file from the exploit server and place it on the specified SMB share, which must be accessible by the target.
In order for this exploit to succeed, Microsoft Visual C++ 2008 SP1 Redistributable Package must be installed on the target.
Windows