module
Firefox nsSVGValue Out-of-Bounds Access Vulnerability
| Disclosed | Created |
|---|---|
| 2011-12-06 | 2018-05-30 |
Disclosed
2011-12-06
Created
2018-05-30
Description
This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (
The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)
uses a loop which can result in an out-of-bounds access to attacker-controlled memory.
The mObserver ElementAt() function (which picks up pointers), does not validate
if a given index is out of bound. If a custom observer of nsSVGValue is created,
which removes elements from the original observer,
and memory layout is manipulated properly, the ElementAt() function might pick up
an attacker provided pointer, which can be leveraged to gain remote arbitrary
code execution.
The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y)
uses a loop which can result in an out-of-bounds access to attacker-controlled memory.
The mObserver ElementAt() function (which picks up pointers), does not validate
if a given index is out of bound. If a custom observer of nsSVGValue is created,
which removes elements from the original observer,
and memory layout is manipulated properly, the ElementAt() function might pick up
an attacker provided pointer, which can be leveraged to gain remote arbitrary
code execution.
Authors
regenrecht
Lincoln lincoln@corelan.be
corelanc0d3r peter.ve@corelan.be
Lincoln lincoln@corelan.be
corelanc0d3r peter.ve@corelan.be
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.