07.14.2009

VU#443060: Mozilla Firefox 3.5 code execution vulnerability

Vulnerability Note VU#443060

Mozilla Firefox 3.5 code execution vulnerability

Overview

Mozilla Firefox's JavaScript engine contains a vulnerability that may allow an attacker to execute code.

I. Description

Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey component of Firefox's JavaScript engine.

Per Mozilla Bug 503286:



"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter."



Note that proof of concept code that demonstrates this issue is publicly available.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

III. Solution

We are currently unaware of a practical solution to this problem. Until an update is available, the workaround below may mitigate this issue.

Disable Tracemonkey



To disable the vulnerable components, use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false.

Systems Affected

Vendor    Status       Date Notified / Date Updated
Mozilla   Vulnerable   2009-07-14 (only one date given)

References



https://bugzilla.mozilla.org/show_bug.cgi?id=503286

http://milw0rm.com/exploits/9137

http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html?wprss=securityfix

Credit

Information from zbyte, Mozilla, and other sources was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-07-14
Date First Published: 2009-07-14
Date Last Updated: 2009-07-14
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 40.50
Document Revision: 10
07.14.2009

VU#443060: Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

Vulnerability Note VU#443060

Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

Overview

Mozilla Firefox's JavaScript engine contains a vulnerability that may allow an attacker to execute code.

I. Description

Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey component of Firefox's JavaScript engine.

Per Mozilla Bug 503286:



"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter."



Note that proof of concept code that demonstrates this issue is publicly available.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

III. Solution

Firefox 3.5.1 has been released to address this issue. See Mozilla Foundation Security Advisory 2009-41 for more information. Until updates can be applied, the below workarounds may mitigate this issue.

Disable TraceMonkey



To disable the vulnerable components, use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false. This will still allow JavaScript to run, but it will disable the TraceMonkey performance enhancements.
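The "Disable TraceMonkey" workaround above (and the identical one in the earlier revision of this note) is applied through about:config, which persists to the profile's prefs.js. The following is an added example, not code from CERT or Mozilla, that checks a prefs.js / user.js text for the two preferences the note names and emits the user.js lines that force them to false. It assumes the file uses Mozilla's user_pref("name", value); syntax; a preference absent from the file is at its built-in default, which the check cannot see, so it is reported as not explicitly disabled.

```javascript
// Added example (not from the CERT note): audit a Firefox 3.5 profile's
// prefs.js / user.js text for the VU#443060 TraceMonkey workaround, i.e.
// javascript.options.jit.content and javascript.options.jit.chrome set to false.
// Assumption: the file uses the user_pref("name", value); syntax.

const JIT_PREFS = [
  "javascript.options.jit.content",
  "javascript.options.jit.chrome",
];

// Parse user_pref("name", value); lines into a Map. Values are JSON-like
// (true/false, numbers, "strings"); comment and unknown lines are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    let value;
    try { value = JSON.parse(m[2]); } catch (e) { value = m[2]; }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Report which JIT prefs are not explicitly set to false. A pref missing
// from the file is at its built-in default and is treated as not disabled.
function jitStatus(prefsText) {
  const prefs = parsePrefs(prefsText);
  const notDisabled = JIT_PREFS.filter((name) => prefs.get(name) !== false);
  return { mitigated: notDisabled.length === 0, notDisabled };
}

// The user.js lines an administrator could drop into a profile to force
// the workaround regardless of what about:config currently holds.
function workaroundUserJs() {
  return JIT_PREFS.map((name) => `user_pref("${name}", false);`).join("\n");
}

// Constructed sample profiles (not real captures).
const PROFILE_DEFAULT = `# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", true);
`;
const PROFILE_MITIGATED = `user_pref("javascript.options.jit.content", false);
user_pref("javascript.options.jit.chrome", false);
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(jitStatus(PROFILE_DEFAULT));    // mitigated: false
  console.log(jitStatus(PROFILE_MITIGATED));  // mitigated: true
  console.log(workaroundUserJs());
}
```

Run it against a copy of the profile's prefs.js; a "mitigated: false" result with the pref names listed tells you which about:config entries still need to be flipped. These preference names apply to the Firefox 3.5-era TraceMonkey JIT and do not carry over to later engines.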



Use NoScript



Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts will help to mitigate this vulnerability. Further details for configuring NoScript are available in the Securing Your Web Browser document.



Disable JavaScript



For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

Vendor    Status       Date Notified / Date Updated
Mozilla   Vulnerable   2009-07-14 (only one date given)

References



http://www.mozilla.org/security/announce/2009/mfsa2009-41.html

http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

https://bugzilla.mozilla.org/show_bug.cgi?id=503286

http://milw0rm.com/exploits/9137

http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html?wprss=securityfix

Credit

Information from zbyte, Mozilla, and other sources was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-07-09
Date First Published: 2009-07-14
Date Last Updated: 2009-07-17
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 40.50
Document Revision: 21
07.16.2008

VU#130923: Mozilla Firefox command line URI handling vulnerability

Vulnerability Note VU#130923

Mozilla Firefox command line URI handling vulnerability

Overview

Mozilla Firefox contains a vulnerability that may allow an attacker to bypass security restrictions by opening specially crafted URIs using the Firefox command line interface.

I. Description

Mozilla Firefox can process URIs passed on its command line, which can be invoked by users or by other programs. Passing Firefox multiple URIs on the command line separated by the pipe symbol launches Firefox with each URI opened in its own tab. An attacker could use this feature to pass Firefox URIs that should have been handled by another application. Because Firefox may treat a URI received this way as coming from a local content source, the domain and origin-based security restrictions that normally apply to remote content may be bypassed.

II. Impact

A remote attacker may be able to use this vulnerability to bypass security restrictions, or to aid in the exploitation of other vulnerabilities.

III. Solution

Upgrade

Per Mozilla Foundation Security Advisory 2008-35 this issue has been addressed in Firefox 3.0.1 and Firefox 2.0.0.16.




Systems Affected

Vendor    Status       Date Updated
Mozilla   Vulnerable   16-Jul-2008

References



http://www.mozilla.org/security/announce/2008/mfsa2008-35.html

https://bugzilla.mozilla.org/show_bug.cgi?id=441120

Credit

Thanks to Mozilla for information that was used in this report. Mozilla credits Billy Rios for reporting this issue and Ben Turner and Dan Veditz for discovering additional attack vectors.

This document was written by Ryan Giobbi.

Other Information

Date Public: 07/16/2008
Date First Published: 07/16/2008 11:39:06 AM
Date Last Updated: 07/16/2008
CERT Advisory:
CVE Name: CVE-2008-2933
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 8
07.2.2008

VU#607267: Mozilla Firefox code execution vulnerability

Vulnerability Note VU#607267

Mozilla Firefox code execution vulnerability

Overview

Mozilla Firefox versions prior to 2.0.0.15 contain a vulnerability that may allow an attacker to execute code.

I. Description

Versions of Mozilla Firefox prior to 2.0.0.15 contain a buffer overflow vulnerability. Browsers such as SeaMonkey and Epiphany that use Mozilla's rendering engine may also be affected.

Per Mozilla Foundation Security Advisory 2008-33:

    Security research firm Astabis reported a vulnerability in Firefox 2 submitted through the iSIGHT Partners GVP Program by Greg McManus, Primary GVP Researcher. The reported crash in Mozilla's block reflow code could be used by an attacker to crash the browser and run arbitrary code on the victim's computer.

    This vulnerability does not affect Firefox 3.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable browser to crash.

III. Solution

Upgrade

Per Mozilla Foundation Security Advisory 2008-33 this issue is addressed in Firefox 2.0.0.15 and SeaMonkey 1.1.10.




Systems Affected

Vendor    Status       Date Updated
Mozilla   Vulnerable   2-Jul-2008

References



http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15

http://www.mozilla.com/en-US/firefox/2.0.0.15/releasenotes/

http://www.mozilla.org/security/announce/2008/mfsa2008-27.html

https://bugzilla.mozilla.org/show_bug.cgi?id=423541

Credit

Mozilla credits Security research firm Astabis for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 07/02/2008
Date First Published: 07/02/2008 04:04:38 PM
Date Last Updated: 07/02/2008
CERT Advisory:
CVE Name: CVE-2008-2805
US-CERT Technical Alerts:
Metric: 7.17
Document Revision: 7
05.21.2008

VU#906907: FireFTP filename directory traversal sequence vulnerability

Vulnerability Note VU#906907

FireFTP filename directory traversal sequence vulnerability

Overview

The FireFTP Mozilla Firefox extension contains a vulnerability that may allow an attacker to write files to arbitrary locations.

I. Description

FireFTP is a Firefox extension that provides FTP client functionality. Firefox extensions can run with chrome privileges, which allow them to read and write local files and make network connections.

The FTP MLST and MLSD commands are defined in RFC 3659: "MLST provides data about exactly the object named on its command line, and no others. MLSD, on the other, lists the contents of a directory if a directory is named, otherwise a 501 reply is returned."



The FTP LIST command is defined in RFC 959: "This command causes a list to be sent from the server to the passive DTP. If the pathname specifies a directory or other group of files, the server should transfer a list of files in the specified directory. If the pathname specifies a file then the server should send current information on the file. A null argument implies the user's current working or default directory."



FireFTP does not properly sanitise filenames containing directory traversal sequences that it receives from an FTP server in response to the MLSD and LIST commands. To exploit this vulnerability, an attacker would need to convince a user to connect to an FTP server under the attacker's control, which then returns directory listings whose filenames contain traversal sequences.

II. Impact

A remote attacker may be able to write files to arbitrary locations on a system running Firefox with a vulnerable version of FireFTP.

III. Solution

Upgrade

Per the FireFTP Developer Information page, this issue is addressed in the 0.97.2 and .99preview releases. Users are encouraged to upgrade to a fixed version. Users who have Firefox set to Automatically check for updates and Automatically download and install the update for Add-ons should be updated to a fixed version of FireFTP automatically.



Restrict access

FTP proxy servers and IPS systems that include support for the FTP protocol may be able to block filenames that contain directory traversal sequences. Note that this workaround may not block all attack vectors.





Since Firefox extensions usually run in the context of Firefox, host-based firewalls may not be able to detect the installation or presence of Firefox Add-ons such as FireFTP.

Systems Affected

Vendor    Status       Date Updated
FireFTP   Vulnerable   21-May-2008
Mozilla   Unknown      22-May-2008

References



http://fireftp.mozdev.org/developers.html

https://addons.mozilla.org/en-US/firefox/addon/684

http://developer.mozilla.org/en/docs/Chrome

http://vuln.sg/fireftp0971-en.html

http://support.mozilla.com/en-US/kb/Options+window#Update_tab

http://tools.ietf.org/html/rfc3659

http://www.faqs.org/rfcs/rfc959.html

Credit

Information about this vulnerability was published by vuln.sg.

This document was written by Ryan Giobbi.

Other Information

Date Public: 05/20/2008
Date First Published: 05/21/2008 03:02:58 PM
Date Last Updated: 05/23/2008
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric: 1.35
Document Revision: 46
