Vulnerabilities > CVE-2011-2598 - Information Exposure vulnerability in Mozilla Firefox 4.0/4.0.1
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The WebGL implementation in Mozilla Firefox 4.x allows remote attackers to obtain screenshots of the windows of arbitrary desktop applications via vectors involving an SVG filter, an IFRAME element, and uninitialized data in graphics memory.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 14 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Windows NASL id SEAMONKEY_22.NASL description The installed version of SeaMonkey is earlier than 2.2.0. As such, it is potentially affected by the following security issues : - Errors in the WebGL implementation can allow the loading of WebGL textures from cross-domain images or allow the crash of the application and execution of arbitrary code. (CVE-2011-2366, CVE-2011-2368) - An out-of-bounds read error exists in the WebGL implementation that can lead to crashes and may allow an attacker to read arbitrary data from the GPU, including that of other processes. (CVE-2011-2367) - An error exists in the decoding of HTML-encoded entities contained in SVG elements. This error could lead to cross-site scripting attacks. (CVE-2011-2369) - An unspecified error exists that allows non-whitelisted sites to trigger an install dialog for add-ons and themes. (CVE-2011-2370) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - A use-after-free error when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2375) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377) last seen 2020-06-01 modified 2020-06-02 plugin id 55884 published 2011-08-17 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55884 title SeaMonkey < 2.2.0 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55884); script_version("1.15"); script_cvs_date("Date: 2018/07/27 18:38:15"); script_cve_id( "CVE-2011-2366", "CVE-2011-2367", "CVE-2011-2368", "CVE-2011-2369", "CVE-2011-2370", "CVE-2011-2371", "CVE-2011-2373", "CVE-2011-2375", "CVE-2011-2377", "CVE-2011-2598" ); script_bugtraq_id( 48319, 48365, 48369, 48371, 48372, 48373, 48375, 48379, 48380 ); script_xref(name:"EDB-ID", value:"17974"); script_xref(name:"EDB-ID", value:"17976"); script_xref(name:"EDB-ID", value:"18531"); script_name(english:"SeaMonkey < 2.2.0 Multiple Vulnerabilities"); script_summary(english:"Checks version of SeaMonkey"); script_set_attribute(attribute:"synopsis",value: "The remote Windows host contains a web browser that may be affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description",value: "The installed version of SeaMonkey is earlier than 2.2.0. As such, it is potentially affected by the following security issues : - Errors in the WebGL implementation can allow the loading of WebGL textures from cross-domain images or allow the crash of the application and execution of arbitrary code. (CVE-2011-2366, CVE-2011-2368) - An out-of-bounds read error exists in the WebGL implementation that can lead to crashes and may allow an attacker to read arbitrary data from the GPU, including that of other processes. (CVE-2011-2367) - An error exists in the decoding of HTML-encoded entities contained in SVG elements. This error could lead to cross-site scripting attacks. (CVE-2011-2369) - An unspecified error exists that allows non-whitelisted sites to trigger an install dialog for add-ons and themes. (CVE-2011-2370) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - A use-after-free error when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2375) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377)"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-19/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-20/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-21/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-22/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-25/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-26/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-27/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-28/"); # https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey-2.0/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dc608134"); script_set_attribute(attribute:"solution", value:"Upgrade to SeaMonkey 2.2.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mozilla Firefox Array.reduceRight() Integer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"patch_publication_date", value:"2010/07/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:seamonkey"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("SeaMonkey/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item("SMB/transport"); if (!port) port = 445; installs = get_kb_list("SMB/SeaMonkey/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "SeaMonkey"); mozilla_check_version(installs:installs, product:'seamonkey', fix:'2.2', severity:SECURITY_HOLE);
NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_5_0.NASL description The installed version of Firefox is earlier than 5.0 and thus, is potentially affected by the following security issues : - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2374, CVE-2011-2375) - A use-after-free issue when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - It is possible for an image from a different domain to be loaded into a WebGL texture which could be used to steal image data from a different site. (CVE-2011-2366, CVE-2011-2598) - An out-of-bounds read issue and an invalid write issue could cause the application to crash. (CVE-2011-2367, CVE-2011-2368) - HTML-encoded entities are improperly decoded when displayed inside SVG elements which could lead to cross-site scripting attacks. (CVE-2011-2369) - It is possible for a non-whitelisted site to trigger an install dialog for add-ons and themes. (CVE-2011-2370) last seen 2020-06-01 modified 2020-06-02 plugin id 55419 published 2011-06-24 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55419 title Firefox < 5.0 Multiple Vulnerabilities (Mac OS X) code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(55419); script_version("1.13"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id( "CVE-2011-2366", "CVE-2011-2367", "CVE-2011-2368", "CVE-2011-2369", "CVE-2011-2370", "CVE-2011-2371", "CVE-2011-2373", "CVE-2011-2374", "CVE-2011-2375", "CVE-2011-2377", "CVE-2011-2598" ); script_bugtraq_id( 48319, 48361, 48365, 48365, 48369, 48371, 48372, 48373, 48375, 48379, 48380 ); script_xref(name:"Secunia", value:"44982"); script_name(english:"Firefox < 5.0 Multiple Vulnerabilities (Mac OS X)"); script_summary(english:"Checks version of Firefox"); script_set_attribute(attribute:"synopsis", value: "The remote Mac OS X host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The installed version of Firefox is earlier than 5.0 and thus, is potentially affected by the following security issues : - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2374, CVE-2011-2375) - A use-after-free issue when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - It is possible for an image from a different domain to be loaded into a WebGL texture which could be used to steal image data from a different site. (CVE-2011-2366, CVE-2011-2598) - An out-of-bounds read issue and an invalid write issue could cause the application to crash. (CVE-2011-2367, CVE-2011-2368) - HTML-encoded entities are improperly decoded when displayed inside SVG elements which could lead to cross-site scripting attacks. (CVE-2011-2369) - It is possible for a non-whitelisted site to trigger an install dialog for add-ons and themes. (CVE-2011-2370)"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9382419d"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-19/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-20/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-21/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-22/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-25/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-26/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-27/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-28/"); script_set_attribute(attribute:"solution", value:"Upgrade to Firefox 5.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mozilla Firefox Array.reduceRight() Integer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("macosx_firefox_installed.nasl"); script_require_keys("MacOSX/Firefox/Installed"); exit(0); } include("mozilla_version.inc"); kb_base = "MacOSX/Firefox"; get_kb_item_or_exit(kb_base+"/Installed"); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'5.0', skippat:'^3\\.6\\.', severity:SECURITY_HOLE);
NASL family Windows NASL id MOZILLA_FIREFOX_50.NASL description The installed version of Firefox 4 is potentially affected by the following security issues : - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2374, CVE-2011-2375) - A use-after-free issue when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - It is possible for an image from a different domain to be loaded into a WebGL texture which could be used to steal image data from a different site. (CVE-2011-2366, CVE-2011-2598) - An out-of-bounds read issue and an invalid write issue could cause the application to crash. (CVE-2011-2367, CVE-2011-2368) - HTML-encoded entities are improperly decoded when displayed inside SVG elements which could lead to cross-site scripting attacks. (CVE-2011-2369) - It is possible for a non-whitelisted site to trigger an install dialog for add-ons and themes. (CVE-2011-2370) last seen 2020-06-01 modified 2020-06-02 plugin id 55288 published 2011-06-21 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55288 title Firefox 4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55288); script_version("1.18"); script_cvs_date("Date: 2018/07/16 14:09:14"); script_cve_id( "CVE-2011-2366", "CVE-2011-2367", "CVE-2011-2368", "CVE-2011-2369", "CVE-2011-2370", "CVE-2011-2371", "CVE-2011-2373", "CVE-2011-2374", "CVE-2011-2375", "CVE-2011-2377", "CVE-2011-2598" ); script_bugtraq_id( 48319, 48361, 48365, 48365, 48369, 48371, 48372, 48373, 48375, 48379, 48380 ); script_xref(name:"EDB-ID", value:"17974"); script_xref(name:"EDB-ID", value:"17976"); script_xref(name:"EDB-ID", value:"18531"); script_xref(name:"Secunia", value:"44982"); script_name(english:"Firefox 4 Multiple Vulnerabilities"); script_summary(english:"Checks version of Firefox"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host contains a web browser that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The installed version of Firefox 4 is potentially affected by the following security issues : - Multiple memory safety issues can lead to application crashes and possibly remote code execution. (CVE-2011-2374, CVE-2011-2375) - A use-after-free issue when viewing XUL documents with scripts disabled could lead to code execution. (CVE-2011-2373) - A memory corruption issue due to multipart / x-mixed-replace images could lead to memory corruption. (CVE-2011-2377) - When a JavaScript Array object has its length set to an extremely large value, the iteration of array elements that occurs when its reduceRight method is called could result in code execution due to an invalid index value being used. (CVE-2011-2371) - It is possible for an image from a different domain to be loaded into a WebGL texture which could be used to steal image data from a different site. (CVE-2011-2366, CVE-2011-2598) - An out-of-bounds read issue and an invalid write issue could cause the application to crash. (CVE-2011-2367, CVE-2011-2368) - HTML-encoded entities are improperly decoded when displayed inside SVG elements which could lead to cross-site scripting attacks. (CVE-2011-2369) - It is possible for a non-whitelisted site to trigger an install dialog for add-ons and themes. (CVE-2011-2370)"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9382419d"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-19/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-20/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-21/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-22/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-25/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-26/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-27/"); script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2011-28/"); script_set_attribute(attribute:"solution", value:"Upgrade to Firefox 5.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mozilla Firefox Array.reduceRight() Integer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("mozilla_org_installed.nasl"); script_require_keys("Mozilla/Firefox/Version"); exit(0); } include("mozilla_version.inc"); port = get_kb_item_or_exit("SMB/transport"); installs = get_kb_list("SMB/Mozilla/Firefox/*"); if (isnull(installs)) audit(AUDIT_NOT_INST, "Firefox"); mozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'5.0', skippat:'^3\\.6\\.', severity:SECURITY_HOLE);
Oval
accepted | 2014-10-06T04:01:19.480-04:00 | ||||||||||||||||||||||||
class | vulnerability | ||||||||||||||||||||||||
contributors |
| ||||||||||||||||||||||||
definition_extensions |
| ||||||||||||||||||||||||
description | The WebGL implementation in Mozilla Firefox 4.x allows remote attackers to obtain screenshots of the windows of arbitrary desktop applications via vectors involving an SVG filter, an IFRAME element, and uninitialized data in graphics memory. | ||||||||||||||||||||||||
family | windows | ||||||||||||||||||||||||
id | oval:org.mitre.oval:def:14207 | ||||||||||||||||||||||||
status | accepted | ||||||||||||||||||||||||
submitted | 2011-11-25T18:18:44.000-05:00 | ||||||||||||||||||||||||
title | The WebGL implementation in Mozilla Firefox 4.x allows remote attackers to obtain screenshots of the windows of arbitrary desktop applications via vectors involving an SVG filter, an IFRAME element, and uninitialized data in graphics memory. | ||||||||||||||||||||||||
version | 26 |
References
- http://blog.mozilla.com/security/2011/06/16/webgl-graphics-memory-stealing-issue/
- http://www.contextis.com/resources/blog/webgl2/
- http://www.securityfocus.com/bid/48319
- http://www.theregister.co.uk/2011/06/16/webgl_security_threats_redux/
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14207