Vulnerabilities > CVE-2016-9896 - Use After Free vulnerability in Mozilla Firefox

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
mozilla
CWE-416
nessus

Summary

Use-after-free while manipulating the "navigator" object within WebVR. Note: WebVR is not currently enabled by default. This vulnerability affects Firefox < 50.1.

Vulnerable Configurations

Part Description Count
Application
Mozilla
465

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FIREFOX_50_1.NASL
    descriptionThe version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 50.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory corruption issues exists when handling style contexts, regular expressions, and clamped gradients that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9080) - Multiple memory corruption issues exists, such as when handling document state changes or HTML5 content, or else due to dereferencing already freed memory or improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9893) - A buffer overflow condition exists in SkiaGl, within the GrResourceProvider::createBuffer() function in file gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a GrGLBuffer being truncated during allocation. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9894) - A security bypass vulnerability exists due to event handlers for marquee elements being executed despite a Content Security Policy (CSP) that disallowed inline JavaScript. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2016-9895) - A use-after-free error exists within WebVR when handling the navigator object. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-9896) - A memory corruption issue exists in libGLES when WebGL functions use a vector constructor with a varying array within libGLES. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9897) - A use-after-free error exists in Editor, specifically within file editor/libeditor/HTMLEditor.cpp, when handling DOM subtrees. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9898) - A use-after-free error exists in the nsNodeUtils::CloneAndAdopt() function within file dom/base/nsNodeUtils.cpp, while manipulating DOM events and removing audio elements, due to improper handling of failing node adoption. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9899) - A security bypass vulnerability exists in the nsDataDocumentContentPolicy::ShouldLoad() function within file dom/base/nsDataDocumentContentPolicy.cpp that allows external resources to be inappropriately loaded by SVG images by utilizing
    last seen2020-06-01
    modified2020-06-02
    plugin id95884
    published2016-12-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95884
    titleMozilla Firefox < 50.1 Multiple Vulnerabilities (macOS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95884);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2016-9080",
        "CVE-2016-9893",
        "CVE-2016-9894",
        "CVE-2016-9895",
        "CVE-2016-9896",
        "CVE-2016-9897",
        "CVE-2016-9898",
        "CVE-2016-9899",
        "CVE-2016-9900",
        "CVE-2016-9901",
        "CVE-2016-9902",
        "CVE-2016-9903",
        "CVE-2016-9904"
      );
      script_bugtraq_id(94883, 94885);
      script_xref(name:"MFSA", value:"2016-94");
    
      script_name(english:"Mozilla Firefox < 50.1 Multiple Vulnerabilities (macOS)");
      script_summary(english:"Checks the version of Firefox.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote macOS or Mac OS X host contains a web browser that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Mozilla Firefox installed on the remote macOS or Mac
    OS X host is prior to 50.1. It is, therefore, affected by the
    following vulnerabilities :
    
      - Multiple memory corruption issues exists when handling
        style contexts, regular expressions, and clamped
        gradients that allow an unauthenticated, remote attacker
        to cause a denial of service condition or the execution
        of arbitrary code. (CVE-2016-9080)
    
      - Multiple memory corruption issues exists, such as when
        handling document state changes or HTML5 content, or
        else due to dereferencing already freed memory or
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit these to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2016-9893)
    
      - A buffer overflow condition exists in SkiaGl, within the
        GrResourceProvider::createBuffer() function in file
        gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a
        GrGLBuffer being truncated during allocation. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2016-9894)
    
      - A security bypass vulnerability exists due to event
        handlers for marquee elements being executed despite a
        Content Security Policy (CSP) that disallowed inline
        JavaScript. An unauthenticated, remote attacker can
        exploit this to impact integrity. (CVE-2016-9895)
    
      - A use-after-free error exists within WebVR when handling
        the navigator object. An unauthenticated, remote
        attacker can exploit this to dereference already freed
        memory, resulting in the execution of arbitrary code.
        (CVE-2016-9896)
    
      - A memory corruption issue exists in libGLES when WebGL
        functions use a vector constructor with a varying array
        within libGLES. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition or
        the execution of arbitrary code. (CVE-2016-9897)
    
      - A use-after-free error exists in Editor, specifically
        within file editor/libeditor/HTMLEditor.cpp, when
        handling DOM subtrees. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the execution of arbitrary code.
        (CVE-2016-9898)
    
      - A use-after-free error exists in the
        nsNodeUtils::CloneAndAdopt() function within file
        dom/base/nsNodeUtils.cpp, while manipulating DOM events
        and removing audio elements, due to improper handling of
        failing node adoption. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition or the execution of arbitrary code.
        (CVE-2016-9899)
    
      - A security bypass vulnerability exists in the
        nsDataDocumentContentPolicy::ShouldLoad() function
        within file dom/base/nsDataDocumentContentPolicy.cpp
        that allows external resources to be inappropriately
        loaded by SVG images by utilizing 'data:' URLs. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive cross-domain information.
        (CVE-2016-9900)
    
      - A flaw exists due to improper sanitization of HTML tags
        received from the Pocket server. An unauthenticated,
        remote attacker can exploit this to run JavaScript code
        in the about:pocket-saved (unprivileged) page, giving it
        access to Pocket's messaging API through HTML injection.
        (CVE-2016-9901)
    
      - A flaw exists in the Pocket toolbar button, specifically
        in browser/extensions/pocket/content/main.js, due to
        improper verification of the origin of events fired from
        its own pages. An unauthenticated, remote attacker can
        exploit this to inject content and commands from other
        origins into the Pocket context. Note that this issue
        does not affect users with e10s enabled. (CVE-2016-9902)
    
      - A universal cross-site scripting (XSS) vulnerability
        exists in the Add-ons SDK, specifically within files
        addon-sdk/source/lib/sdk/ui/frame/view.html and
        addon-sdk/source/lib/sdk/ui/frame/view.js, due to
        improper validation of input before returning it to
        users. An unauthenticated, remote attacker can exploit
        this, via a specially crafted request, to execute
        arbitrary script code in a user's browser session.
        (CVE-2016-9903)
    
      - An information disclosure vulnerability exists that
        allows an unauthenticated, remote attacker to determine
        whether an atom is used by another compartment or zone
        in specific contexts, by utilizing a JavaScript Map/Set
        timing attack. (CVE-2016-9904)");
      script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mozilla Firefox version 50.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9901");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_firefox_installed.nasl");
      script_require_keys("MacOSX/Firefox/Installed");
    
      exit(0);
    }
    
    include("mozilla_version.inc");
    
    kb_base = "MacOSX/Firefox";
    get_kb_item_or_exit(kb_base+"/Installed");
    
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    
    if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');
    
    mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'50.1', severity:SECURITY_HOLE);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3155-1.NASL
    descriptionMultiple security vulnerabilities were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903, CVE-2016-9904). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id95807
    published2016-12-14
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95807
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3155-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_512C0FFDCD394DA4B2DC81FF4BA8E238.NASL
    descriptionMozilla Foundation reports : CVE-2016-9894: Buffer overflow in SkiaGL CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements CVE-2016-9895: CSP bypass using marquee tag CVE-2016-9896: Use-after-free with WebVR CVE-2016-9897: Memory corruption in libGLES CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs CVE-2016-9904: Cross-origin information leak in shared atoms CVE-2016-9901: Data from Pocket server improperly sanitized before execution CVE-2016-9902: Pocket extension does not validate the origin of events CVE-2016-9903: XSS injection vulnerability in add-ons SDK CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
    last seen2020-06-01
    modified2020-06-02
    plugin id95814
    published2016-12-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95814
    titleFreeBSD : mozilla -- multiple vulnerabilities (512c0ffd-cd39-4da4-b2dc-81ff4ba8e238)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1534.NASL
    descriptionThis update to MozillaFirefox 50.1.0 fixes the following vulnerabilities : - CVE-2016-9894: Buffer overflow in SkiaGL - CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - CVE-2016-9895: CSP bypass using marquee tag - CVE-2016-9896: Use-after-free with WebVR - CVE-2016-9897: Memory corruption in libGLES - CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - CVE-2016-9904: Cross-origin information leak in shared atoms - CVE-2016-9901: Data from Pocket server improperly sanitized before execution - CVE-2016-9902: Pocket extension does not validate the origin of events - CVE-2016-9903: XSS injection vulnerability in add-ons SDK - CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 The following bugs were fixed : - boo#1011922: fix crash after a few seconds of usage on AArch64
    last seen2020-06-05
    modified2017-01-03
    plugin id96248
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96248
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2016-1534)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1490.NASL
    descriptionThis update to MozillaFirefox 50.1.0 fixes the following vulnerabilities : - CVE-2016-9894: Buffer overflow in SkiaGL - CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements - CVE-2016-9895: CSP bypass using marquee tag - CVE-2016-9896: Use-after-free with WebVR - CVE-2016-9897: Memory corruption in libGLES - CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees - CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs - CVE-2016-9904: Cross-origin information leak in shared atoms - CVE-2016-9901: Data from Pocket server improperly sanitized before execution - CVE-2016-9902: Pocket extension does not validate the origin of events - CVE-2016-9903: XSS injection vulnerability in add-ons SDK - CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1 - CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6 The following bugs were fixed : - boo#1011922: fix crash after a few seconds of usage on AArch64
    last seen2020-06-05
    modified2016-12-20
    plugin id96030
    published2016-12-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96030
    titleopenSUSE Security Update : MozillaFirefox (openSUSE-2016-1490)
  • NASL familyWindows
    NASL idMOZILLA_FIREFOX_50_1.NASL
    descriptionThe version of Mozilla Firefox installed on the remote Windows host is prior to 50.1. It is, therefore, affected by the following vulnerabilities : - Multiple memory corruption issues exists when handling style contexts, regular expressions, and clamped gradients that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9080) - Multiple memory corruption issues exists, such as when handling document state changes or HTML5 content, or else due to dereferencing already freed memory or improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9893) - A buffer overflow condition exists in SkiaGl, within the GrResourceProvider::createBuffer() function in file gfx/skia/skia/src/gpu/GrResourceProvider.cpp, due to a GrGLBuffer being truncated during allocation. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9894) - A security bypass vulnerability exists due to event handlers for marquee elements being executed despite a Content Security Policy (CSP) that disallowed inline JavaScript. An unauthenticated, remote attacker can exploit this to impact integrity. (CVE-2016-9895) - A use-after-free error exists within WebVR when handling the navigator object. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-9896) - A memory corruption issue exists in libGLES when WebGL functions use a vector constructor with a varying array within libGLES. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9897) - A use-after-free error exists in Editor, specifically within file editor/libeditor/HTMLEditor.cpp, when handling DOM subtrees. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9898) - A use-after-free error exists in the nsNodeUtils::CloneAndAdopt() function within file dom/base/nsNodeUtils.cpp, while manipulating DOM events and removing audio elements, due to improper handling of failing node adoption. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9899) - A security bypass vulnerability exists in the nsDataDocumentContentPolicy::ShouldLoad() function within file dom/base/nsDataDocumentContentPolicy.cpp that allows external resources to be inappropriately loaded by SVG images by utilizing
    last seen2020-06-01
    modified2020-06-02
    plugin id95886
    published2016-12-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95886
    titleMozilla Firefox < 50.1 Multiple Vulnerabilities