Vulnerabilities > CVE-2017-5409 - Improper Privilege Management vulnerability in Mozilla Firefox
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
The Mozilla Windows updater can be called by a non-privileged user to delete an arbitrary local file by passing a special path to the callback parameter through the Mozilla Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 45.8 and Firefox < 52.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_96ECA03113134DAF9BE29D6E1C4F1EB5.NASL description Mozilla Foundation reports : Please reference CVE/URL list for details last seen 2020-06-01 modified 2020-06-02 plugin id 97592 published 2017-03-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97592 title FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5) NASL family Windows NASL id MOZILLA_FIREFOX_45_8_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 45.8. It is, therefore, affected by multiple vulnerabilities : - Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5398) - JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5400) - A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable. (CVE-2017-5401) - A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. (CVE-2017-5402) - A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. (CVE-2017-5404) - Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. (CVE-2017-5405) - Using SVG filters that don last seen 2020-06-01 modified 2020-06-02 plugin id 97638 published 2017-03-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97638 title Mozilla Firefox ESR < 45.8 Multiple Vulnerabilities NASL family Windows NASL id MOZILLA_FIREFOX_52.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities : - Mozilla developers and community members Boris Zbarsky, Christian Holler, Honza Bambas, Jon Coppeard, Randell Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd reported memory safety bugs present in Firefox 51 and Firefox ESR 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5398) - Mozilla developers and community members Carsten Book, Calixte Denizet, Christian Holler, Andrew McCreight, David Bolter, David Keeler, Jon Coppeard, Tyson Smith, Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed Davis, Julian Seward, Julian Hector, Philipp, Markus Stange, and Andre Bargull reported memory safety bugs present in Firefox 51. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. (CVE-2017-5399) - JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. (CVE-2017-5400) - A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable. (CVE-2017-5401) - A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. (CVE-2017-5402) - When adding a range to an object in the DOM, it is possible to use addRange to add the range to an incorrect root object. This triggers a use-after-free, resulting in a potentially exploitable crash. (CVE-2017-5403) - A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. (CVE-2017-5404) - Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. (CVE-2017-5405) - A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. (CVE-2017-5406) - Using SVG filters that don last seen 2020-06-01 modified 2020-06-02 plugin id 97639 published 2017-03-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97639 title Mozilla Firefox < 52.0 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0732-1.NASL description This update for MozillaFirefox to ESR 45.8 fixes the following issues: Security issues fixed (bsc#1028391) : - CVE-2017-5402: Use-after-free working with events in FontFace objects - CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP - CVE-2017-5401: Memory Corruption when handling ErrorResult - CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters - CVE-2017-5404: Use-after-free working with ranges in selections - CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports - CVE-2017-5408: Cross-origin reading of video captions in violation of CORS - CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service - CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 Bugfixes : - fix crashes on Itanium (bsc#1027527) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97832 published 2017-03-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97832 title SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:0732-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0714-1.NASL description This update for MozillaFirefox to ESR 45.8 fixes the following issues: Security issues fixed (bsc#1028391) : - CVE-2017-5402: Use-after-free working with events in FontFace objects - CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP - CVE-2017-5401: Memory Corruption when handling ErrorResult - CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters - CVE-2017-5404: Use-after-free working with ranges in selections - CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports - CVE-2017-5408: Cross-origin reading of video captions in violation of CORS - CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service - CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97825 published 2017-03-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97825 title SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2017:0714-1)
References
- http://www.securityfocus.com/bid/96696
- http://www.securityfocus.com/bid/96696
- http://www.securitytracker.com/id/1037966
- http://www.securitytracker.com/id/1037966
- https://bugzilla.mozilla.org/show_bug.cgi?id=1321814
- https://bugzilla.mozilla.org/show_bug.cgi?id=1321814
- https://www.mozilla.org/security/advisories/mfsa2017-05/
- https://www.mozilla.org/security/advisories/mfsa2017-05/
- https://www.mozilla.org/security/advisories/mfsa2017-06/
- https://www.mozilla.org/security/advisories/mfsa2017-06/