// For flags

CVE-2010-1121

Mozilla Firefox Cross Document DOM Node Moving Remote Code Execution Vulnerability

Severity Score

10.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010.

Firefox de Mozilla versiones 3.6.x anteriores a 3.6.3, no administra apropiadamente los ámbitos de los nodos DOM que son movidos de un documento a otro, lo que permite a los atacantes remotos conducir ataques de uso de memoria previamente liberada y ejecutar código arbitrario por medio de vectores no especificados que implican una interacción inapropiada con garbage collection, como es demostrado por Nils durante una competencia de Pwn2Own en CanSecWest 2010.

This vulnerability allows remote attackers to bypass specific script execution enforcements on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists when moving DOM nodes in between documents with a specific timing while triggering garbage collection. If timed correctly Firefox will incorrectly reference a previously freed object which can be leveraged by an attacker to execute arbitrary code under the context of the current user.

*Credits: Nils of MWR InfoSecurity (http://twitter.com/MWRlabs)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2010-03-25 CVE Reserved
  • 2010-03-25 CVE Published
  • 2024-06-27 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (26)
URL Tag Source
http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 X_refsource_misc
http://news.cnet.com/8301-27080_3-20001126-245.html X_refsource_misc
http://support.avaya.com/css/P8/documents/100091069 X_refsource_confirm
http://twitter.com/thezdi/statuses/11005277222 X_refsource_misc
http://www.securitytracker.com/id?1023817 Vdb Entry
http://www.vupen.com/english/advisories/2010/1592 Vdb Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=555109 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10924 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6844 Signature
URL Date SRC
URL Date SRC
URL Date SRC
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043369.html 2017-09-19
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043405.html 2017-09-19
http://lists.opensuse.org/opensuse-security-announce/2010-07/msg00005.html 2017-09-19
http://secunia.com/advisories/40323 2017-09-19
http://secunia.com/advisories/40326 2017-09-19
http://secunia.com/advisories/40401 2017-09-19
http://secunia.com/advisories/40481 2017-09-19
http://ubuntu.com/usn/usn-930-1 2017-09-19
http://www.mozilla.org/security/announce/2010/mfsa2010-25.html 2017-09-19
http://www.redhat.com/support/errata/RHSA-2010-0500.html 2017-09-19
http://www.redhat.com/support/errata/RHSA-2010-0501.html 2017-09-19
http://www.ubuntu.com/usn/usn-930-2 2017-09-19
http://www.vupen.com/english/advisories/2010/1557 2017-09-19
http://www.vupen.com/english/advisories/2010/1640 2017-09-19
http://www.vupen.com/english/advisories/2010/1773 2017-09-19
https://access.redhat.com/security/cve/CVE-2010-1121 2010-06-22
https://bugzilla.redhat.com/show_bug.cgi?id=577029 2010-06-22
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mozilla
Search vendor "Mozilla"
 Firefox
Search vendor "Mozilla" for product "Firefox"
 3.6
Search vendor "Mozilla" for product "Firefox" and version "3.6"
-
Affected
Mozilla
Search vendor "Mozilla"
 Firefox
Search vendor "Mozilla" for product "Firefox"
 3.6.1
Search vendor "Mozilla" for product "Firefox" and version "3.6.1"
-
Affected
Mozilla
Search vendor "Mozilla"
 Firefox
Search vendor "Mozilla" for product "Firefox"
 3.6.2
Search vendor "Mozilla" for product "Firefox" and version "3.6.2"
-
Affected