Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X) - Nessus

Critical   Plugin ID: 63542

---

This page contains detailed information about the Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 63542
Name: Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X)
Filename: macosx_firefox_10_0_12.nasl
Vulnerability Published: 2013-01-08
This Plugin Published: 2013-01-15
Last Modification Time: 2019-12-04
Plugin Version: 1.19
Plugin Type: local
Plugin Family: MacOS X Local Security Checks
Dependencies: macosx_firefox_installed.nasl
Required KB Items [?]: MacOSX/Firefox/Installed

Vulnerability Information

---

Severity: Critical
Vulnerability Published: 2013-01-08
Patch Published: 2013-01-08
CVE [?]: CVE-2013-0744, CVE-2013-0746, CVE-2013-0748, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0758, CVE-2013-0759, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769
CPE [?]: cpe:/a:mozilla:firefox
Exploited by Malware: True

Synopsis

The remote Mac OS X host contains a web browser that is affected by multiple vulnerabilities.

Description

The installed version of Firefox is earlier than 10.0.12 and thus, is potentially affected by the following security issues :

- Two intermediate certificates were improperly issued by TURKTRUST certificate authority. (CVE-2013-0743)

- A use-after-free error exists related to displaying HTML tables with many columns and column groups. (CVE-2013-0744)

- An error exists related to 'jsval', 'quickstubs', and compartmental mismatches that could lead to potentially exploitable crashes. (CVE-2013-0746)

- An error related to the 'toString' method of XBL objects could lead to address information leakage. (CVE-2013-0748)

- A buffer overflow exists related to JavaScript string concatenation. (CVE-2013-0750)

- A use-after-free error exists related to 'XMLSerializer' and 'serializeToStream'. (CVE-2013-0753)

- A use-after-free error exists related to garbage collection and 'ListenManager'. (CVE-2013-0754)

- An error related to SVG elements and plugins could allow privilege escalation. (CVE-2013-0758)

- An error exists related to the address bar that could allow URL spoofing attacks. (CVE-2013-0759)

- Multiple, unspecified use-after-free, out-of-bounds read and buffer overflow errors exist. (CVE-2013-0762, CVE-2013-0766, CVE-2013-0767)

- An unspecified memory corruption issue exists. (CVE-2013-0769)

Please note the 10.x ESR branch will no longer be supported as of 02/13/2013. Only the 17.x ESR branch will receive security updates after that date.

Solution

Upgrade to Firefox 10.0.12 ESR or later.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X) vulnerability:

1. Metasploit: exploit/multi/browser/firefox_svg_plugin
   [Firefox 17.0.1 Flash Privileged Code Injection]
2. Metasploit: exploit/windows/browser/mozilla_firefox_xmlserializer
   [Firefox XMLSerializer Use After Free]
3. Exploit-DB: exploits/multiple/local/41683.rb
   [EDB-41683: Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)]
4. Exploit-DB: exploits/windows/remote/27940.rb
   [EDB-27940: Mozilla Firefox - XMLSerializer Use-After-Free (Metasploit)]
5. GitHub: https://github.com/evearias/ciberseguridad-Parcial
   [CVE-2013-0758]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2013-0769
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	10.0 (High)
Impact Subscore:	10.0
Exploitability Subscore:	10.0
CVSS Temporal Score:	8.7 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.7 (High)

Go back to menu.

Plugin Source

---

This is the macosx_firefox_10_0_12.nasl nessus plugin source code. This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(63542);
  script_version("1.19");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2013-0744",
    "CVE-2013-0746",
    "CVE-2013-0748",
    "CVE-2013-0750",
    "CVE-2013-0753",
    "CVE-2013-0754",
    "CVE-2013-0758",
    "CVE-2013-0759",
    "CVE-2013-0762",
    "CVE-2013-0766",
    "CVE-2013-0767",
    "CVE-2013-0769"
  );
  script_bugtraq_id(
    57193,
    57194,
    57195,
    57203,
    57209,
    57217,
    57218,
    57228,
    57232,
    57234,
    57235,
    57238,
    57258
  );

  script_name(english:"Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X)");
  script_summary(english:"Checks version of Firefox");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of Firefox is earlier than 10.0.12 and thus, 
is potentially affected by the following security issues :

  - Two intermediate certificates were improperly issued by
    TURKTRUST certificate authority. (CVE-2013-0743)

  - A use-after-free error exists related to displaying
    HTML tables with many columns and column groups.
    (CVE-2013-0744)

  - An error exists related to 'jsval', 'quickstubs', and
    compartmental mismatches that could lead to potentially
    exploitable crashes. (CVE-2013-0746)

  - An error related to the 'toString' method of XBL
    objects could lead to address information leakage.
    (CVE-2013-0748)

  - A buffer overflow exists related to JavaScript string
    concatenation. (CVE-2013-0750)

  - A use-after-free error exists related to
    'XMLSerializer' and 'serializeToStream'.
    (CVE-2013-0753)

  - A use-after-free error exists related to garbage
    collection and 'ListenManager'. (CVE-2013-0754)

  - An error related to SVG elements and plugins could 
    allow privilege escalation. (CVE-2013-0758)

  - An error exists related to the address bar that could
    allow URL spoofing attacks. (CVE-2013-0759)

  - Multiple, unspecified use-after-free, out-of-bounds read
    and buffer overflow errors exist. (CVE-2013-0762,
    CVE-2013-0766, CVE-2013-0767)

  - An unspecified memory corruption issue exists.
    (CVE-2013-0769)

Please note the 10.x ESR branch will no longer be supported as of
02/13/2013.  Only the 17.x ESR branch will receive security updates
after that date.");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-003/");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-006/");
  script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-13-039/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-01/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-02/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-04/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-05/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-09/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-11/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-12/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-15/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-16/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-17/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-20/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Firefox 10.0.12 ESR or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-0769");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox 17.0.1 Flash Privileged Code Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");
kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

mozilla_check_version(product:'firefox', version:version, path:path, esr:TRUE, fix:'10.0.12', severity:SECURITY_HOLE, xss:TRUE);

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/macosx_firefox_10_0_12.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\macosx_firefox_10_0_12.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/macosx_firefox_10_0_12.nasl

Go back to menu.

How to Run

---

Here is how to run the Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select MacOS X Local Security Checks plugin family.
6. On the right side table select Firefox < 10.0.12 Multiple Vulnerabilities (Mac OS X) plugin ID 63542.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl macosx_firefox_10_0_12.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a macosx_firefox_10_0_12.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - macosx_firefox_10_0_12.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state macosx_firefox_10_0_12.nasl -t <IP/HOST>

Go back to menu.

References

---

BID | SecurityFocus Bugtraq ID:

• 57193, 57194, 57195, 57203, 57209, 57217, 57218, 57228, 57232, 57234, 57235, 57238, 57258

CWE | Common Weakness Enumeration:

• CWE-20 (Weakness) Improper Input Validation
• CWE-74 (Weakness) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-79 (Weakness) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-442 (Category) DEPRECATED: Web Problems
• CWE-629 (View) Weaknesses in OWASP Top Ten (2007)
• CWE-711 (View) Weaknesses in OWASP Top Ten (2004)
• CWE-712 (Category) OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
• CWE-722 (Category) OWASP Top Ten 2004 Category A1 - Unvalidated Input
• CWE-725 (Category) OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
• CWE-750 (View) Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
• CWE-751 (Category) 2009 Top 25 - Insecure Interaction Between Components
• CWE-800 (View) Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
• CWE-801 (Category) 2010 Top 25 - Insecure Interaction Between Components
• CWE-809 (View) Weaknesses in OWASP Top Ten (2010)
• CWE-811 (Category) OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
• CWE-864 (Category) 2011 Top 25 - Insecure Interaction Between Components
• CWE-900 (View) Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
• CWE-928 (View) Weaknesses in OWASP Top Ten (2013)
• CWE-931 (Category) OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
• CWE-990 (Category) SFP Secondary Cluster: Tainted Input to Command

See also:

• https://www.tenable.com/plugins/nessus/63542
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-01/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-02/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-04/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-05/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-09/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-11/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-12/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-15/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-16/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-17/
• https://www.mozilla.org/en-US/security/advisories/mfsa2013-20/
• http://www.zerodayinitiative.com/advisories/ZDI-13-003/
• http://www.zerodayinitiative.com/advisories/ZDI-13-006/
• http://www.zerodayinitiative.com/advisories/ZDI-13-039/
• https://vulners.com/nessus/MACOSX_FIREFOX_10_0_12.NASL

Similar and related Nessus plugins:

• 63431 - CentOS 5 / 6 : firefox / xulrunner (CESA-2013:0144)
• 63432 - CentOS 5 / 6 : thunderbird (CESA-2013:0145)
• 63463 - FreeBSD : mozilla -- multiple vulnerabilities (a4ed6632-5aa9-11e2-8fcb-c8600054b392)
• 70183 - GLSA-201309-23 : Mozilla Products: Multiple vulnerabilities
• 63544 - Firefox ESR < 17.0.2 Multiple Vulnerabilities (Mac OS X)
• 63545 - Firefox < 18.0 Multiple Vulnerabilities (Mac OS X)
• 63546 - Thunderbird 10.x < 10.0.12 Multiple Vulnerabilities (Mac OS X)
• 63547 - Thunderbird < 17.0.2 Multiple Vulnerabilities (Mac OS X)
• 63548 - Firefox 10.x < 10.0.12 Multiple Vulnerabilities
• 63550 - Firefox ESR 17.x < 17.0.2 Multiple Vulnerabilities
• 63551 - Firefox < 18.0 Multiple Vulnerabilities
• 63552 - Mozilla Thunderbird 10.x < 10.0.12 Multiple Vulnerabilities
• 63553 - Mozilla Thunderbird < 17.0.2 Multiple Vulnerabilities
• 74918 - openSUSE Security Update : firefox / seamonkey / thunderbird (openSUSE-SU-2013:0149-1)
• 68707 - Oracle Linux 5 / 6 : firefox (ELSA-2013-0144)
• 68708 - Oracle Linux 6 : thunderbird (ELSA-2013-0145)
• 63445 - RHEL 5 / 6 : firefox (RHSA-2013:0144)
• 63446 - RHEL 5 / 6 : thunderbird (RHSA-2013:0145)
• 63554 - SeaMonkey < 2.15 Multiple Vulnerabilities
• 63471 - Scientific Linux Security Update : firefox on SL5.x, SL6.x i386/x86_64 (20130108)
• 63472 - Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64 (20130108)
• 64136 - SuSE 11.2 Security Update : MozillaFirefox (SAT Patch Number 7224)
• 63626 - SuSE 10 Security Update : MozillaFirefox (ZYPP Patch Number 8426)
• 83574 - SUSE SLES10 Security Update : Mozilla Firefox (SUSE-SU-2013:0306-1)
• 63447 - Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox vulnerabilities (USN-1681-1)
• 63448 - Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : thunderbird vulnerabilities (USN-1681-2)
• 63665 - Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox regression (USN-1681-3)
• 64480 - Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : firefox regression (USN-1681-4)
• 63533 - Fedora 18 : thunderbird-17.0.2-1.fc18 (2013-0589)
• 63624 - Fedora 17 : thunderbird-17.0.2-1.fc17 (2013-0653)
• 64398 - Fedora 16 : thunderbird-17.0.2-1.fc16 (2013-0723)
• 63661 - Fedora 16 : firefox-18.0-1.fc16 / xulrunner-18.0-6.fc16 (2013-0885)
• 63587 - Fedora 17 : firefox-18.0-1.fc17 / xulrunner-18.0-6.fc17 (2013-0891)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file macosx_firefox_10_0_12.nasl version 1.19. For more plugins, visit the Nessus Plugin Library.

Go back to menu.