Firefox < 22.0 Multiple Vulnerabilities (Mac OS X) - Nessus

Critical   Plugin ID: 66989

This page contains detailed information about the Firefox < 22.0 Multiple Vulnerabilities (Mac OS X) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 66989
Name: Firefox < 22.0 Multiple Vulnerabilities (Mac OS X)
Filename: macosx_firefox_22.nasl
Vulnerability Published: 2013-06-25
This Plugin Published: 2013-06-26
Last Modification Time: 2022-03-29
Plugin Version: 1.15
Plugin Type: local
Plugin Family: MacOS X Local Security Checks
Dependencies: macosx_firefox_installed.nasl
Required KB Items [?]: MacOSX/Firefox/Installed

Vulnerability Information

Severity: Critical
Vulnerability Published: 2013-06-25
Patch Published: 2013-06-25
CVE [?]: CVE-2013-1682, CVE-2013-1683, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1688, CVE-2013-1690, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694, CVE-2013-1695, CVE-2013-1696, CVE-2013-1697, CVE-2013-1698, CVE-2013-1699
CPE [?]: cpe:/a:mozilla:firefox
Exploited by Malware: True

Synopsis

The remote Mac OS X host contains a web browser that is potentially affected by multiple vulnerabilities.

Description

The installed version of Firefox is earlier than 22.0 and is, therefore, potentially affected by multiple vulnerabilities :

- Various, unspecified memory safety issues exist. (CVE-2013-1682, CVE-2013-1683)

- Heap-use-after-free errors exist related to 'LookupMediaElementURITable', 'nsIDocument::GetRootElement' and 'mozilla::ResetDir'. (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)

- An error exists related to 'XBL scope', 'System Only Wrappers' (SOW) and chrome-privileged pages that could allow cross-site scripting attacks. (CVE-2013-1687)

- An error exists related to the 'profiler' that could allow arbitrary code execution. (CVE-2013-1688)

- An error related to 'onreadystatechange' and unmapped memory could cause application crashes and allow arbitrary code execution. (CVE-2013-1690)

- The application sends data in the body of XMLHttpRequest (XHR) HEAD requests and could aid in cross-site request forgery attacks. (CVE-2013-1692)

- An error related to the processing of SVG content could allow a timing attack to disclose information across domains. (CVE-2013-1693)

- An error exists related to 'PreserveWrapper' and the 'preserved-wrapper' flag that could cause potentially exploitable application crashes. (CVE-2013-1694)

- An error exists related to '<iframe sandbox>' restrictions that could allow a bypass of these restrictions. (CVE-2013-1695)

- The 'X-Frame-Options' header is ignored in certain situations and can aid in click-jacking attacks. (CVE-2013-1696)

- An error exists related to the 'toString' and 'valueOf' methods that could allow 'XrayWrappers' to be bypassed. (CVE-2013-1697)

- An error exists related to the 'getUserMedia' permission dialog that could allow a user to be tricked into giving access to unintended domains. (CVE-2013-1698)

- Homograph domain spoofing protection is incomplete and certain attacks are still possible using Internationalized Domain Names (IDN). (CVE-2013-1699)

Solution

Upgrade to Firefox 22.0 or later.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Firefox < 22.0 Multiple Vulnerabilities (Mac OS X) vulnerability:

  1. Metasploit: exploit/windows/browser/mozilla_firefox_onreadystatechange
    [Firefox onreadystatechange Event DocumentViewerImpl Use After Free]
  2. Exploit-DB: exploits/windows/remote/27429.rb
    [EDB-27429: Mozilla Firefox - onreadystatechange Event DocumentViewerImpl Use-After-Free (Metasploit)]
  3. GitHub: https://github.com/vlad902/annotated-fbi-tbb-exploit
    [CVE-2013-1690: Annotated FBI exploit for the Tor Browser Bundle from mid-2013 (CVE-2013-1690)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2013-1686
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:8.7 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.7 (High)

Go back to menu.

Plugin Source

This is the macosx_firefox_22.nasl nessus plugin source code. This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(66989);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/29");

  script_cve_id(
    "CVE-2013-1682",
    "CVE-2013-1683",
    "CVE-2013-1684",
    "CVE-2013-1685",
    "CVE-2013-1686",
    "CVE-2013-1687",
    "CVE-2013-1688",
    "CVE-2013-1690",
    "CVE-2013-1692",
    "CVE-2013-1693",
    "CVE-2013-1694",
    "CVE-2013-1695",
    "CVE-2013-1696",
    "CVE-2013-1697",
    "CVE-2013-1698",
    "CVE-2013-1699"
  );
  script_bugtraq_id(
    60765,
    60766,
    60768,
    60773,
    60774,
    60776,
    60777,
    60778,
    60779,
    60783,
    60784,
    60785,
    60787,
    60788,
    60789,
    60790
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/18");

  script_name(english:"Firefox < 22.0 Multiple Vulnerabilities (Mac OS X)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host contains a web browser that is potentially
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The installed version of Firefox is earlier than 22.0 and is,
therefore, potentially affected by multiple vulnerabilities :

  - Various, unspecified memory safety issues exist.
    (CVE-2013-1682, CVE-2013-1683)

  - Heap-use-after-free errors exist related to
    'LookupMediaElementURITable',
    'nsIDocument::GetRootElement' and 'mozilla::ResetDir'.
    (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686)

  - An error exists related to 'XBL scope', 'System Only
    Wrappers' (SOW) and chrome-privileged pages that could
    allow cross-site scripting attacks. (CVE-2013-1687)

  - An error exists related to the 'profiler' that could
    allow arbitrary code execution. (CVE-2013-1688)

  - An error related to 'onreadystatechange' and unmapped
    memory could cause application crashes and allow
    arbitrary code execution. (CVE-2013-1690)

  - The application sends data in the body of XMLHttpRequest
    (XHR) HEAD requests and could aid in cross-site request
    forgery attacks. (CVE-2013-1692)

  - An error related to the processing of SVG content could
    allow a timing attack to disclose information across
    domains. (CVE-2013-1693)

  - An error exists related to 'PreserveWrapper' and the
    'preserved-wrapper' flag that could cause potentially
    exploitable application crashes. (CVE-2013-1694)

  - An error exists related to '<iframe sandbox>'
    restrictions that could allow a bypass of these
    restrictions. (CVE-2013-1695)

  - The 'X-Frame-Options' header is ignored in certain
    situations and can aid in click-jacking attacks.
    (CVE-2013-1696)

  - An error exists related to the 'toString' and 'valueOf'
    methods that could allow 'XrayWrappers' to be bypassed.
    (CVE-2013-1697)

  - An error exists related to the 'getUserMedia'
    permission dialog that could allow a user to be tricked
    into giving access to unintended domains.
    (CVE-2013-1698)

  - Homograph domain spoofing protection is incomplete and
    certain attacks are still possible using
    Internationalized Domain Names (IDN). (CVE-2013-1699)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-49/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-50/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-51/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-52/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-53/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-54/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-55/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-56/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-57/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-58/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-59/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-60/");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2013-61/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Firefox 22.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1686");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Firefox onreadystatechange Event DocumentViewerImpl Use After Free');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'22.0', severity:SECURITY_HOLE, xss:TRUE, xsrf:TRUE);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/macosx_firefox_22.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\macosx_firefox_22.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/macosx_firefox_22.nasl

Go back to menu.

How to Run

Here is how to run the Firefox < 22.0 Multiple Vulnerabilities (Mac OS X) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select MacOS X Local Security Checks plugin family.
  6. On the right side table select Firefox < 22.0 Multiple Vulnerabilities (Mac OS X) plugin ID 66989.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl macosx_firefox_22.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a macosx_firefox_22.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - macosx_firefox_22.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state macosx_firefox_22.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: CWE | Common Weakness Enumeration:
  • CWE-20 (Weakness) Improper Input Validation
  • CWE-74 (Weakness) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-79 (Weakness) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-442 (Category) DEPRECATED: Web Problems
  • CWE-629 (View) Weaknesses in OWASP Top Ten (2007)
  • CWE-711 (View) Weaknesses in OWASP Top Ten (2004)
  • CWE-712 (Category) OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
  • CWE-722 (Category) OWASP Top Ten 2004 Category A1 - Unvalidated Input
  • CWE-725 (Category) OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
  • CWE-750 (View) Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
  • CWE-751 (Category) 2009 Top 25 - Insecure Interaction Between Components
  • CWE-800 (View) Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
  • CWE-801 (Category) 2010 Top 25 - Insecure Interaction Between Components
  • CWE-809 (View) Weaknesses in OWASP Top Ten (2010)
  • CWE-811 (Category) OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
  • CWE-864 (Category) 2011 Top 25 - Insecure Interaction Between Components
  • CWE-900 (View) Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors
  • CWE-928 (View) Weaknesses in OWASP Top Ten (2013)
  • CWE-931 (Category) OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
  • CWE-990 (Category) SFP Secondary Cluster: Tainted Input to Command
See also: Similar and related Nessus plugins:
  • 66996 - CentOS 5 / 6 : firefox / xulrunner (CESA-2013:0981)
  • 66997 - CentOS 5 / 6 : thunderbird (CESA-2013:0982)
  • 67101 - Debian DSA-2716-1 : iceweasel - several vulnerabilities
  • 67201 - Debian DSA-2720-1 : icedove - several vulnerabilities
  • 66999 - FreeBSD : mozilla -- multiple vulnerabilities (b3fcb387-de4b-11e2-b1c6-0025905a4771)
  • 70183 - GLSA-201309-23 : Mozilla Products: Multiple vulnerabilities
  • 66988 - Firefox ESR 17.x < 17.0.7 Multiple Vulnerabilities (Mac OS X)
  • 66991 - Thunderbird ESR 17.x < 17.0.7 Multiple Vulnerabilities (Mac OS X)
  • 66990 - Thunderbird < 17.0.7 Multiple Vulnerabilities (Mac OS X)
  • 66992 - Firefox ESR 17.x < 17.0.7 Multiple Vulnerabilities
  • 66993 - Firefox < 22.0 Multiple Vulnerabilities
  • 66995 - Mozilla Thunderbird ESR 17.x < 17.0.7 Multiple Vulnerabilities
  • 66994 - Mozilla Thunderbird < 17.0.7 Multiple Vulnerabilities
  • 75071 - openSUSE Security Update : MozillaThunderbird (openSUSE-SU-2013:1141-1)
  • 75072 - openSUSE Security Update : xulrunner (openSUSE-SU-2013:1143-1)
  • 75073 - openSUSE Security Update : MozillaFirefox (openSUSE-SU-2013:1142-1)
  • 75081 - openSUSE Security Update : seamonkey (openSUSE-SU-2013:1180-1)
  • 68839 - Oracle Linux 5 / 6 : firefox (ELSA-2013-0981)
  • 68840 - Oracle Linux 6 : thunderbird (ELSA-2013-0982)
  • 66979 - RHEL 5 / 6 : firefox (RHSA-2013:0981)
  • 66980 - RHEL 5 / 6 : thunderbird (RHSA-2013:0982)
  • 66983 - Scientific Linux Security Update : firefox on SL5.x, SL6.x i386/x86_64 (20130625)
  • 66984 - Scientific Linux Security Update : thunderbird on SL5.x, SL6.x i386/x86_64 (20130625)
  • 67195 - SuSE 11.2 Security Update : Mozilla Firefox (SAT Patch Number 7976)
  • 68949 - SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 8001)
  • 67198 - SuSE 10 Security Update : Mozilla Firefox (ZYPP Patch Number 8636)
  • 67000 - Ubuntu 12.04 LTS / 12.10 / 13.04 : firefox vulnerabilities (USN-1890-1)
  • 67186 - Ubuntu 12.04 LTS / 12.10 / 13.04 : firefox regression (USN-1890-2)
  • 67001 - Ubuntu 12.04 LTS / 12.10 / 13.04 : thunderbird vulnerabilities (USN-1891-1)
  • 23942 - CentOS 4 : Firefox (CESA-2006:0758)
  • 67323 - Fedora 18 : firefox-22.0-1.fc18 / thunderbird-17.0.7-1.fc18 / xulrunner-22.0-1.fc18 (2013-11776)
  • 67325 - Fedora 17 : firefox-22.0-1.fc17 / thunderbird-17.0.7-1.fc17 / xulrunner-22.0-1.fc17 (2013-11799)
  • 67430 - Oracle Linux 4 : firefox (ELSA-2006-0758)
  • 23960 - RHEL 4 : firefox (RHSA-2006:0758)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file macosx_firefox_22.nasl version 1.15. For more plugins, visit the Nessus Plugin Library.

Go back to menu.