Mozilla Firefox/Thunderbird up to 2.x _cairo_pen_init stroke-width memory corruption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.0 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in Mozilla Firefox and Thunderbird up to 2.x and classified as critical. Impacted is the function _cairo_pen_init. This manipulation of the argument stroke-width causes memory corruption.
This vulnerability is tracked as CVE-2007-0776. No exploit exists.
The affected component should be upgraded.
Details
A vulnerability classified as critical was found in Mozilla Firefox and Thunderbird up to 2.x (Web Browser). Affected by this vulnerability is the function _cairo_pen_init. The manipulation of the argument stroke-width with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Heap-based buffer overflow in the _cairo_pen_init function in Mozilla Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to execute arbitrary code via a large stroke-width attribute in the clipPath element in an SVG file.
The bug was discovered 02/23/2007. The weakness was disclosed 02/23/2007 by Tom Ferris (moz_bug_r_a4) with Martijn Wargers as confirmed advisory (CERT.org). It is possible to read the advisory at kb.cert.org. This vulnerability is known as CVE-2007-0776 since 02/06/2007. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit.
It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 24716 (Fedora Core 5 : firefox-1.5.0.10-1.fc5 (2007-281)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Fedora Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 165087 (SUSE Security Update for Mozilla Firefox,SeaMonkey (SUSE-SA:2007:019)).
Upgrading to version 2.x eliminates this vulnerability. A possible mitigation has been published 3 days after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 8954.
The vulnerability is also documented in the databases at X-Force (32698), Tenable (24716), SecurityFocus (BID 22694†), OSVDB (32113†) and Secunia (SA24205†). The entries VDB-2704, VDB-2963, VDB-35235 and VDB-35232 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.0
VulDB Base Score: 10.0
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Memory corruptionCWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 24716
Nessus Name: Fedora Core 5 : firefox-1.5.0.10-1.fc5 (2007-281)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 58054
OpenVAS Name: FreeBSD Ports: firefox
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Firefox/Thunderbird 2.x
TippingPoint: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
02/06/2007 🔍02/23/2007 🔍
02/23/2007 🔍
02/23/2007 🔍
02/23/2007 🔍
02/24/2007 🔍
02/24/2007 🔍
02/24/2007 🔍
02/26/2007 🔍
02/26/2007 🔍
02/27/2007 🔍
03/04/2007 🔍
03/13/2015 🔍
01/12/2025 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: kb.cert.org
Researcher: Tom Ferris (moz_bug_r_a4)
Organization: Martijn Wargers
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2007-0776 (🔍)
GCVE (CVE): GCVE-0-2007-0776
GCVE (VulDB): GCVE-100-35227
CERT: 🔍
X-Force: 32698
SecurityFocus: 22694 - Mozilla Thunderbird/SeaMonkey/Firefox Multiple Remote Vulnerabilities
Secunia: 24205 - Mozilla Firefox Multiple Vulnerabilities, Highly Critical
OSVDB: 32113 - Mozilla Firefox SVG _cairo_pen_init Heap Overflow
SecurityTracker: 1017698
Vulnerability Center: 14501 - Mozilla Firefox 2-2.0.0.1 Heap-Based Buffer Overflow Remote Code Execution, Medium
Vupen: ADV-2007-0719
See also: 🔍
Entry
Created: 03/13/2015 12:16Updated: 01/12/2025 17:28
Changes: 03/13/2015 12:16 (98), 07/16/2019 08:05 (2), 01/12/2025 17:28 (16)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.