Stack-based buffer overflow in maintenanceservice.exe in the Mozilla Maintenance Service in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via a long pathname on the command line.

This update to Firefox 17.0.8esr (bnc#833389) addresses :

  - (bmo#855331, bmo#844088, bmo#858060, bmo#870200,     bmo#874974, bmo#861530, bmo#854157, bmo#893684,     bmo#878703, bmo#862185, bmo#879139, bmo#888107,     bmo#880734). (MFSA 2013-63 / CVE-2013-1701 /     CVE-2013-1702)

Miscellaneous memory safety hazards have been fixed (rv:23.0 / rv:17.0.8) :

  - (bmo#888314, bmo#888361) Buffer overflow in Mozilla     Maintenance Service and Mozilla Updater. (MFSA 2013-66 /     CVE-2013-1706 / CVE-2013-1707)

  - (bmo#848253) Document URI misrepresentation and     masquerading. (MFSA 2013-68 / CVE-2013-1709)

  - (bmo#871368) CRMF requests allow for code execution and     XSS attacks. (MFSA 2013-69 / CVE-2013-1710)

  - (bmo#859072) Further Privilege escalation through     Mozilla Updater. (MFSA 2013-71 / CVE-2013-1712)

  - (bmo#887098) Wrong principal used for validating URI for     some JavaScript components. (MFSA 2013-72 /     CVE-2013-1713)

  - (bmo#879787) Same-origin bypass with web workers and     XMLHttpRequest. (MFSA 2013-73 / CVE-2013-1714)

  - (bmo#406541) Local Java applets may read contents of     local file system. (MFSA 2013-75 / CVE-2013-1717)

The Mozilla Project reports :

MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

MFSA 2013-64 Use after free mutating DOM during SetBody

MFSA 2013-65 Buffer underflow when generating CRMF requests

MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater

MFSA 2013-67 Crash during WAV audio file decoding

MFSA 2013-68 Document URI misrepresentation and masquerading

MFSA 2013-69 CRMF requests allow for code execution and XSS attacks

MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes

MFSA 2013-71 Further Privilege escalation through Mozilla Updater

MFSA 2013-72 Wrong principal used for validating URI for some JavaScript components

MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest

MFSA 2013-74 Firefox full and stub installer DLL hijacking

MFSA 2013-75 Local Java applets may read contents of local file system

Versions of Mozilla Firefox earlier than version 23.0 are prone to the following vulnerabilities:

  - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)

  - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)

  - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)

  - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)

  - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)

  - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)

  - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)

  - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)

Versions of Mozilla Firefox earlier than version 23.0 are prone to the following vulnerabilities:

  - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)

  - A use-after-free vulnerability occurs when the Document Object Model is modified during a SetBody mutation event. (CVE-2013-1704)

  - A use-after-free vulnerability occurs when generating a Certificate Request Message Format (CRMF) request with certain parameters. (CVE-2013-1705)

  - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)

  - A denial-of-service vulnerability occurs when decoding of 'WAV' format audio files. (CVE-2013-1708)

  - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)

  - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)

  - A cross-site scripting vulnerability occurs by bypassing XrayWrappers from within the Chrome on unprivileged objects, using XBL Scopes. (CVE-2013-1711)

  - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)

  - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)

  - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)

  - A DLL hijacking vulnerability occurs that leads to arbitrary code execution. This issue affects the Firefox Full installer and Stub installer. (CVE-2013-1715)

  - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)

Versions of Mozilla SeaMonkey earlier than version 2.20 are prone to the following vulnerabilities:

  - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)

  - A use-after-free vulnerability occurs when the Document Object Model is modified during a SetBody mutation event. (CVE-2013-1704)

  - A use-after-free vulnerability occurs when generating a Certificate Request Message Format (CRMF) request with certain parameters. (CVE-2013-1705)

  - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)

  - A denial-of-service vulnerability occurs when decoding of 'WAV' format audio files. (CVE-2013-1708)

  - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)

  - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)

  - A cross-site scripting vulnerability occurs by bypassing XrayWrappers from within the Chrome on unprivileged objects, using XBL Scopes. (CVE-2013-1711)

  - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)

  - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)

  - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)

  - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)

Versions of Mozilla Firefox prior to version 17.0.8 are prone to the following vulnerabilities :

 - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)
 - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)
 - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)
 - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)
 - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)
 - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)
 - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)
 - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)

Versions of Mozilla Firefox earlier than version 23.0 are prone to the following vulnerabilities :

 - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)
 - A use-after-free vulnerability occurs when the Document Object Model is modified during a SetBody mutation event. (CVE-2013-1704)
 - A use-after-free vulnerability occurs when generating a Certificate Request Message Format (CRMF) request with certain parameters. (CVE-2013-1705)
 - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)
 - A denial-of-service vulnerability occurs when decoding of 'WAV' format audio files. (CVE-2013-1708)
 - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)
 - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)
 - A cross-site scripting vulnerability occurs by bypassing XrayWrappers from within the Chrome on unprivileged objects, using XBL Scopes. (CVE-2013-1711)
 - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)
 - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)
 - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)
 - A DLL hijacking vulnerability occurs that leads to arbitrary code execution. This issue affects the Firefox Full installer and Stub installer. (CVE-2013-1715)
 - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)

Versions of SeaMonkey earlier than version 2.20 are prone to the following vulnerabilities :

 - Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution. (CVE-2013-1701, CVE-2013-1702)
 - A use-after-free vulnerability occurs when the Document Object Model is modified during a SetBody mutation event. (CVE-2013-1704)
 - A use-after-free vulnerability occurs when generating a Certificate Request Message Format (CRMF) request with certain parameters. (CVE-2013-1705)
 - Multiple stack-based buffer overflow vulnerabilities occur in both the Maintenance Service and the Mozilla Updater when unexpectedly long paths were encountered. (CVE-2013-1706, CVE-2013-1707)
 - A denial-of-service vulnerability occurs when decoding of 'WAV' format audio files. (CVE-2013-1708)
 - A cross-site scripting vulnerability affects the application. An attacker can exploit this issue through an interaction of frames and browser history. (CVE-2013-1709)
 - A remote code execution and cross-site scripting vulnerability occurs when generating a Certificate Request Message Format (CRMF) request. (CVE-2013-1710)
 - A cross-site scripting vulnerability occurs by bypassing XrayWrappers from within the Chrome on unprivileged objects, using XBL Scopes. (CVE-2013-1711)
 - A privilege-escalation vulnerability occurs due to an error when using Mozilla Updater. An attacker can exploit this issue to load a specific malicious DLL file from the local system using the Mozilla Updater, and can able to execute the DLL in a privileged context through the Mozilla Maintenance Service's privileges. (CVE-2013-1712)
 - A same-origin security-bypass vulnerability exists because wrong principal is used for validating URI for some Javascript components. (CVE-2013-1713)
 - A same-origin security-bypass vulnerability occurs due to an error with web workers and XMLHttpRequest. (CVE-2013-1714)
 - An information-disclosure vulnerability occurs due to an unspecified error with Java applets. This issue leads to disclose contents of local file system when loaded using the a 'file:/// URI'. (CVE-2013-1717)
 - Stored cross-site scripting vulnerability due to insufficient input validation of 'data:' URLs in iframe elements. (CVE-2013-6674)

The installed version of Thunderbird ESR 17.x is earlier than 17.0.8 and is, therefore, potentially affected the following vulnerabilities:

  - Various errors exist that could allow memory corruption     conditions. (CVE-2013-1701)

  - Errors exist related to the update service and     'maintenanceservice.exe' that could allow buffer     overflows when handling unexpectedly long path values.
    (CVE-2013-1706, CVE-2013-1707)

  - Unspecified errors exist related to HTML frames and     history handling, JavaScript URI handling and web     workers using 'XMLHttpRequest' that could allow     cross-site scripting attacks. (CVE-2013-1709,     CVE-2013-1713, CVE-2013-1714)

  - An unspecified error exists related to generating     'Certificate Request Message Format' (CRMF) requests     that could allow cross-site scripting attacks.
    (CVE-2013-1710)

  - A DLL path loading error exists related to the update     service that could allow execution of arbitrary code.
    Note this issue affects Microsoft Windows versions 7     and greater. (CVE-2013-1712)

  - An error exists related to Java applets and 'file:///'     URIs that could allow read-only access to arbitrary     files. (CVE-2013-1717)

The installed version of Thunderbird is a version prior to 17.0.8 and is, therefore, potentially affected by the following vulnerabilities :

  - Various errors exist that could allow memory corruption     conditions. (CVE-2013-1701, CVE-2013-1702)

  - Use-after-free errors exist related to DOM modification     when using 'SetBody' and generating a 'Certificate     Request Message'. (CVE-2013-1704, CVE-2013-1705)

  - Errors exist related to the update service and     'maintenanceservice.exe' that could allow buffer     overflows when handling unexpectedly long path values.
    (CVE-2013-1706, CVE-2013-1707)

  - An error exists in the function 'nsCString::CharAt'     that could allow application crashes when decoding     specially crafted WAV audio files. (CVE-2013-1708)

  - Unspecified errors exist related to HTML frames and     history handling, 'XrayWrappers', JavaScript URI     handling and web workers using 'XMLHttpRequest' that     could allow cross-site scripting attacks.
    (CVE-2013-1709, CVE-2013-1711, CVE-2013-1713,     CVE-2013-1714)

  - An unspecified error exists related to generating     'Certificate Request Message Format' (CRMF) requests     that could allow cross-site scripting attacks.
    (CVE-2013-1710)

  - DLL path loading errors exist related to the update     service, full installer and the stub installer that     could allow execution of arbitrary code.
    (CVE-2013-1712, CVE-2013-1715)

  - An error exists related to Java applets and 'file:///'     URIs that could allow read-only access to arbitrary     files. (CVE-2013-1717)

The installed version of Firefox is earlier than 23.0 and is, therefore, potentially affected by the following vulnerabilities :

  - Various errors exist that could allow memory corruption     conditions. (CVE-2013-1701, CVE-2013-1702)

  - Use-after-free errors exist related to DOM modification     when using 'SetBody' and generating a 'Certificate     Request Message'. (CVE-2013-1704, CVE-2013-1705)

  - Errors exist related to the update service and     'maintenanceservice.exe' that could allow buffer     overflows when handling unexpectedly long path values.
    (CVE-2013-1706, CVE-2013-1707)

  - An error exists in the function 'nsCString::CharAt'     that could allow application crashes when decoding     specially crafted WAV audio files. (CVE-2013-1708)

  - Unspecified errors exist related to HTML frames and     history handling, 'XrayWrappers', JavaScript URI     handling and web workers using 'XMLHttpRequest' that     could allow cross-site scripting attacks.
    (CVE-2013-1709, CVE-2013-1711, CVE-2013-1713,     CVE-2013-1714)

  - An unspecified error exists related to generating     'Certificate Request Message Format' (CRMF) requests     that could allow cross-site scripting attacks.
    (CVE-2013-1710)

  - DLL path loading errors exist related to the update     service, full installer and the stub installer that     could allow execution of arbitrary code.
    (CVE-2013-1712, CVE-2013-1715)

  - An error exists related to Java applets and 'file:///'     URIs that could allow read-only access to arbitrary     files. (CVE-2013-1717)

The installed version of Firefox ESR 17.x is earlier than 17.0.8, and is, therefore, potentially affected by the following vulnerabilities :

  - Various errors exist that could allow memory corruption     conditions. (CVE-2013-1701)

  - Errors exist related to the update service and     'maintenanceservice.exe' that could allow buffer     overflows when handling unexpectedly long path values.
    (CVE-2013-1706, CVE-2013-1707)

  - Unspecified errors exist related to HTML frames and     history handling, JavaScript URI handling and web     workers using 'XMLHttpRequest' that could allow     cross-site scripting attacks. (CVE-2013-1709,     CVE-2013-1713, CVE-2013-1714)

  - An unspecified error exists related to generating     'Certificate Request Message Format' (CRMF) requests     that could allow cross-site scripting attacks.
    (CVE-2013-1710)

  - A DLL path loading error exists related to the update     service that could allow execution of arbitrary code.
    Note this issue affects Microsoft Windows versions 7     and greater. (CVE-2013-1712)

  - An error exists related to Java applets and 'file:///'     URIs that could allow read-only access to arbitrary     files. (CVE-2013-1717)

ID	Name	Product	Family	Severity
69344	SuSE 11.2 / 11.3 Security Update : Mozilla Firefox (SAT Patch Numbers 8187 / 8191)	Nessus	SuSE Local Security Checks	critical
69343	SuSE 11.2 / 11.3 Security Update : Mozilla Firefox (SAT Patch Numbers 8187 / 8191)	Nessus	SuSE Local Security Checks	critical
69278	FreeBSD : mozilla -- multiple vulnerabilities (0998e79d-0055-11e3-905b-0025905a4771)	Nessus	FreeBSD Local Security Checks	critical
801464	Mozilla Thunderbird < 17.0.8 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	medium
801463	Mozilla Firefox < 23.0 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	medium
801462	Mozilla SeaMonkey < 2.20 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	medium
6979	Mozilla Thunderbird < 17.0.8 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
6978	Mozilla Firefox < 23.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
6977	SeaMonkey < 2.20 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
69271	Mozilla Thunderbird ESR 17.x < 17.0.8 Multiple Vulnerabilities	Nessus	Windows	critical
69270	Mozilla Thunderbird < 17.0.8 Multiple Vulnerabilities	Nessus	Windows	critical
69269	Firefox < 23.0 Multiple Vulnerabilities	Nessus	Windows	critical
69268	Firefox ESR 17.x < 17.0.8 Multiple Vulnerabilities	Nessus	Windows	critical

Detections

Analytics

CVE-2013-1706

high

Tenable Plugins

critical

critical

critical

medium

medium

medium

high

high

high

critical

critical

critical

critical