Mozilla Firefox OnUnload Memory Corruption Vulnerability

BID:22679

Info

Mozilla Firefox OnUnload Memory Corruption Vulnerability

Bugtraq ID: 22679
Class: Design Error
CVE: CVE-2007-1092
Remote: Yes
Local: No
Published: Feb 23 2007 12:00AM
Updated: Mar 19 2015 08:10AM
Credit: Michal Zalewski and Jakob Balle appear to have discovered this vunerability in tandem, independent of one another.
Vulnerable: Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu Linux 6.10 powerpc
Ubuntu Ubuntu Linux 6.10 i386
Ubuntu Ubuntu Linux 6.10 amd64
Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Slackware Linux 10.2
Slackware Linux 11.0
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. openSUSE 10.2
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux 9.3 x86
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.0 x86
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mozilla Firefox 2.0 .1
Mozilla Firefox 1.5.0.9
Mozilla Camino 1.0.3
Mozilla Camino 1.0.2
Mozilla Camino 1.0.1
Mozilla Camino 0.8.4
Mozilla Camino 0.8.3
Mozilla Camino 0.8
Mozilla Camino 0.7 .0
Mozilla Camino 1.5
Mozilla Camino 1.0
Mandriva Linux Mandrake 2007.0 x86_64
Mandriva Linux Mandrake 2007.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
HP HP-UX B.11.23
HP HP-UX B.11.11
Not Vulnerable: Mozilla SeaMonkey 1.0.8
Mozilla Firefox 2.0.0.2
Mozilla Firefox 1.5.0.10
Mozilla Camino 1.5.1

Discussion

Mozilla Firefox OnUnload Memory Corruption Vulnerability

Mozilla Firefox is prone to a remote memory-corruption vulnerability.

Successfully exploiting this issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. This could facilitate the remote compromise of affected computers.

Mozilla Firefox version 2.0.0.1 is vulnerable to this issue; other versions are also likely affected.

Exploit / POC

Mozilla Firefox OnUnload Memory Corruption Vulnerability

The following proof of concept is available:

http://lcamtuf.coredump.cx/ietrap/testme.html

Solution / Fix

Mozilla Firefox OnUnload Memory Corruption Vulnerability

Solution:
The vendor has addressed this issue in version 2.0.0.2.


Mozilla Camino 1.0

Mozilla Camino 1.5

Mozilla Firefox 1.5.0.9

Mozilla Camino 0.7 .0

Mozilla Camino 0.8

Mozilla Camino 0.8.3

Mozilla Camino 0.8.4

Mozilla Camino 1.0.1

Mozilla Camino 1.0.2

Mozilla Camino 1.0.3

Mozilla Firefox 2.0 .1

References

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report