Mozilla JAR Heap Overflow mail exploit v1.37

Vulnerability exploited: CAN-2002-1308 - BID-6185

Category: Exploits/Client Side

By constructing a malformed JAR file containing invalid file length information, it is possible to cause heap corruption in a vulnerable browser. When a client browser attempts to decompress a malicious JAR file, the invalid values are used to allocate buffer space for the inflated data. As there are no checks to prevent this, an overrun condition in the heap may occur if excessive data is decompressed.

This exploit sends a malicious HTML email to the victim's email address. The email contains IMG tags with references to some JAR files. After sending the email, the exploit launches a Web Server module from which the victim's mail reader will try to download the malicious JAR files, and an Asynchronous Agent Connector to which the agents will try to connect. When the victim views the HTML email, and only if the mail reader in use supports HTML mail, the victim's MUA (Mozilla) will contact the Web Server for the JAR files. If this Mozilla is vulnerable, a level 0 agent will be deployed and will try to connect to the Asynchronous Agent Connector.

Note: Mozilla is a threaded application. Sometimes a successful exploitation results in the commit of an unstable level 0 agent, when a thread overwrites the level 0 stack. This happens about 40% of the time. Launching the attack again may result in a successful exploitation.
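The defect described above is a decompressor that sizes its output buffer from the JAR entry's declared uncompressed length and then inflates without checking that bound. The following added example (not code from the module or from Mozilla) shows the check a hardened JAR reader or a mail-gateway scanner would perform: it builds a constructed one-entry JAR whose uncompressed-size field can be forged, then inflates each entry under a limit derived from the header so that a lying header is reported instead of being written past the buffer. The sample file, the `build_jar` helper and the finding messages are assumptions made for this illustration.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header signature

def build_jar(name: bytes, data: bytes, declared_uncompressed=None) -> bytes:
    """Constructed sample: a one-entry JAR made of a single local file header;
    declared_uncompressed forges the uncompressed-size field like the malformed JAR."""
    c = zlib.compressobj(wbits=-15)  # raw deflate, as stored inside ZIP entries
    comp = c.compress(data) + c.flush()
    usize = len(data) if declared_uncompressed is None else declared_uncompressed
    header = struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0,  # version, flags, deflate, time, date
                         zlib.crc32(data), len(comp), usize, len(name), 0)
    return LOCAL_SIG + header + name + comp

def check_jar(blob: bytes) -> list:
    """Walk the local headers and inflate each entry under a bound derived from its
    declared size, so a forged field is reported instead of overrunning a buffer."""
    findings, off = [], 0
    while blob.startswith(LOCAL_SIG, off):
        method, _t, _d, crc, csize, usize, nlen, xlen = struct.unpack_from(
            "<HHHIIIHH", blob, off + 8)
        name = blob[off + 30:off + 30 + nlen].decode("latin-1")
        start = off + 30 + nlen + xlen
        comp, off = blob[start:start + csize], start + csize
        if len(comp) < csize:
            findings.append(f"{name}: compressed data truncated")
            break
        if method == 0:
            out = comp
        elif method == 8:
            try:  # bounded inflate: usize+1 bytes at most; the extra byte is the
                  # probe that reveals a stream larger than the header claims
                out = zlib.decompressobj(wbits=-15).decompress(comp, usize + 1)
            except zlib.error as e:
                findings.append(f"{name}: corrupt deflate stream ({e})")
                continue
        else:
            findings.append(f"{name}: unsupported method {method}")
            continue
        if len(out) > usize:
            findings.append(f"{name}: inflates past declared size {usize} (overrun risk)")
        elif len(out) < usize:
            findings.append(f"{name}: declared {usize} bytes, only {len(out)} inflated")
        elif zlib.crc32(out) != crc:
            findings.append(f"{name}: CRC mismatch")
    return findings
```

A reader that also verifies the central directory against the local headers would catch further inconsistencies; this example deliberately stays with the local header, since that is the field the malformed JAR abuses.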

Supported Systems:
    RedHat Linux 7.3 (i386)
    Mozilla 0.9.7
    Mozilla 0.9.8
    Mozilla 0.9.9
    Mozilla 1.0rc1
    Mozilla 1.0rc2
    Mozilla 1.0.0
    Mozilla 1.0.1
    Mozilla 1.1a
    Mozilla 1.1b
    Mozilla 1.1
    Mozilla 1.2a
    Mozilla 1.2b
This module is included in the latest version of CORE IMPACT, the first automated comprehensive penetration testing product for accurately identifying information security risks.