MoBB #28: Mozilla Navigator Object
The following bug (mfsa2006-45) was tested on Firefox 220.127.116.11 running on Windows 2000 SP4, Windows XP SP2, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 18.104.22.168 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems, execute "touch /tmp/METASPLOIT" on Linux systems, and bind a command shell to port 4444 for Mac OS X Intel and PowerPC systems (thanks Todd and nemo!).
window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);
This bug has been added to the OSVDB:
Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution