(see video link at the bottom ;>) * Name : FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak * : FireFox 2.0.0.11 Remote Denial of Service * Type : Remote Information Disclosure * Impact : Medium / High * Credits: Gynvael Coldwind / Hispasec / Team Vexillium * Special thanks to udevd and porneL * Brief Opera and FireFox contains vulnerable code for handling BMP files with partial palette. The code allows to craft a BMP file that leaks information from the heap. This information can be sent to remote server using canvas tag (HTML 5) and javascript. Also other browser (for example Apple Safari) contain vulnerable BMP handling code, but since there is no way of acquiring the image data (due to not all canvas method being implemented), it doesn't pose a serious threat (hmm... then again, maybe the attacker could convince the user to do a screenshot and send it to the attacker :) As a matter of fact Apple Safari has a simillar problem with certain GIF files. * Verbose The BMP format has a field in the BITMAPINFOHEADER named biClrUsed, the field says how many colors does the palette contain. If this field is 0, then 256 color palette is used. When this field is not 0, the palette has the given number of colors. Both browsers either allocate to just the "right" amount of memory (using the equation biClrUsed * sizeof(RGB)), or forget to zero the allocated palette. In this case, if a color from the upper (non existing or not zeroed) part of the palette is used, soem information is copied to the screen as a colorful pixel. If the attacker creates a BMP file with biClrUser = 0, and fills it with gradient, from 0 to 255: 00 01 02 03 04 05 ... and so on, the displayed BMP will in fact copy the palette to the screen, which of course means that it copies the data lying on the heap to the screen. The attacker could also use HTML 5 tag canvas to aquire pixel color information from the bitmap, and then use javascript to post it to a remote server. The harvested data contains various information including parts of other websites, users "favorites" and history, and other information. This has been tested, a proof of concept exploit has been created, but will not yet be released. * Versions affected and vendor status FireFox 2.0.0.11 and prior that support canvas.getImageData or any other method to aquire image data are affected. The vendor was informed and has released a non vulnerable version of the application - 2.0.0.12. Opera 9.24 is not affected due to not supporting canvas.getImageData. The newer beta versions are affected (9.50 beta). The vendor was informed and has released a non vulnerable version of the application - 9.25. Other vendors were also informed. * Additional info FireFox 2.0.0.11 may crash when using this vulnerability due to heap boundary error (read access violation). So it is possible to remotly crash the browser. * Video demonstration A video demonstration of the vulnerability can be found on the following sites: http://blog.hispasec.com/lab/ http://vexillium.org/?sec-ff * Disclaimer This document and all the information it contains is provided "as is", without any warranty. The author is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. -- gynvael.coldwind//vx Hispasec