0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
K-Meleon 1.5.3 Remote Array Overrun
=================================== K-Meleon 1.5.3 Remote Array Overrun =================================== # Title: K-Meleon 1.5.3 Remote Array Overrun # CVE-ID: () # OSVDB-ID: () # Author: Maksymilian Arciemowicz and sp3x # Published: 2009-11-19 # Verified: yes view source print? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ] Author: Maksymilian Arciemowicz and sp3x http://SecurityReason.com Date: - - Dis.: 07.05.2009 - - Pub.: 20.11.2009 CVE: CVE-2009-0689 Risk: High Remote: Yes Affected Software: - - K-Meleon 1.5.3 NOTE: Prior versions may also be affected. - --- 0.Description --- K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems. - --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) --- The main problem exist in dtoa implementation. K-Meleon has the same dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and fix http://securityreason.com/achievement_securityalert/63 but fix for SREASONRES:20090625, used by openbsd was not good. More information about fix for openbsd and similars SREASONRES:20091030, http://securityreason.com/achievement_securityalert/69 We can create any number of float, which will overwrite the memory. In Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist array. - --- 2. Proof of Concept (PoC) --- - ----------------------- <script> var a=0.<?php echo str_repeat("1",296450); ?>; </script> - ----------------------- K-Meleon will crash with Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access violation reading location 0x0bc576ec. 01800754 mov eax,dword ptr [ecx] EAX 00000002 ECX 0BC576EC EDI 028FEB51 - --- 3. SecurityReason Note --- Officialy SREASONRES:20090625 has been detected in: - - OpenBSD - - NetBSD - - FreeBSD - - MacOSX - - Google Chrome - - Mozilla Firefox - - Mozilla Seamonkey - - KDE (example: konqueror) - - Opera - - K-Meleon This list is not yet closed. US-CERT declared that will inform all vendors about this issue, however, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory ("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";) was updated with note : "The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)". This fact ( new CVE number for Firefox Vulnerability )and PoC in javascript (from Secunia), forced us to official notification all other vendors. We publish all the individual advisories, to formally show all vulnerable software and to avoid wrong CVE number. We do not see any other way to fix this issue in all products. Please note: Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa algorithm is not optimal and allows remote Denial of Service in Firefox 3.5.5 giving long float number. - --- 4. Fix --- NetBSD fix (optimal): http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h OpenBSD fix: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c # 0day.today [2024-12-25] #