Opera 10.01 Remote Array Overrun (Arbitrary code execution)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73


--- 0. Description ---
Opera is a Web browser and Internet suite developed by the Opera Software company. The browser handles common Internet-related tasks such as displaying Web sites, sending and receiving e-mail messages, managing contacts, IRC online chatting, downloading files via BitTorrent, and reading Web feeds. Opera is offered free of charge for personal computers and mobile phones.

--- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---
The main problem is in the dtoa implementation. Opera's dtoa algorithm is very similar to the one used by the BSDs, Chrome and the Mozilla products, and this is the same issue as SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

The fix for SREASONRES:20090625 used by OpenBSD was, however, not sufficient. More information about the fix for OpenBSD and similar implementations is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

A sufficiently long floating-point literal causes memory to be overwritten. Kmax is defined as 15, but the dtoa functions do not check against the Kmax limit, so elements 16 and above of the freelist array can be accessed.
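As an added example (this is example code modelled on the Balloc/Bfree freelist pattern in David Gay's dtoa.c, the code family Opera's dtoa resembles, and not Opera's own implementation), the following C program shows the unchecked freelist indexing described above beside a checked version. The digit-to-k sizing loop copies the one in dtoa's s2b(), so k_for_digits() reports which freelist slot a literal of a given length lands in, and min_digits_past_kmax() finds the shortest literal that reaches slot 16. The names balloc_unchecked, bfree_unchecked, balloc_checked, bfree_checked, new_block, freelist_len and checked_roundtrip_ok are this example's own; freelist_len and checked_roundtrip_ok exist only to make the behaviour observable.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the Bigint freelist in David Gay's dtoa.c, the code
 * family Opera's dtoa resembles; example code, not Opera's implementation. */
#define Kmax 15
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;   /* k: freelist slot; block holds 1 << k words */
    unsigned int x[1];
} Bigint;
static Bigint *freelist[Kmax + 1];  /* valid slots are 0 .. Kmax only */

/* Same sizing loop as s2b() in dtoa.c: nd decimal digits need (nd + 8) / 9
 * words, and k is the smallest value with (1 << k) >= that word count. */
int k_for_digits(long nd) {
    long x = (nd + 8) / 9, y;
    int k;
    for (k = 0, y = 1; x > y; y <<= 1, k++) ;
    return k;
}

/* Shortest literal whose Bigint needs a slot past Kmax (brute force). */
long min_digits_past_kmax(void) {
    long nd = 1;
    while (k_for_digits(nd) <= Kmax) nd++;
    return nd;
}

static Bigint *new_block(int k) {
    int x = 1 << k;
    Bigint *rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int));
    if (rv == NULL) return NULL;
    rv->k = k; rv->maxwds = x;
    return rv;
}

/* VULNERABLE (pre-fix) pattern: freelist[k] is used with no check that
 * k <= Kmax, so k == 16 reads and writes whatever lies past the array. */
Bigint *balloc_unchecked(int k) {
    Bigint *rv;
    if ((rv = freelist[k]) != NULL)          /* OOB read when k > Kmax */
        freelist[k] = rv->next;
    else if ((rv = new_block(k)) == NULL)
        return NULL;
    rv->sign = rv->wds = 0;
    return rv;
}

void bfree_unchecked(Bigint *v) {
    if (v == NULL) return;
    v->next = freelist[v->k];                /* OOB read ...                */
    freelist[v->k] = v;                      /* ... and write when k > Kmax */
}

/* FIXED: oversized blocks bypass the freelist and go to malloc/free. */
Bigint *balloc_checked(int k) {
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL)
        freelist[k] = rv->next;
    else if ((rv = new_block(k)) == NULL)
        return NULL;
    rv->sign = rv->wds = 0;
    return rv;
}

void bfree_checked(Bigint *v) {
    if (v == NULL) return;
    if (v->k > Kmax) { free(v); return; }    /* never touches freelist[16+] */
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Cached blocks in slot k, or -1 when k is not a valid slot (example helper). */
int freelist_len(int k) {
    int n = 0;
    if (k < 0 || k > Kmax) return -1;
    for (Bigint *p = freelist[k]; p != NULL; p = p->next) n++;
    return n;
}

/* Fixed path: a slot-16 block is released outright, a slot-3 block
 * round-trips through freelist[3].  Returns 1 on success. */
int checked_roundtrip_ok(void) {
    Bigint *big = balloc_checked(Kmax + 1), *small = balloc_checked(3);
    if (big == NULL || small == NULL || big->maxwds != (1 << (Kmax + 1))) return 0;
    bfree_checked(big);                      /* free(): no slot touched */
    bfree_checked(small);                    /* pushed onto freelist[3] */
    if (freelist_len(3) != 1 || balloc_checked(3) != small) return 0;
    bfree_checked(small);
    return freelist_len(3) == 1;
}

int main(void) {
    long nd = min_digits_past_kmax();
    printf("Kmax=%d: a %ld-digit literal needs slot %d, past the array; fixed round-trip %s\n",
           Kmax, nd, k_for_digits(nd), checked_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

With Kmax at 15, the first out-of-bounds slot (16) is reached by a literal with 294913 significant digits, which is why a single very long number is enough to trigger the bug. The checked variant is the shape of the fix: a Bigint whose k exceeds Kmax is obtained from malloc() and released with free() without ever being threaded onto the freelist, so no index beyond Kmax is read or written.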


--- 2. Proof of Concept (PoC) ---

-----------------------

-----------------------

Opening this PoC in Opera crashes the browser. For example:

-----------------------

-----------------------

OPERA-CRASHLOG V1 desktop 10.01 1844 windows
Opera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)

Registers:
EAX=01165C40   EBX=0592064C   ECX=A0D589D4   EDX=42000000   ESI=C20471EC
EDI=00000000   EBP=0012E384   ESP=0012E2FC   EIP=67956906 FLAGS=00010202
CS=001B   DS=0023   SS=0023   ES=0023   FS=003B   GS=0000
FPU stack:
C020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800
3FC78000000000000000 10000000000100000000 0BBE0000000000040000
00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F

127# gdb -q opera opera.core
...
Program terminated with signal 11, Segmentation fault.
#0  0x2960307b in ?? ()
...
(gdb) i r
eax            0x71c71c71       1908874353
ecx            0x2aa03be4       715144164
edx            0x0      0
ebx            0x296177f8       694253560
esp            0xbfbfb650       0xbfbfb650
ebp            0xbfbfb698       0xbfbfb698
esi            0x2962d000       694341632
edi            0x0      0
eip            0x2960307b       0x2960307b
...
(gdb) x/100x ($esi)-90
0x2962cfa6:     0x71c71c71      0x1c71c71c      0xc71c71c7      0x71c71c71
0x2962cfb6:     0x1c71c71c      0xc71c71c7      0x71c71c71      0x1c71c71c
0x2962cfc6:     0xc71c71c7      0x71c71c71      0x1c71c71c      0xc71c71c7
0x2962cfd6:     0x71c71c71      0x1c71c71c      0xc71c71c7      0x71c71c71
0x2962cfe6:     0x1c71c71c      0xc71c71c7      0x71c71c71      0x1c71c71c
0x2962cff6:     0xc71c71c7      0x71c71c71      Cannot access memory at address 0x2962cffe
...


--- 3. SecurityReason Note ---

Officially SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia informed that this vulnerability had only been detected in Mozilla Firefox, but nobody was aware that the problem affects other products (like KDE and Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in JavaScript (from Secunia) forced us to officially notify all other vendors. We publish all the individual advisories to formally show all vulnerable software and to avoid wrong CVE numbers. We do not see any other way to fix this issue in all products.


--- 4. Fix ---
Opera fix:
The vulnerability was fixed in the latest release candidate, Opera RC3: http://snapshot.opera.com/windows/Opera_1010_1890_in.exe
The final version of Opera with the fix can be expected shortly.

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksF2G8ACgkQpiCeOKaYa9YMzACgwvAI8oo1UP6GwlmGq3m+gkHm
mVoAnArUxHXAPkrpEPOOLi4X99l5sAFh
=VtH9
-----END PGP SIGNATURE-----
