
KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- - KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74


- --- 0.Description ---
KDELibs is a collection of libraries built on top of Qt that provides
frameworks and functionality for developers of KDE-compatible software.
The KDELibs libraries are licensed under the LGPL.


- --- 1. KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem is in the dtoa implementation. KDE's dtoa algorithm is
very similar to the one in the BSDs, Chrome and the Mozilla products. The
problem is in the file dtoa.cpp

http://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup

and it is the same issue as SREASONRES:20090625,

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not sufficient.
More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can construct a floating-point number that makes dtoa overwrite memory.
Kmax is defined as 15, but the dtoa functions never check the requested
size class k against Kmax, so the freelist array can be indexed at
element 16 or higher.


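The allocation path described above, as an added example written for this page (it is not KDE's dtoa.cpp and not any vendor's patch from the Fix section): it models David Gay's dtoa Balloc()/Bfree() size-class freelist with Kmax 15, computes from the standard s2b() sizing formula how many decimal digits push the size class k past Kmax, and shows the hardened form in which k > Kmax bypasses the freelist entirely, the shape of bound check later dtoa.c releases carry. Assumptions: that KDE's copy uses the same s2b() formula as upstream dtoa (the digit threshold is derived from that formula); the function names Balloc, Bfree and s2b are the upstream ones, while malloc_fallbacks, min_digits_for_k and the two check functions are made up for this demo. The original unchecked freelist[k] access is kept as a predicate rather than executed, since running it is the memory corruption itself.

```c
/* Added example for this page: a model of dtoa's Balloc()/Bfree() with the
 * post-CVE-2009-0689 bound.  Not KDE code; assumes upstream s2b() sizing. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define Kmax 15   /* dtoa's freelist bound; the advisory reports 15 for kdelibs */

typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;
    uint32_t x[1];             /* 2^k words of digits follow in the same allocation */
} Bigint;

static Bigint *freelist[Kmax + 1];   /* valid indices are 0..Kmax only */
int malloc_fallbacks = 0;            /* demo counter: how often k > Kmax took the heap path */

/* s2b() sizing: k is the smallest power of two (2^k 32-bit words) that
 * holds the literal's nd decimal digits, about 9 digits per word. */
int s2b_k(size_t nd)
{
    size_t x = (nd + 8) / 9, y = 1;
    int k = 0;
    while (x > y) { y <<= 1; k++; }
    return k;
}

/* Demo helper: smallest digit count for which s2b_k() returns k (k >= 1);
 * one word more than 2^(k-1) forces the next power of two. */
size_t min_digits_for_k(int k)
{
    size_t x = ((size_t)1 << (k - 1)) + 1;
    return 9 * x - 8;
}

/* The vulnerable Balloc()/Bfree() used freelist[k] unconditionally; this
 * predicate is the missing bound, kept separate so the overrun itself is
 * never executed here. */
int unchecked_index_overruns(int k) { return k > Kmax; }

/* Hardened Balloc(): k > Kmax never indexes freelist and always mallocs. */
Bigint *Balloc(int k)
{
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;          /* recycle a block of this size class */
    } else {
        size_t x = (size_t)1 << k;
        rv = malloc(sizeof(Bigint) + (x - 1) * sizeof(uint32_t));
        if (rv == NULL) abort();
        if (k > Kmax) malloc_fallbacks++;
        rv->k = k;
        rv->maxwds = (int)x;
    }
    rv->next = NULL;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hardened Bfree(): the original stored into freelist[v->k] for any k,
 * which is the freelist overrun the advisory describes. */
void Bfree(Bigint *v)
{
    if (v == NULL) return;
    if (v->k > Kmax) {
        free(v);                          /* oversized blocks are not cached */
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Small size classes still round-trip through the freelist. */
int freelist_recycles_small(void)
{
    Bigint *a = Balloc(3);
    Bfree(a);
    Bigint *b = Balloc(3);
    int same = (a == b);
    Bfree(b);
    return same;
}

/* Walk the path a ~295k-digit literal takes: k == 16, one past freelist[Kmax]. */
int oversized_literal_is_safe(void)
{
    int k = s2b_k(min_digits_for_k(16));
    Bigint *b = Balloc(k);
    int ok = (k == 16) && (b->k == 16) && (b->maxwds == 65536);
    Bfree(b);                             /* must not touch freelist[16] */
    return ok;
}

int main(void)
{
    printf("digits needed for k=16: %zu\n", min_digits_for_k(16));
    printf("unchecked freelist[16] overruns: %d\n", unchecked_index_overruns(16));
    printf("hardened path safe: %d, recycles small: %d\n",
           oversized_literal_is_safe(), freelist_recycles_small());
    return 0;
}
```

Under the s2b() formula the threshold comes out at 294913 digits for k = 16, the first index past freelist[Kmax]; a numeric literal of at least that many digits in a script is what reaches the unchecked index, which is the "16<=" case the advisory names. The hardened pair differs from the vulnerable one only in the two k > Kmax branches; everything below Kmax still uses the per-size freelist, so the fix costs nothing on normal input.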
- --- 2. Proof of Concept  (PoC) ---

- -----------------------

- -----------------------

Opening this PoC in Konqueror crashes it. For example:

- -----------------------

- -----------------------

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 24845, thread 0x7e6e6800]
0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0

0x06db85c3 :  mov    %esi,(%ecx)

#0  0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
#1  0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0
#2  0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0
#3  0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0
#4  0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0
#5  0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0
#6  0x0908337f in KJS::InterpreterImp::evaluate ()

(gdb) i r
eax            0x0      0
ecx            0x220ff000       571469824
edx            0x0      0
ebx            0x220fbb00       571456256
esp            0xcfbc04e0       0xcfbc04e0
ebp            0xcfbc0518       0xcfbc0518
esi            0xc71c71c7       -954437177
edi            0x0      0
eip            0x21415c3        0x21415c3

esi=0x71c71c7


- --- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been confirmed in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue, but it did not. Even greater confusion was caused
by the new CVE number "CVE-2009-1563". Secunia reported that this
vulnerability had only been detected in Mozilla Firefox, while nobody was
aware that the problem also affects other products (KDE, Chrome) and that
it is the same bug as "CVE-2009-0689". After some time the Mozilla
Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the
JavaScript PoC from Secunia forced us to officially notify all other
vendors. We are publishing individual advisories to formally list all the
vulnerable software and to avoid wrong CVE numbers. We do not see any
other way to get this issue fixed in all products.


- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


- --- 6. Greets ---
Infospec p_e_a pi3


- --- 7. Contact ---
Email:
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAksF2HsACgkQpiCeOKaYa9abFgCeOj6IX5FzaAq60qQ3TUPGUiU6
KJkAoJiZ0eZtGXR0GvwfPT4y5A4yKFqw
=hMGC
-----END PGP SIGNATURE-----
