AOH :: HP Unsorted S :: BT-22020.HTM

SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)
SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)
SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)

Hash: SHA1

[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- - SeaMonkey 1.1.18

Fixed in:
- - SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:

- --- 0.Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application suite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the SeaMonkey project continues to develop and deliver high-quality updates to this concept. Containing an Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools, SeaMonkey is sure to appeal to advanced users, web developers and corporate users.

- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ---
The main problem exist in dtoa implementation. SeaMonkey has the same dtoa as a KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and fix

has been used to patch SeaMonkey 2.0.

This flaw has been detected in may 2009 and signed SREASONRES:20090625.

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

We can create any number of float, which will overwrite the memory. In Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist array.

- --- 2. Proof of Concept  (PoC) ---

- -----------------------

- -----------------------

If we use SeaMonkey to  see this PoC, SeaMonkey will crash. For example

- -----------------------

- -----------------------

127# gdb seamonkey-bin seamonkey-bin.core
#0  0x28df0ecb in ?? ()
(gdb) i r
eax            0x0      0
ecx            0x2      2
edx            0xbfbfd2fc       -1077947652
ebx            0x28da9b6c       685415276
esp            0xbfbfd2ac       0xbfbfd2ac
ebp            0xbfbfd2c8       0xbfbfd2c8
esi            0xb      11
edi            0xb      11
eip            0x28df0ecb       0x28df0ecb

esi = esi = 11

- --- 3. SecurityReason Note ---

Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon

This list is not yet closed. US-CERT declared that will inform all vendors about this issue, however, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".
This fact ( new CVE number for Firefox Vulnerability )and PoC in javascript (from Secunia), forced us to official notification all other vendors. We publish all the individual advisories, to formally show all vulnerable software and to avoid wrong CVE number. We do not see any other way to fix this issue in all products.

Please note:
Patch used in Firefox 3.5.4 does not fully solve the problem. Dtoa algorithm is not optimal and allows remote Denial of Service in Firefox 3.5.5 giving long float number.

- --- 4. Fix ---
NetBSD fix (optimal):

OpenBSD fix:

- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from

- --- 6. Greets ---
Infospec p_e_a pi3

- --- 7. Contact ---
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com

- -
- -


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to