what you don't know can hurt you

Konqueror 4.7.3 Memory Corruption

Konqueror 4.7.3 Memory Corruption
Posted Oct 31, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

Konqueror version 4.7.3 suffers from a number of memory corruption vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2012-4512, CVE-2012-4513, CVE-2012-4514, CVE-2012-4515
SHA-256 | e553338547e8f9516a41ca14cb1fb5ac3c1728638db05b0a8e2505e5ba2cfb72

Konqueror 4.7.3 Memory Corruption

Change Mirror Download
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121010)
Date: 10th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Konqueror 4.7.3 <http://konqueror.kde.org/>
Vendor: KDE <http://www.kde.org/>
Risk: Medium


The Konqueror web browser is vulnerable to a number of memory corruption

This advisory comes in 4 related parts:

1) The Konqueror web browser is vulnerable to type confusion leading to memory
disclosure. The root cause of this is the same as CVE-2010-0046 reported by
Chris Rohlf which affected WebKit.

2) The Konqueror web browser is vulnerable to an out of bounds memory access
when accessing the canvas. In this case the vulnerability was identified whilst
playing with bug #43813 from Google's Chrome repository.

3) The Konqueror web browser is vulnerable to a NULL pointer dereference leading
to a crash.

4) The Konqueror web browser is vulnerable to a "use-after-free" class flaw when
the context menu is used whilst the document DOM is being changed from within

These flaws were identified during an analysis of previously reported
vulnerabilities that affected Google's Chrome web browser. It is believed that
only vulnerability 1 is/was common to the two code bases.

After discussions with the vendor, the following CVEs were assigned to these

1) CVE-2012-4512
2) CVE-2012-4513
3) CVE-2012-4514
4) CVE-2012-4515


Nth Dimension recommends that the vendor supplied patches should be applied:

1) a872c8a969a8bd3706253d6ba24088e4f07f3352
2) 1f8b1b034ccf1713a5d123a4c327290f86d17d53
3) 65464349951e0df9b5d80c2eb3cc7458d54923ae
4) 4f2eb356f1c23444fff2cfe0a7ae10efe303d6d8

Technical Details

1) Chris's blog post
(http://em386.blogspot.com/2010/12/webkit-css-type-confusion.html) nicely
describes this vulnerability.

It is worth noting that due to an overlap in bugs, our pre-advisory confused
CVE-2010-4577 and CVE-2010-0046. Red Hat's bug entry for CVE-2010-4577
references the local() CSS function, whilst their bug entry for CVE-2010-0046
references the format() function (on very similar code paths). In the case of
Konqueror, due to a slight reordering in calls, one patch (for CVE-2012-4512)
actually fixes both the format() and local() issue.

2) There was a sign-extension in calculating the dimensions of the canvas within
scaleLoop , which lead to a miscalculated jump. According to KDE, in the case of
64-bit systems this appeared only to allow a crash to be triggered however on
32-bit systems it could lead to memory disclosure.

The following PoC can trigger the crash on vulnerable versions of Konqueror:

<canvas id="tutorial"></canvas>
<script type="text/javascript">
var canvas = document.getElementById("tutorial");
if (canvas.getContext) {
var ctx = canvas.getContext("2d");
canvas.width = 111111;

It is worth noting that unlike vulnerability 2, the code here is not shared
between WebKit and Konqueror.

3) Unfortunely I no longer have the stack trace for this crash however it can be
triggered on vulnerable versions of Konqueror using the following PoC:

<iframe name="test" src="http://www.google.co.uk"></iframe>
<input type=button value="test"
onclick="window.open('javascript:alert(document.cookie)','test')" >

4) By accessing the context menu for a given iframe whilst the iframe is being
updated by the parent can lead to attempts to access no- onger existing objects.
This may lead to a crash, or potentially code execution, depending on the state
of the process at the point the no-longer existing object is accessed.

The following PoC can trigger the crash on vulnerable versions of Konqueror:

setInterval(function () {
document.body.innerHTML = "<iframe src=about:konqueror></iframe>";
}, 300);


On 27th July 2011, Nth Dimension contacted the KDE security team to report
vulnerability 1.

On 7th November 2011, Than Ngo of Red Hat re-reports the vulnerability 1 and
Maksim Orlovich from KDE responds confirming that they have received the report
and it had been escalated to Maksim Orlovich, a KDE developer working on KHTML
to determine the impact. A proposed patch is made available on 13th November

Nth Dimension continue to examine bugs in WebKit that have been reported to
Google and on 1st November 2011 report vulnerability 2. Maksim responds quickly
but only to confirm receipt. There are apparently issues in reproducing
vulnerability 2. Maksim further responds on the 6th confirming that he now has
it working and has identified the root cause.

On 2nd February 2012, Jeff Mitchell of the KDE security team requests details of
the patches in order to make the vulnerability details public. Maksim responds
that wires were crossed and he was waiting on KDE security team and Nth
Dimension. Patch details as above are then supplied,

On 16th February 2012, Nth Dimension report vulnerabilities 3 and 4. The KDE
security team propose rolling all 4 bugs into 1 advisory assuming that the final
2 vulnerabilities can quickly be triaged. Maksim responds on the 20th
confirming he has them reproduced and offering possible fixes.

Between February and October, Nth Dimension hear no further updates despite
chasing the KDE security team in June.

Nth Dimension proceed to post limited details to oss-security on 10th October

Following this, representatives from Red Hat and KDE liased with Nth Dimension
to resolve the oustanding issues. Further patches were supplied by David Faure
of KDE and tested by Jan Lieskovskyi and other members of the Red Hat security
team. On 26th October 2012 an embargo was agreed to allow Nth Dimension and Red
Hat further time to review the supplied patch for vulnerability 4. KDE will
commit the proposed patch allowing disclosure on, or shortly after 29th October


As of the 30th October 2012, the state of the vulnerabilities is believed to be
as follows. Patches have been applied to Konqueror which resolve all


Nth Dimension would like to thank Jeff Mitchell, Maksim Orlovich and David Faure
of KDE as well as Jan Lieskovskyi, Vincent Danen, Kurt Seifried of the Red Hat
security team for the way they worked to resolve the issues.
Version: GnuPG v1.4.12 (GNU/Linux)

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By