One bug to rule them all - IE, Firefox, Safari, Opera, Konqueror,Seamonkey, Wii, PS3, iPhone, iPod,

One bug to rule them all - IE, Firefox, Safari, Opera, Konqueror,
Seamonkey, Wii, PS3, iPhone, iPod, Nokia, Siemens.... and more.

Reference : [GSEC-TZO-26-2009] - One bug to rule them all
CVE : CVE-2009-1692 (created by Apple, this bug has same root cause)
Credit: Thierry Zoller

Affected products :
Internet Explorer 5, 6, 7, 8 (all versions)
Chrome (limited)
Opera
Seamonkey
Midbrowser
Netscape 6 & 8 (9 years ago)
Konqueror (all versions)
Apple iPhone + iPod
Apple Safari
Thunderbird
Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810
Internet Tablet
Aigo P8860 (Browser hangs and cannot be restarted)
Siemens phones
Google T-Mobile G1 TC4-RC30
Ubuntu (Operating system sometimes reboots, memory management failure)
possibly more devices and products that support Javascript,

Patch availability :
Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19
https://bugzilla.mozilla.org/show_bug.cgi?id=460713
Thunderbird (unknown)
IE : No fix for IE5,IE6,IE7,IE8 until IE9
Konqueror : unknown (did not respond)
Apple iPhone&iPod : patched
Nokia : unknown, opened a case but never came back
Aigo P8860 : unknown
Siemens : unknown
Chrome : unknown, but patch not really required (only tab is affected)
Webkit : fixed in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319
Opera : after version 9.64
Others ? Find out by visiting the POC at
http://crashthisthing.com/select.html

I. Background
Quoting Wikipedia "ECMAScript is a scripting language, standardized by
Ecma International in the ECMA-262 specification and ISO/IEC 16262. The
language is widely used on the web, especially in the form of its three
best-known dialects, JavaScript, ActionScript, and JScript."

II. Description
Calling the select() method with a large integer, results in continuous
allocation of x+n bytes of memory exhausting memory after a while.

The impact varies from null pointer dereference (no more memory,hence
crashing the browser) to the reboot of the complete Operation System
(Konqueror&Ubuntu).

There had never been a limit specified as to how many html elements the
select call should handle, after the report of this Bug, vendors
apparently agreed to a limit of 10.000 elements : "Talked to some Apple
and Opera guys at the WHATWG social, and we decided this was a good number"

III. Impact
The impact varies from browser to browser and sometimes from OS to OS

Konqueror (Ubuntu)- allocates 2GB of memory then either crashes the
Browser or (most often) the OS reboots. Ubuntu's memory management
system is configured as to NOT stop the process that consumes too much
memory, but a random process. This sometimes leads to processes that are
vital for the OS to be killed, hence the reboot. I am not kidding.
Thanks to 'FX' for the memory management hint.

Chrome : allocates 2GB of memory then crashes tab with a null pointer

Firefox : allocates 2GB of memory then the Browser crashes

IE5,6,7,8 : allocates 2GB of memory then the Browser crashes

Opera : Allocated and commits as much memory as available, will not
crash but other applications will become unstable
Nintento WII (Opera) : Console hangs, needs hard reset
Video:

Sony PS3 - Console hangs, needs hard reset
Video:

iPhone - iPhone hangs and needs hard reset
Video:

Aigo P8860 (Browser hangs and cannot be restarted)

V. Disclosure timeline
Nothing particular to note.

http://www.g-sec.lu/one-bug-to-rule-them-all.html

IV? POC

Thanks to SBS Diva and MS MVP Susan Bradley for the above.
Published Wed, Jul 15 2009 20:45 by donna

http://msmvps.com/blogs/donna/default.aspx

 

That's an impressive coverage of newsgroups across servers that you
managed to post to in a short period of time!

Alan.