Bug 160552 - Flash / JavaScript interference crash, possibly Remote Code Execution
Status: RESOLVED WORKSFORME
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: unspecified
Platform: Ubuntu Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2008-04-08 08:57 UTC by Clemens Kolbitsch
Modified: 2009-09-14 10:00 UTC

Description Clemens Kolbitsch 2008-04-08 08:57:47 UTC
Version:           Konqueror 3.5.8 (using KDE 3.5.8)
Installed from:    Ubuntu Packages
OS:                Linux

When loading an HTML file containing flash and javascript (see attached below) and the default operation for flash is to show embedded, but ask beforehand to save file on disk, konqi crashes about 85% of the time.

On page load, the file is rendered but the question pops up asking whether to open or save the flash file. Regardless of hitting save, open, or cancel, the browser crashes.

At times, I have experienced the EIP jumping to arbitrary locations, so it might be possible to exploit this vulnerability!!!


GDB trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1235188032 (LWP 30215)]
0xb6ba9adf in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
(gdb) x/i $eip
0xb6ba9adf <_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+611>:
    mov    (%eax),%edx
(gdb) bt
#0  0xb6ba9adf in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3
#1  0xb6bab91f in QApplication::notify () from /usr/lib/libqt-mt.so.3
#2  0xb7382cd2 in KApplication::notify () from /usr/lib/libkdecore.so.4
#3  0xb6b3c209 in QApplication::sendEvent () from /usr/lib/libqt-mt.so.3
#4  0xb6b9c53b in QEventLoop::activateTimers () from /usr/lib/libqt-mt.so.3
#5  0xb6b50d49 in QEventLoop::processEvents () from /usr/lib/libqt-mt.so.3
#6  0xb6bc41ce in QEventLoop::enterLoop () from /usr/lib/libqt-mt.so.3
#7  0xb6bc3fde in QEventLoop::exec () from /usr/lib/libqt-mt.so.3
#8  0xb6bab699 in QApplication::exec () from /usr/lib/libqt-mt.so.3
#9  0xb7edb594 in kdemain () from /usr/lib/libkdeinit_konqueror.so
#10 0x080484b2 in ?? ()
#11 0x00000002 in ?? ()
#12 0xbf9110f4 in ?? ()
#13 0xbf911068 in ?? ()
#14 0x080484e9 in ?? ()
#15 0xb7f39800 in ?? () from /lib/ld-linux.so.2
#16 0xbf911070 in ?? ()
#17 0xbf9110c8 in ?? ()
#18 0xb7bd7050 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
Backtrace stopped: frame did not save the PC



EXAMPLE file:
<html>
	<head>
		<style type="text/css">
			td.right { }
		</style>
	</head>
	<body class="nonexisting">
		<!-- the iframe loads the junk SWF, which makes Konqueror pop up the open/save dialog -->
		<iframe id="framename" src="foo2.swf"></iframe>
		<link rel="stylesheet" type="text/css" href="nonexisting.css" />
		<script language="javascript" type="text/javascript">
			function mosDHTML() {
				// setter that rewrites the class attribute of the element with the given id
				this.foo = function(name) {
					document.getElementById(name).className = "foobar";
				}
				return this;
			}
			// change the iframe's class while the dialog for its SWF is still pending
			new mosDHTML().foo('framename');
		</script>
	</body>
</html>

for the flash file, it is sufficient to use perl:
$ perl -e "print 'A'x1000;" > foo2.swf
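A reproduction harness for the report above, added here as an example (it is not part of the bug report or of Konqueror). It writes the report's two files, runs Konqueror under gdb in batch mode, and sorts each crash by whether `$pc` still resolves to a known symbol: the trace above faults at a legitimate instruction (`mov (%eax),%edx` inside QApplication::internalNotify, so the pointer in %eax is bad, not the control flow), whereas the "EIP jumping to arbitrary locations" the reporter mentions would show up as `info symbol $pc` finding nothing. The harness only separates those two cases; it does not establish exploitability. Assumptions not taken from the report: `konqueror` and `gdb` are on PATH, `konqueror` accepts a `file://` URL as its first argument, the Flash "embed, but ask before saving" preference has already been set by hand (the crash needs that dialog), and each trial's dialog is answered by hand. The transcripts produced by `sample_log` are constructed, not real captures.

```sh
#!/bin/sh
# Reproduction harness for the Konqueror 3.5.8 Flash/JavaScript crash report.
# Added example, not from the report or from Konqueror. Assumptions (not from
# the report): konqueror and gdb on PATH, konqueror takes a file:// URL as its
# first argument, and the "embed, but ask before saving" Flash setting is set.

# Write the report's two files into a directory and print its path.
make_repro_dir() {
    dir="${1:-$(mktemp -d)}"
    mkdir -p "$dir"
    # Same junk "SWF" as the report's perl one-liner: 1000 'A' bytes.
    awk 'BEGIN { for (i = 0; i < 1000; i++) printf "A" }' > "$dir/foo2.swf"
    # The report's HTML, unchanged apart from indentation.
    cat > "$dir/index.html" <<'EOF'
<html>
  <head>
    <style type="text/css">
      td.right { }
    </style>
  </head>
  <body class="nonexisting">
    <iframe id="framename" src="foo2.swf"></iframe>
    <link rel="stylesheet" type="text/css" href="nonexisting.css" />
    <script language="javascript" type="text/javascript">
      function mosDHTML() {
        this.foo = function(name) {
          document.getElementById(name).className = "foobar";
        }
        return this;
      }
      new mosDHTML().foo('framename');
    </script>
  </body>
</html>
EOF
    printf '%s\n' "$dir"
}

# gdb command file: after the signal, record the faulting instruction, the
# registers it uses, and whether $pc lies at a known symbol at all.
write_gdb_script() {
    cat > "$1" <<'EOF'
set pagination off
set confirm off
run
x/i $pc
info registers eip eax
info symbol $pc
bt 12
kill
quit
EOF
    printf '%s\n' "$1"
}

# Classify one gdb transcript: "nocrash"; "crash" ($pc at a known symbol, as in
# the report's trace: a bad dereference at a legitimate instruction); or "wild"
# ($pc resolves to no symbol, which is what an overwritten return address or
# vtable pointer looks like and is the case worth a closer look).
classify_log() {
    if ! grep -q 'SIGSEGV' "$1"; then
        printf '%s\n' nocrash
    elif grep -q 'No symbol matches \$pc' "$1"; then
        printf '%s\n' wild
    else
        printf '%s\n' crash
    fi
}

# Constructed gdb transcripts (not real captures) so classify_log can be
# exercised without Konqueror; written to the file named by $2.
sample_log() {
    case "$1" in
        crash) printf '%s\n' \
            'Program received signal SIGSEGV, Segmentation fault.' \
            '0xb6ba9adf in QApplication::internalNotify () from /usr/lib/libqt-mt.so.3' \
            'QApplication::internalNotify(QObject*, QEvent*) + 611 in section .text of /usr/lib/libqt-mt.so.3' ;;
        wild)  printf '%s\n' \
            'Program received signal SIGSEGV, Segmentation fault.' \
            '0xbf911000 in ?? ()' \
            'No symbol matches $pc.' ;;
        *)     printf '%s\n' 'Program exited normally.' ;;
    esac > "$2"
}

# Launch Konqueror under gdb N times and tally the outcomes; each run needs the
# open/save dialog answered by hand. The report puts the crash rate near 85%,
# so a single run proves nothing either way.
run_trials() {
    dir="$1"; n="${2:-10}"
    script=$(write_gdb_script "$dir/gdb.cmds")
    crash=0; wild=0; i=0
    while [ "$i" -lt "$n" ]; do
        log="$dir/run-$i.log"
        gdb -batch -x "$script" --args konqueror "file://$dir/index.html" >"$log" 2>&1
        case "$(classify_log "$log")" in
            crash) crash=$((crash + 1)) ;;
            wild)  crash=$((crash + 1)); wild=$((wild + 1)) ;;
        esac
        i=$((i + 1))
    done
    printf 'crashes: %d/%d, of which $pc outside any known symbol: %d\n' "$crash" "$n" "$wild"
}

# Only start Konqueror when explicitly asked; defining the functions is harmless.
if [ "${RUN_KONQ_TRIALS:-0}" = 1 ]; then
    run_trials "$(make_repro_dir)" 20
fi
```

Run it as `RUN_KONQ_TRIALS=1 sh repro.sh` on the affected desktop and read the per-run logs; a run classified as "wild" is the one to keep, together with the `info registers` line, since the report's own trace (a fault at a real instruction in libqt-mt with a bad %eax) is the ordinary "crash" case.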
Comment 1 FiNeX 2008-04-11 23:55:25 UTC
Crash confirmed on 3.5.8
Comment 2 FiNeX 2009-09-14 10:00:14 UTC
This bug has been fixed on KDE 4.4 trunk.