SecurityTracker.com

Category:   Application (Web Browser)  >   K-Meleon
Vendors:   kmeleon.sourceforge.net
K-Meleon Error in Processing Empty Javascript Functions Lets Remote Users Deny Service
SecurityTracker Alert ID:  1014372
SecurityTracker URL:  http://securitytracker.com/id/1014372
CVE Reference:   CVE-2005-2114
Updated:  Jul 6 2008
Original Entry Date:  Jul 4 2005
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.9
Description:   Juha-Matti Laurio reported a vulnerability in K-Meleon. A remote user can cause the browser to crash.

A remote user can create specially crafted Javascript that, when loaded by the target user, will cause the target user's browser to crash. The code can repeatedly call an empty function to trigger the flaw.

A demonstration exploit is available at:

http://www.kurczaba.com/html/security/0506241_poc.htm

The vendor was notified on July 3, 2005.

This type of vulnerability was originally discovered by Paul Kurczaba, reported as affecting Mozilla products.

Impact:   A remote user can cause the target user's browser to crash.
Solution:   No solution was available at the time of this entry.

As a workaround, Javascript can be disabled.

Vendor URL:  kmeleon.sourceforge.net/
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  New K-Meleon Browser JavaScript Function Denial of Service


- Description:
The newest K-Meleon Browser version 0.9 is confirmed as affected by a new 
remote type JavaScript Function Denial of Service Vulnerability, aka 
Mozilla Multiple Product JavaScript Issue. Tests were done with 
Kurczaba.com PoC (Proof of Concept) test pages located at
http://www.kurczaba.com/html/security/0506241.htm  (Manual and Automatic).
This can possibly be exploited by constructing a malicious Web page. If 
an attacker has ways to persuade a user to visit this Web site, this can 
be used to crash the user's browser. After the crash the browser will 
finally quit.
Some user interaction is needed for the vulnerability to take effect when 
discussing PoC issue #1.

- Result:
Issue #1: http://www.kurczaba.com/html/security/0506241_poc.htm
(Manual PoC)

Button "Go" was clicked.

Browser crashed with the following information-like dialog box:

"K-Meleon Web Browser
K-Meleon Web Browser has encountered a problem and needs to close. We 
are sorry for the inconvenience. For more information about this error, 
[click here].

[Close]"

Only the 'Close' button was available. After clicking the 'Close' button, 
K-Meleon Browser quit.


Issue #2: http://www.kurczaba.com/html/security/0506241_poc2.htm
(Automatic PoC)

The browser crashed without any visual effect and/or warning after a delay 
of a few seconds. This delay was noticed after the PoC page counter had 
reached the "..will crash in '1' seconds" state.
Additionally, CPU usage was at the 100% level.

- Technical details:
The menu setting Edit / Preferences / General / Enhancements: Enable 
JavaScript was enabled (default setting).
The DoS condition and browser crash happened due to the special JavaScript 
code used at the PoC pages mentioned earlier.

From the vendor:
"K-Meleon - The Browser You Control. K-Meleon is an extremely fast, 
customizable, lightweight web browser for the win32 (Windows) platform 
based on the Gecko layout engine (the rendering engine of Mozilla). 
K-Meleon is free, open source software released under the GNU General 
Public License. Powered by the same Gecko engine as the Firefox and 
Mozilla browsers, K-Meleon provides users with a secure browsing 
experience."

- Solution status:
No solution was available at the time of reporting.

- Software:
K-Meleon Browser 0.x
(free for downloading)

- Affected versions:
The vulnerability has been reported in version 0.9. Other versions may 
also be affected. The user agent string used was Mozilla/5.0 
(Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220 
K-Meleon/0.9.

- Vendor:
K-Meleon Project

Vendor Home Page:
http://kmeleon.sourceforge.net/

Product Home Page:
http://kmeleon.sourceforge.net/

Project Home Page:
http://sourceforge.net/projects/kmeleon

OS: Microsoft Windows

CVE reference: N/A
However, a CVE candidate describing other Gecko-based browsers is assigned 
as CAN-2005-2114;
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2114 .

- Solution:
Disable JavaScript support.

Instructions:
Disable selection from Edit / Preferences / General / Enhancements: 
Enable JavaScript or via
Tools / Privacy / 'Block' function.

It is possible to check manually that JavaScript support is disabled, 
e.g. with the JavaScript test page used by the researcher:
http://gemal.dk/browserspy/js.html

Results:
"Generic JavaScript support: Yes
JavaScript version 1.1 .. 2.0: Supported
External JavaScript support: Supported"

If this is not possible:
Do not browse untrusted web sites or click untrusted links in e-mail messages.


The vendor was contacted on 3rd July, 2005. Workaround and JavaScript level 
test results were included in the report.

This vulnerability was earlier researched in the following Mozilla 
products: (Mozilla) Firefox, Mozilla (Suite) and Camino by Paul 
Kurczaba. I have confirmed and reported this issue earlier in Netscape 
Browser 8.0.2.

References:
Kurczaba Associates Security Advisories > Mozilla Multiple Product 
JavaScript Issue [KA Advisory 0506241]
http://www.kurczaba.com/html/security/0506241.htm

From the advisory:
"Vulnerability/Exploit:

By using a specially crafted JavaScript function, it is possible to 
crash the above named browsers. The script can be executed both with and 
without user intervention."

Timeline:
28-06-2005 - Vulnerability researched and confirmed
03-07-2005 - Vendor contacted
04-07-2005 - Detailed JavaScript support test and workaround instruction 
writing done
04-07-2005 - Security companies and several CERT units contacted


Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi
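
The workaround above (disable JavaScript, then confirm it is off) can also be checked offline against the profile's preference files; the script below is an added example, not part of the advisory or the K-Meleon project. It assumes that K-Meleon stores the setting as the standard Gecko pref `javascript.enabled` in a Gecko-format `prefs.js`, and that an optional `user.js` in the same profile overrides it; the profile location is not given on this page, so the file paths are passed as arguments, and the sample file contents are constructed.

```python
import re
import sys

# One Gecko pref line, e.g.  user_pref("javascript.enabled", false);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; later lines win."""
    # Remove /* ... */ blocks so prefs quoted inside comments are not counted.
    # Lines starting with // or # never match PREF_RE, which is line-anchored.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def javascript_enabled(prefs_js, user_js=""):
    """Effective javascript.enabled: default true, prefs.js, then user.js."""
    effective = {"javascript.enabled": True}  # enabled by default, per the report
    for source in (prefs_js, user_js):        # assumption: user.js overrides prefs.js
        effective.update(parse_prefs(source))
    # Anything other than an explicit boolean false leaves scripts running.
    return effective["javascript.enabled"] is not False

# Constructed sample files (not taken from a real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file.
 * user_pref("javascript.enabled", true);   (inside a comment: ignored)
 */
user_pref("browser.startup.homepage", "http://example.org/");
user_pref("javascript.enabled", false);
'''
SAMPLE_USER_JS = '''// user_pref("javascript.enabled", false);
user_pref("javascript.enabled", true);
'''

if __name__ == "__main__":
    # Usage: python check_js_pref.py <prefs.js> [user.js]; no arguments runs the samples.
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:3]]
    if not texts:
        texts = [SAMPLE_PREFS_JS, SAMPLE_USER_JS]
    state = "ENABLED (workaround not in effect)" if javascript_enabled(*texts) else "disabled"
    print("javascript.enabled is", state)
```

The second sample shows the case worth checking for: a `user.js` that turns the pref back on after it was disabled in `prefs.js`.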
 
 

