The Recurity Lablog

Every serious business office on earth needs a FAX machine. Why I have to have a special hardware that's nothing else than a 14400 baud modem, scanner, printer, ISDN and TIFF conversion software in one box still escapes me. However, FAX machines definitively crash not as often as servers, especially FAX servers.

Since Recurity Labs is a small company, we have a small FAX machine. It is one of those that work with thermo paper on a roll, a so-called thermo transfer ribbon. And since Recurity Labs has some significant dealings with layers lately, and lawyers love FAX, our FAX machine complained that the ribbon was used up. So we got a new one.

Being a good German and always caring about waste separation, I wondered about what to do with the old ribbon when I took it out. The regular lists of things to separate don't contain thermo transfer ribbons, so I inspected the foil to see if it would potentially qualify as plastic. To my mild surprise, I found negative copies of all the papers that were faxed to us during the time of use. The quality of what's left on the ribbon after the thermo transfer is impressive, very high definition, almost like film.

Now I wonder how many secretaries, legal departments, accounting departments and everyone else with the need for a separate desktop FAX machine (confidentiality, you know) discard used ribbons, either environmentally correctly or not, without a second thought about the content. We decided to just keep them around in a safe place and call them backups.

or why you don't need a fuzzer when you got web developers.

This is just one of these security related stories that are so funny, they must be shared. While working on site at a customer, the person maintaining the inline Snort IPS mentioned that he had to disable a rule due to complains from people. Apparently, the rule was preventing the CNN.com website to work correctly. For eye candy, here is the rule:

(msg:"WEB-CLIENT PCRE character class double free overflow attempt";
flow:to_client,established; content:"RegExp"; nocase; content:"[[";
content:"]"; distance:1;
pcre:"/(\w+)\s*=\s*('|")[^\2]*\[\[[^\2]*\][^\2]*\2\s*\;.*new\s+RegExp\s*\(\s*\1|new\s+RegExp\(('|")[^\3]*\[\[[^\3]*\]/smi";
reference:bugtraq,25002; reference:cve,2007-3944;
reference:url,docs.info.apple.com/article.html?artnum=306174;
classtype:attempted-user; sid:12286; rev:1;)

Since time and resources are precious, the rule got disabled and everyone was happy. I have to admit that I didn't really think anything of it, except that the rule might be somehow too broadly matching and therefore would eat legitimate JavaScript code. That is, until I surfed Fefe's blog a few days ago using my Nokia E70 phone and clicked on a link to CNN.com. After my phone tried to load the page for a while, the browser crashed. I remembered the episode with the Snort rule and also suddenly realized that my phone's browser is actually using the Apple WebKit, as does Safari.

I read up on the specific vulnerability ( http://www.securityevaluators.com/iphone/bh07.pdf) and went back to the CNN.com website, only to find that the included file main.js contains:

var htmlRegEx = new RegExp('[\w*|\W*]*<[[\w*|\W*]*|/[\w*|\W*]]>[ \w*|\W*]*');

This looks suspiciously like what is described on Charles Miller's slides mentioned above, namely: "A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error "Failed: internal error: code overflow" or in some cases to crash with a glibc free() error."

Although I didn't verify to all ends that this is what is crashing by phone's browser, I assume it is.

Dear Nokia, if I had wanted a vulnerable, DRM infested future malware platform in my pocket, I had bought an f***ing iPhone in the first place!

Thanks to K.S. for pointing out the Snort rule issue to me!

Update: People report that the iPhone works fine (now?) with CNN.com and I tested the iPod Touch myself (thanks iUte). So where is the Nokia update and security advisory?