Array Index Error in libc Implementations Affecting Multiple Operating Systems and Software
CVE-2009-0689

Currently unrated

Key Information:

Vendor

FreeBSD

Status
FreeBSD
Firefox
Seamonkey
Netbsd
Vendor
CVE Published:
1 July 2009

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 42%

What is CVE-2009-0689?

The vulnerability in the libc implementations arises from an array index error in the dtoa functions found in both dtoa.c and gdtoa/misc.c files. This issue impacts various operating systems including FreeBSD, NetBSD, and OpenBSD, along with several software applications such as Mozilla Firefox, K-Meleon, and SeaMonkey. It allows context-dependent attackers to exploit the printf function by supplying a large precision value, potentially leading to a denial of service by causing an application crash. Additionally, this exploitation may enable arbitrary code execution through incorrect memory allocation and subsequent heap-based buffer overflow during the conversion to floating-point numbers.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

str2hax
Created by Fullmetal5

References

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gd...
x_refsource_CONFIRM
http://secunia.com/secunia_research/2009-35/
x_refsource_MISC
https://bugzilla.mozilla.org/show_bug.cgi?id=516862
x_refsource_CONFIRM

EPSS Score

42% chance of being exploited in the next 30 days.

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.