-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 --------------------------------------------------- | BuHa Security-Advisory #11 | Apr 12th, 2006 | --------------------------------------------------- | Vendor | W3C's Amaya | | URL | http://www.w3.org/Amaya/ | | Version | <= 9.4 | | Risk | Critical (Remote Code Execution) | --------------------------------------------------- o Description: ============= The current releases, Amaya 9.5, is available for Linux, Windows and now MacOS X (see screenshot). It supports HTML 4.01, XHTML 1.0, XHTML Basic, XHTML 1.1, HTTP 1.1, MathML 2.0, many CSS 2 features, and includes SVG support (transformation, transparency, and SMIL animation). See the "Amaya Overview" page [1] for more details. o Stack overflow: ================ The following code snippet forces Amaya 9.4 to crash: eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000 edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0 cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206 00516114 56 push esi 00516115 57 push edi 00516116 33ff xor edi,edi 00516118 33f6 xor esi,esi 0051611a 3bcf cmp ecx,edi 0051611c 893d943df101 mov [amaya+0x1b13d94 (01f13d94)],edi 00516122 7511 jnz amaya+0x116135 (00516135) 00516124 6a0a push 0xa 00516126 e825d80500 call amaya+0x173950 (00573950) 0051612b 83c404 add esp,0x4 0051612e 8bd7 mov edx,edi 00516130 8bc6 mov eax,esi 00516132 5f pop edi 00516133 5e pop esi 00516134 c3 ret FAULT ->00516135 8b4134 mov eax,[ecx+0x34] ds:0023:41414175=???????? 00516138 3bc7 cmp eax,edi 0051613a 74f2 jz amaya+0x11612e (0051612e) 0051613c 8b4938 mov ecx,[ecx+0x38] 0051613f 5f pop edi 00516140 8bd1 mov edx,ecx 00516142 5e pop esi 00516143 c3 ret Nopslide.. are able to control the EIP: > eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a > edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0 > cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 > > Funktion: > No prior disassembly possible > 42424242 ?? ??? > 42424244 ?? ??? > 42424246 ?? ??? > 42424248 ?? ??? > 4242424a ?? ??? > 4242424c ?? ??? Online-demo: http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html In fact, sucessful exploitation of this vulnerability is not that easy because non-text characters were modfified during parsing therefore you have to find a place where to place the shellcode. Naturally you have to avoid null bytes too because Amaya would stop parsing the attribute value and the overflow would not get triggered. o Disclosure Timeline: ===================== 21 Dec 05 - Vulnerability discovered. 21 Feb 06 - Vendor contacted. 23 Feb 06 - Vendor confirmed vulnerability. 08 Mar 06 - Vendor fixed vulnerability. 12 Apr 06 - Public release. o Solution: ========== Upgrade to the latest version of Amaya. [2] o Credits: ========= Thomas Waldegger BuHa-Security Community - http://buha.info/board/ If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam address than a regular mail address therefore it's possible that some mails get ignored. Please use the contact details at http://morph3us.org/ to contact me. Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all members of BuHa. Advisory online: http://morph3us.org/advisories/20060412-amaya-94-2.txt [1] http://www.w3.org/Amaya/Amaya.html [2] http://www.w3.org/Amaya/User/BinDist.html -----BEGIN PGP SIGNATURE----- Version: n/a Comment: http://morph3us.org/ iD8DBQFEPYDPkCo6/ctnOpYRA+b0AJ0S4sWE2UE0WjMrFBeRKwmWWd9oIwCfSWdX MW1HldAZyLYolnZ8k/jA/Vw= =PeiV -----END PGP SIGNATURE-----