<<< Date Index >>>     <<< Thread Index >>>

CORE-2008-1211: Amaya web editor XML and HTML parser vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

Amaya web editor XML and HTML parser vulnerabilities



1. *Advisory Information*

Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33046, 33047
CVE Name: N/A


3. *Vulnerability Description*

Amaya is the W3C's Web editor/browser, a tool used to create and update
documents directly on the Web. Multiple stack buffer overflow
vulnerabilities have been discovered in Amaya, which can be exploited by
unauthorized people using crafted web pages to compromise a user's system.


4. *Vulnerable packages*

   . Amaya 11.0 and previous versions.


5. *Non-vulnerable packages*

   . Amaya 11.1.


6. *Vendor Information, Solutions and Workarounds*

Patched versions should be downloadable from Amaya's web site [1].


7. *Credits*

These vulnerabilities were discovered and researched by Dan Crowley and
Alfredo Ortega from Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple stack buffer overflow vulnerabilities have been discovered in
Amaya web editor/browser [1], which can be exploited by unauthorized
people using crafted web pages to compromise a user's system.

A boundary error when processing 'input' HTML tags can be exploited to
cause a stack-based buffer overflow via an overly long 'type' parameter
(Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals
multiple unchecked buffers declared on the stack, one of which is used
in the function 'EndOfXmlAttributeValue()':

/-----------

Xml2thot.c

3247    static void EndOfXmlAttributeValue (char *attrValue)
3248
3249    {
3250      AttributeType    attrType;
3251      int            attrKind, val;
3252      unsigned char    msgBuffer[MaxMsgLength];
3253

.
.
.
3265          if (val <= 0)
3266            {
3267              sprintf ((char *)msgBuffer,
3268                       "Unknown attribute value \"%s\"", (char
*)attrValue);
3269              XmlParseError (errorParsing, (unsigned char *)msgBuffer,
0);
3270        }


- -----------/



We can see here that the 'sprintf' function at line 3267 will write on
the buffer 'msgBuffer' if there is an error, but it will never check
that the error message fits the length of that buffer, so if the
attribute exceeds a length of about 170 characters, a buffer overflow
will ensue.

The following page consisting of a single HTML tag is enough to trigger
this vulnerability. This code will control the instruction pointer,
causing the Amaya web editor program to jump to the address '0x41414141':

/-----------

<input
type="aBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBAAAA">

- -----------/



Other stack-based buffer overflows were discovered.

When reading the HTML in function 'EndOfStartGI()', the length of the
variable 'theGI' is correctly limited to the buffer length.

/-----------

html2toth.c:

2506
/*----------------------------------------------------------------------
2507      EndOfStartGI    An HTML GI has been read in a start tag.
2508
- ----------------------------------------------------------------------*/
2509    static void     EndOfStartGI (char c)
2510    {
2511      char        theGI[MaxMsgLength];
.
.
.
2538          strncpy ((char *)theGI, (char *)inputBuffer, MaxMsgLength - 1);
2539          theGI[MaxMsgLength - 1] = EOS
.
.
.
2596            ProcessStartGI (theGI);

- -----------/

 But when calling 'ProcessStartGI()', an error message will add 50 extra
characters to this variable (line 2440), and a stack-based buffer
overflow will ensue (Bugtraq ID 33047):

/-----------

2321
/*----------------------------------------------------------------------
2322      ProcessStartGI  An HTML GI has been read in a start tag.
2323      Create the corresponding Thot thing (element, attribute,
2324      or character), according to the mapping table.
2325
- ----------------------------------------------------------------------*/
2326    static void ProcessStartGI (const char* GIname)
2327    {
2331      char                msgBuffer[MaxMsgLength];

.
.
.

2436              if (error)
2437                /* element not allowed in the current structural context */
2438                {
2439                  /* send an error message */
2440                  sprintf (msgBuffer,
2441                           "Tag <%s> is not allowed here (removed when
saving)",
2442                           GIname);
2443                  HTMLParseError (HTMLcontext.doc, msgBuffer, 0);


- -----------/

 This is not an exhaustive enumeration of the stack-based buffer
overflows that can be found in Amaya. Remarkably, in the unpatched
version, files 'html2thot.c' and 'xml2thot.c' contain many general
purpose buffers defined as

/-----------

char msgBuffer[MaxMsgLength]
- -----------/

 and the length of buffers is generally not checked in the functions
using them (i.e. 'strcpy', 'sprintf', etcetera).


9. *Report Timeline*

. 2008-12-18: Core notifies the vendor of the vulnerability.
. 2008-12-19: Vendor requests information about versions tested.
. 2008-12-19: Core notifies the vendor that the vulnerability was tested
on Amaya 11.0 and 10.0 (Windows XP).
. 2008-12-29: Core offers to send the advisory draft to the vendor and
offers to negotiate the publication date.
. 2009-01-08: Core sends the advisory draft to the vendor.
. 2009-01-09: Vendor informs that the bugs were fixed in the CVS version
and will be included in version 11.1 by the end of January.
. 2009-01-12: Core requests a more precise date.
. 2009-01-14: Vendor suggest to publish the advisory on January 28th at
the same time of release of Amaya 11.1.
. 2009-01-14: Core confirms the vendor that advisory CORE-2008-1211 will
be published on January 28th.
. 2009-01-28: Core publishes advisory CORE-2008-1211.


10. *References*

[1] Amaya Homepage http://www.w3.org/Amaya


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJgKLpyNibggitWa0RAmNOAKCT1Mxhe8VysinqBnwAtbuuhAaedgCeOWL6
DWuJPZIBvcK5lINLAJ2ylR8=
=X9Dw
-----END PGP SIGNATURE-----