Amaya web editor XML and HTML parser vulnerabilities


1. Advisory Information

Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33046, 33047
CVE Name: CVE-2009-0323

3. Vulnerability Description

Amaya is the W3C's Web editor/browser, a tool used to create and update documents directly on the Web.
Multiple stack buffer overflow vulnerabilities have been discovered in Amaya, which can be
exploited by unauthorized people using crafted web pages to compromise a user's system.

4. Vulnerable packages

  • Amaya 11.0 and previous versions.

5. Non-vulnerable packages

  • Amaya 11.1.

6. Vendor Information, Solutions and Workarounds

Patched versions should be downloadable from Amaya's web site [1].

7. Credits

These vulnerabilities were discovered and researched by Dan Crowley and Alfredo Ortega
from Core Security Technologies.

8. Technical Description / Proof of Concept Code

Multiple stack buffer overflow vulnerabilities have been discovered in the Amaya web editor/browser [1],
which can be exploited by unauthorized people using crafted web pages to compromise a user's system.

A boundary error when processing input HTML tags can be exploited to cause a
stack-based buffer overflow via an overly long type parameter (Bugtraq ID 33046).
Code analysis of the Amaya XHTML parser reveals multiple unchecked buffers declared on the stack, one of which
is used in the function EndOfXmlAttributeValue():

Xml2thot.c

3247	static void EndOfXmlAttributeValue (char *attrValue)
3248	
3249	{
3250	  AttributeType    attrType;
3251	  int            attrKind, val;
3252	  unsigned char    msgBuffer[MaxMsgLength];
3253

.
.
.
3265	      if (val <= 0)
3266	        {
3267	          sprintf ((char *)msgBuffer, 
3268	                   "Unknown attribute value \"%s\"", (char *)attrValue);
3269	          XmlParseError (errorParsing, (unsigned char *)msgBuffer, 0);   
3270	        }


We can see here that the sprintf call at line 3267 writes the error message into
msgBuffer whenever an attribute value is not recognized, but it never checks that
the formatted message fits in that buffer, so an attribute value longer than
about 170 characters overflows it.

The following page, consisting of a single HTML tag, is enough to trigger this vulnerability.
It overwrites the saved instruction pointer, causing the Amaya web editor to jump to
the address 0x41414141:

<input type="aBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBAAAA">


Other stack-based buffer overflows were discovered.

When EndOfStartGI() reads an HTML tag name, it correctly limits the length of the
variable theGI to the size of its buffer.

html2thot.c:

2506	/*----------------------------------------------------------------------
2507	  EndOfStartGI    An HTML GI has been read in a start tag.
2508	  ----------------------------------------------------------------------*/
2509	static void     EndOfStartGI (char c)
2510	{
2511	  char        theGI[MaxMsgLength];
.
.
.
2538	      strncpy ((char *)theGI, (char *)inputBuffer, MaxMsgLength - 1);
2539	      theGI[MaxMsgLength - 1] = EOS;
.
.
.
2596	        ProcessStartGI (theGI);

But when ProcessStartGI() is called, the error message built at line 2440 adds 50 extra
characters around the tag name while formatting it into another buffer of the same
MaxMsgLength size, so a stack-based buffer overflow will ensue (Bugtraq ID 33047):

2321	/*----------------------------------------------------------------------
2322	  ProcessStartGI  An HTML GI has been read in a start tag.
2323	  Create the corresponding Thot thing (element, attribute,
2324	  or character), according to the mapping table.
2325	  ----------------------------------------------------------------------*/
2326	static void ProcessStartGI (const char* GIname)
2327	{
2331	  char                msgBuffer[MaxMsgLength];

.
.
.

2436	          if (error)
2437	            /* element not allowed in the current structural context */
2438	            {
2439	              /* send an error message */
2440	              sprintf (msgBuffer,
2441	                       "Tag <%s> is not allowed here (removed when saving)",
2442	                       GIname);
2443	              HTMLParseError (HTMLcontext.doc, msgBuffer, 0);

This is not an exhaustive enumeration of the stack-based buffer overflows
that can be found in Amaya.
Remarkably, in the unpatched version, the files html2thot.c and xml2thot.c
contain many general-purpose buffers declared as

char msgBuffer[MaxMsgLength]

and the functions that fill them (strcpy, sprintf, etc.) generally do not check
the length of what they write against the size of the buffer.
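The unbounded sprintf pattern described above, and its bounded replacement, as an added example written for this page (it is not Amaya's code). The size arithmetic covers both messages quoted in the advisory: the "Unknown attribute value" message from EndOfXmlAttributeValue() and the "Tag <...> is not allowed here" message from ProcessStartGI(). MAX_MSG_LENGTH = 200 is an assumed value, since the advisory does not state MaxMsgLength; the function names, the prefix/suffix split of the messages and the 1000-byte sample value are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the advisory does not give Amaya's real MaxMsgLength. */
#define MAX_MSG_LENGTH 200

/* The two message shapes quoted in the advisory, split into the fixed text
 * that surrounds the attacker-controlled %s argument. */
static const char *ATTR_PREFIX = "Unknown attribute value \"";
static const char *ATTR_SUFFIX = "\"";
static const char *TAG_PREFIX  = "Tag <";
static const char *TAG_SUFFIX  = "> is not allowed here (removed when saving)";

/* Bytes an unbounded sprintf("<prefix>%s<suffix>") writes, NUL included. */
size_t sprintf_bytes_needed(const char *prefix, const char *value, const char *suffix)
{
    return strlen(prefix) + strlen(value) + strlen(suffix) + 1;
}

/* 1 if that unbounded write would run past a buffer of buf_size bytes. */
int message_overflows(size_t buf_size, const char *prefix, const char *value, const char *suffix)
{
    return sprintf_bytes_needed(prefix, value, suffix) > buf_size;
}

/* Audit helper: the longest value that still fits in buf_size bytes. */
size_t max_safe_value_len(size_t buf_size, const char *prefix, const char *suffix)
{
    size_t fixed = strlen(prefix) + strlen(suffix) + 1;  /* fixed text plus NUL */
    return buf_size > fixed ? buf_size - fixed : 0;
}

/* Hardened formatter: writes at most msg_size bytes, always NUL-terminates,
 * and reports truncation instead of silently overflowing.
 * Returns 1 if the whole message fit, 0 if it was truncated, -1 on error. */
int format_message_bounded(char *msg, size_t msg_size,
                           const char *prefix, const char *value, const char *suffix)
{
    int n;
    if (msg == NULL || msg_size == 0)
        return -1;
    n = snprintf(msg, msg_size, "%s%s%s", prefix, value, suffix);
    if (n < 0) {
        msg[0] = '\0';
        return -1;
    }
    return (size_t)n < msg_size ? 1 : 0;
}

int main(void)
{
    char msg[MAX_MSG_LENGTH];
    /* Constructed input: a 1000-byte attribute value, far beyond the buffer. */
    char *value = malloc(1001);
    if (value == NULL)
        return 1;
    memset(value, 'A', 1000);
    value[1000] = '\0';

    printf("longest safe attribute value: %zu bytes\n",
           max_safe_value_len(sizeof msg, ATTR_PREFIX, ATTR_SUFFIX));
    printf("longest safe tag name: %zu bytes\n",
           max_safe_value_len(sizeof msg, TAG_PREFIX, TAG_SUFFIX));
    printf("unbounded sprintf would overflow: %s\n",
           message_overflows(sizeof msg, ATTR_PREFIX, value, ATTR_SUFFIX) ? "yes" : "no");

    int r = format_message_bounded(msg, sizeof msg, ATTR_PREFIX, value, ATTR_SUFFIX);
    printf("bounded formatter: result=%d, stored length=%zu\n", r, strlen(msg));

    free(value);
    return 0;
}
```

With the assumed 200-byte buffer the attribute message leaves 173 bytes for the value, which is consistent with the "about 170 characters" threshold the advisory reports, and the tag message leaves 151; the bounded formatter stores at most 199 bytes plus the terminator and returns 0 so the caller can log the truncation.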

9. Report Timeline

  • 2008-12-18:
    Core notifies the vendor of the vulnerability.
  • 2008-12-19:
    Vendor requests information about versions tested.
  • 2008-12-19:
    Core notifies the vendor that the vulnerability was tested on Amaya 11.0 and 10.0 (Windows XP).
  • 2008-12-29:
    Core offers to send the advisory draft to the vendor and offers to negotiate the publication date.
  • 2009-01-08:
    Core sends the advisory draft to the vendor.
  • 2009-01-09:
    Vendor informs that the bugs were fixed in the CVS version and will be included in version 11.1 by the end of January.
  • 2009-01-12:
    Core requests a more precise date.
  • 2009-01-14:
    Vendor suggests publishing the advisory on January 28th, at the same time as the release of Amaya 11.1.
  • 2009-01-14:
    Core confirms to the vendor that advisory CORE-2008-1211 will be published on January 28th.
  • 2009-01-28:
    Core publishes advisory CORE-2008-1211.

10. References

[1] Amaya Homepage: http://www.w3.org/Amaya

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious
organizations worldwide develop and maintain a proactive process for
securing their networks. The company's flagship product, CORE IMPACT, is
the most comprehensive product for performing enterprise security
assurance testing. CORE IMPACT evaluates network, endpoint and end-user
vulnerabilities and identifies what resources are exposed. It enables
organizations to determine if current security investments are detecting
and preventing attacks. Core Security Technologies augments its leading technology solution
with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos
Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web
at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and
(c) 2009 CoreLabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories
team, which is available for download at
/legacy/files/attachments/core_security_advisories.asc.
