Amaya web editor XML and HTML parser vulnerabilities

Advisory ID Internal
CORE-2008-1211

1. Advisory Information

Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33046, 33047
CVE Name: CVE-2009-0323

3. Vulnerability Description

Amaya is the W3C's Web editor/browser, a tool used to create and update documents directly on the Web. Multiple stack buffer overflow vulnerabilities have been discovered in Amaya, which can be exploited by unauthorized people using crafted web pages to compromise a user's system.

4. Vulnerable packages

  • Amaya 11.0 and previous versions.

5. Non-vulnerable packages

  • Amaya 11.1.

6. Vendor Information, Solutions and Workarounds

Patched versions should be downloadable from Amaya's web site [1].

7. Credits

These vulnerabilities were discovered and researched by Dan Crowley and Alfredo Ortega from Core Security Technologies.

8. Technical Description / Proof of Concept Code

Multiple stack buffer overflow vulnerabilities have been discovered in Amaya web editor/browser [1], which can be exploited by unauthorized people using crafted web pages to compromise a user's system.

A boundary error when processing input HTML tags can be exploited to cause a stack-based buffer overflow via an overly long type parameter (Bugtraq ID 33046). Code analysis of the Amaya XHTML parser reveals multiple unchecked buffers declared on the stack, one of which is used in the function EndOfXmlAttributeValue():

Xml2thot.c 3247 static void EndOfXmlAttributeValue (char *attrValue) 3248 3249 { 3250 AttributeType attrType; 3251 int attrKind, val; 3252 unsigned char msgBuffer[MaxMsgLength]; 3253 . . . 3265 if (val <= 0) 3266 { 3267 sprintf ((char *)msgBuffer, 3268 "Unknown attribute value \"%s\"", (char *)attrValue); 3269 XmlParseError (errorParsing, (unsigned char *)msgBuffer, 0); 3270 }


We can see here that the sprintf function at line 3267 will write on the buffer msgBuffer if there is an error, but it will never check that the error message fits the length of that buffer, so if the attribute exceeds a length of about 170 characters, a buffer overflow will ensue.

The following page consisting of a single HTML tag is enough to trigger this vulnerability. This code will control the instruction pointer, causing the Amaya web editor program to jump to the address 0x41414141:

<input type="aBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBCDaBAAAA">


Other stack-based buffer overflows were discovered.

When reading the HTML in function EndOfStartGI(), the length of the variable theGI is correctly limited to the buffer length.

html2toth.c: 2506 /*---------------------------------------------------------------------- 2507 EndOfStartGI An HTML GI has been read in a start tag. 2508 ----------------------------------------------------------------------*/ 2509 static void EndOfStartGI (char c) 2510 { 2511 char theGI[MaxMsgLength]; . . . 2538 strncpy ((char *)theGI, (char *)inputBuffer, MaxMsgLength - 1); 2539 theGI[MaxMsgLength - 1] = EOS . . . 2596 ProcessStartGI (theGI);

But when calling ProcessStartGI(), an error message will add 50 extra characters to this variable (line 2440), and a stack-based buffer overflow will ensue (Bugtraq ID 33047):

2321 /*---------------------------------------------------------------------- 2322 ProcessStartGI An HTML GI has been read in a start tag. 2323 Create the corresponding Thot thing (element, attribute, 2324 or character), according to the mapping table. 2325 ----------------------------------------------------------------------*/ 2326 static void ProcessStartGI (const char* GIname) 2327 { 2331 char msgBuffer[MaxMsgLength]; . . . 2436 if (error) 2437 /* element not allowed in the current structural context */ 2438 { 2439 /* send an error message */ 2440 sprintf (msgBuffer, 2441 "Tag <%s> is not allowed here (removed when saving)", 2442 GIname); 2443 HTMLParseError (HTMLcontext.doc, msgBuffer, 0);

This is not an exhaustive enumeration of the stack-based buffer overflows that can be found in Amaya. Remarkably, in the unpatched version, files html2thot.c and xml2thot.c contain many general purpose buffers defined as

char msgBuffer[MaxMsgLength]

and the length of buffers is generally not checked in the functions using them (i.e. strcpy, sprintf, etcetera).

9. Report Timeline

  • 2008-12-18: Core notifies the vendor of the vulnerability.
  • 2008-12-19: Vendor requests information about versions tested.
  • 2008-12-19: Core notifies the vendor that the vulnerability was tested on Amaya 11.0 and 10.0 (Windows XP).
  • 2008-12-29: Core offers to send the advisory draft to the vendor and offers to negotiate the publication date.
  • 2009-01-08: Core sends the advisory draft to the vendor.
  • 2009-01-09: Vendor informs that the bugs were fixed in the CVS version and will be included in version 11.1 by the end of January.
  • 2009-01-12: Core requests a more precise date.
  • 2009-01-14: Vendor suggest to publish the advisory on January 28th at the same time of release of Amaya 11.1.
  • 2009-01-14: Core confirms the vendor that advisory CORE-2008-1211 will be published on January 28th.
  • 2009-01-28: Core publishes advisory CORE-2008-1211.

10. References

[1] Amaya Homepage http://www.w3.org/Amaya

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team.