CVE-2008-5282
published 2008-11-29
Priority P3 · 57 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.64% (96.8th percentile)
Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1 allow remote attackers to execute arbitrary code via (1) a link with a long HREF attribute, and (2) a DIV tag with a long id attribute.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| w3c | amaya_web_browser | — | — |
Detection & IOCs (extracted from sources)
- Stack overflow triggered via a long HREF attribute in a link element (URL bar vector). The payload is delivered through the URL bar or via the "Create or change link..." dialog. Detect abnormally long HREF values in HTML content served to Amaya.
- The EIP-overwrite return address used in both PoC exploits is 0x7D035F53 (\x53\x5f\x03\x7d). Presence of this 4-byte sequence at the EIP-overwrite offset in a payload targeting Amaya is a strong indicator of exploitation.
- The PoC exploits target Amaya 10.1 while the CVE references 10.0.1; both versions are affected by the same overflow vectors.
- The maximum value usable in shellcode is 0x1fffff because of the TtaWCToMBstring wchar_t conversion function; exploit shellcode must be crafted to stay within this constraint, which limits reuse of standard shellcode.
No detection rules found.
Exploit-DB
W3C Amaya 10.1 Web Browser - 'id' Remote Stack Overflow (PoC)
exploitdb·2008-11-24
---
# W3C Amaya 10.1 Web Browser
#
# Amaya (id) Remote Stack Overflow Vulnerability
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# Advisory: http://www.bmgsec.com.au/advisory/41/
# ------------------------------------------------------
#
# Shellcode notes:
# The application fails to correctly process certain bytes:
# 0x9c becomes 0x9cc2
# Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93, 0xab, 0xaf, 0xeb).
#
# After reviewing the source code, the below function modifies the
# shellcode:
# Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
#
# The max value which can be used is 0x1fffff r0ut3r
#
# The application will not overflow with normal alphanumeric c
Exploit-DB
W3C Amaya 10.1 Web Browser - URL Bar Remote Stack Overflow (PoC)
exploitdb·2008-11-24
---
# W3C Amaya 10.1 Web Browser
#
# Amaya (URL Bar) Remote Stack Overflow Vulnerability
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
#
# Advisory: http://www.bmgsec.com.au/advisory/40/
# ------------------------------------------------------
#
# Shellcode notes:
# The application fails to correctly process certain bytes:
# 0x9c becomes 0x9cc2
# Similar events occur with different bytes (0xf8, 0xfb, 0xbe, 0x93, 0xab, 0xaf, 0xeb).
#
# After reviewing the source code, the below function modifies the
# shellcode:
# Line 902: int TtaWCToMBstring (wchar_t src, unsigned char **dest)
#
# The max value which can be used is 0x1fffff > "Create or change link...".
# Now click "Confirm". Alternativ
No writeups or analysis indexed.
- http://osvdb.org/50282
- http://osvdb.org/50283
- http://secunia.com/advisories/32848
- http://securityreason.com/securityalert/4657
- http://www.bmgsec.com.au/advisory/40/
- http://www.bmgsec.com.au/advisory/41/
- http://www.securityfocus.com/archive/1/498578/100/0/threaded
- http://www.securityfocus.com/archive/1/498583/100/0/threaded
- http://www.securityfocus.com/bid/32442
- http://www.vupen.com/english/advisories/2008/3255
Published: 2008-11-29