CVE-2009-0323
published 2009-01-28


Priority: P2 · 60
Severity: critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: flagged (public exploit available)
EPSS: 62.49% (99.1th percentile)
Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an "HTML GI" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005.

Affected

71 ranges · showing 25

Vendor  Product  Version range  Fixed in
w3      amaya    <= 11.0        (blank)
(the remaining 24 displayed rows list vendor w3, product amaya, with no version range or fixed-in version shown)

Detection & IOCs (extracted from sources)

Other: 0x02101034 (RET address used by the Metasploit module)
Other: Offset: 6889 (bdo tag overflow, Amaya v11)
  • Detect exploitation attempts via overly long 'type' attribute in HTML <input> tags delivered over HTTP, targeting Amaya's EndOfXmlAttributeValue() function (xml2thot.c).
  • Detect exploitation attempts via overly long HTML GI (element name) in start tags, targeting Amaya's ProcessStartGI() function (html2thot.c); the overflow occurs when an error message appends 50 extra characters to the msgBuffer.
  • Monitor for HTTP responses containing malicious <bdo> tags with excessively long attribute strings (>6889 bytes) served to Amaya Browser v11.0 clients; the Metasploit module uses a payload space of 970 bytes with no null bytes.
  • The Metasploit exploit module targets wxmsw28u_core_vc_custom.dll for its RET address (0x02101034); presence of this DLL in Amaya process memory combined with anomalous stack activity is a strong indicator of exploitation.
  • The Metasploit module targets only Windows (win platform) and specifically Amaya Browser v11.0; the RET address and offset are specific to wxmsw28u_core_vc_custom.dll on that version.
  • The payload bad characters are null bytes only ('\x00'), and a stack adjustment of -3500 is used; detection signatures should account for this shellcode encoding constraint.
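The three detection bullets above (overly long `type` attribute on `<input>`, overly long element name in a start tag, and `<bdo>` tags with more than 6889 bytes of attribute data) can be checked directly on HTTP response bodies before they reach a vulnerable client. The following is an added example written for this page, not code from the CVE record, Amaya or the Metasploit module; it uses Python's standard `html.parser` and two assumed thresholds (`MAX_TAG_NAME`, `MAX_ATTR_VALUE`) for the first two heuristics, since the record gives an exact byte count only for the `<bdo>` case. The sample documents at the bottom are constructed.

```python
from html.parser import HTMLParser

# Thresholds for the two heuristics the record describes without a byte count.
# These are assumptions for this example; tune them to the traffic you see.
MAX_TAG_NAME = 256      # element name ("HTML GI") length in a start tag
MAX_ATTR_VALUE = 1024   # length of the 'type' attribute on <input>
BDO_OVERFLOW_OFFSET = 6889  # from the record: bdo tag overflow offset, Amaya v11


class AmayaOverflowDetector(HTMLParser):
    """Collects findings for start tags matching the CVE-2009-0323 patterns."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # (2) ProcessStartGI: an overlong element name in a start tag.
        if len(tag) > MAX_TAG_NAME:
            self.findings.append({"rule": "long_start_tag_gi",
                                  "tag": tag[:16] + "...", "length": len(tag)})

        # (1) EndOfXmlAttributeValue: an overlong 'type' attribute on <input>.
        if tag == "input":
            for name, value in attrs:
                if name == "type" and value is not None and len(value) > MAX_ATTR_VALUE:
                    self.findings.append({"rule": "long_input_type",
                                          "tag": tag, "length": len(value)})

        # Metasploit vector: <bdo> with more than 6889 bytes of attribute data.
        if tag == "bdo":
            attr_bytes = sum(len(n) + len(v or "") for n, v in attrs)
            if attr_bytes > BDO_OVERFLOW_OFFSET:
                self.findings.append({"rule": "bdo_attribute_overflow",
                                      "tag": tag, "length": attr_bytes})


def scan_html(document: str) -> list:
    """Return a list of findings (empty when the document looks benign)."""
    detector = AmayaOverflowDetector()
    detector.feed(document)
    detector.close()
    return detector.findings


# Constructed samples, not captured traffic.
BENIGN = '<html><body><input type="text" name="q"><bdo dir="rtl">x</bdo></body></html>'
LONG_INPUT_TYPE = '<input type="' + "A" * 2000 + '">'
LONG_GI = "<" + "B" * 300 + ' class="x">'
BDO_OVERFLOW = '<bdo dir="' + "C" * 7000 + '">'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("long_input_type", LONG_INPUT_TYPE),
                       ("long_gi", LONG_GI), ("bdo_overflow", BDO_OVERFLOW)]:
        print(label, scan_html(doc))
```

`scan_html` is the function to wire into an HTTP proxy or IDS post-processor: feed it each response body whose User-Agent or destination marks an Amaya client, and alert on any non-empty return. Because the parser lowercases tag names and decodes entities, the length checks are applied to what the client would see rather than the raw bytes; if you need the exact on-the-wire size for the `<bdo>` rule, measure `self.get_starttag_text()` instead of the summed attribute lengths.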