CVE-2009-0323
Published: 2009-01-28
Priority: P2 (60) · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 62.49% (99.1th percentile)
Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0 and 11.0 allow remote attackers to execute arbitrary code via (1) a long type parameter in an input tag, which is not properly handled by the EndOfXmlAttributeValue function; (2) an "HTML GI" in a start tag, which is not properly handled by the ProcessStartGI function; and unspecified vectors in (3) html2thot.c and (4) xml2thot.c, related to the msgBuffer variable. NOTE: these are different vectors than CVE-2008-6005.
Affected
71 ranges listed on the source page (25 shown there); only the first carries version data, the remaining entries for the same vendor and product are blank and are omitted here.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| w3 | amaya | <= 11.0 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts via an overly long `type` attribute in an HTML `<input>` tag delivered over HTTP, targeting Amaya's EndOfXmlAttributeValue() function (xml2thot.c).
- Detect exploitation attempts via an overly long HTML GI (element name) in a start tag, targeting Amaya's ProcessStartGI() function (html2thot.c); the overflow occurs when the error message built for the unrecognised tag appends 50 extra characters to the fixed-size msgBuffer.
- Monitor for HTTP responses containing `<bdo>` tags with excessively long attribute strings (at least 6889 bytes, the Metasploit module's target offset) served to Amaya Browser v11.0 clients; the module uses a payload space of 970 bytes with no null bytes.
- The Metasploit module takes its return address (0x02101034) from wxmsw28u_core_vc_custom.dll. That DLL is loaded by every Amaya 11.0 process, so its presence alone indicates nothing; the indicator is the value 0x02101034 itself, as the little-endian bytes 34 10 10 02 in a served page or as the saved return address on the stack of a crashed Amaya process.
- The Metasploit module targets only Windows (win platform) and specifically Amaya Browser v11.0; the return address and offset are specific to wxmsw28u_core_vc_custom.dll as shipped with that version.
- The payload's only bad character is the null byte ('\x00'), and a stack adjustment of -3500 is used; because the encoded shellcode is null-free but otherwise arbitrary, signatures should key on the padding length and the return address rather than on shellcode bytes.
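The heuristics above, implemented as a scanner over HTTP response bodies. This is an added example for this page, not code from Amaya, Core Security or the Metasploit project. The 6889-byte offset and the 0x02101034 return address are the figures quoted above; the two other thresholds, the regular expressions and every sample page are assumptions constructed for the example, including the layout of the `<bdo>` sample, which only imitates the module's padding-then-payload shape.

```python
"""Heuristic scan of HTTP response bodies for CVE-2009-0323 exploitation attempts.

Added example for this page; not code from Amaya, Core Security or the
Metasploit project. BDO_OFFSET and RET_LE come from the figures quoted on the
page; the other thresholds and all sample pages are constructed assumptions.
"""
import re

BDO_OFFSET = 6889          # amaya_bdo.rb target offset (quoted on the page)
MAX_INPUT_TYPE = 256       # assumed: no real <input type> value gets near this
MAX_GI_LENGTH = 64         # assumed: no real element name gets near this

# 0x02101034 as the module writes it with [ret].pack('V'): little-endian.
# Derived from the return address quoted above; a weak corroborating
# indicator only, since any four bytes can occur by chance in binary content.
RET_LE = (0x02101034).to_bytes(4, "little")   # b"\x34\x10\x10\x02"

# A start tag: '<', a GI (element name) of non-space/non-'>' bytes, then the
# raw attribute region up to the first '>'. End tags ('</x>') do not match.
START_TAG = re.compile(rb"<([A-Za-z][^\s/>]*)([^>]*)>")
# name=value pairs inside that region, quoted or bare.
ATTR = re.compile(rb"""([^\s=/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def scan_body(body: bytes) -> list:
    """Return one finding per hit: rule, tag, observed length, byte offset."""
    findings = []
    for m in START_TAG.finditer(body):
        gi, region, off = m.group(1), m.group(2), m.start()
        tag = gi.lower()
        # (2) ProcessStartGI: an HTML GI far longer than any real element name.
        if len(gi) > MAX_GI_LENGTH:
            findings.append({"rule": "long_gi",
                             "tag": gi[:16].decode("ascii", "replace") + "...",
                             "length": len(gi), "offset": off})
        # amaya_bdo.rb: the module front-loads BDO_OFFSET bytes of alphabetic
        # padding, so the region up to the first '>' is at least that long
        # even when the encoded payload that follows contains '>' itself.
        if tag == b"bdo" and len(region) >= BDO_OFFSET:
            findings.append({"rule": "bdo_overflow", "tag": "bdo",
                             "length": len(region), "offset": off})
        # (1) EndOfXmlAttributeValue: over-long type attribute on <input>.
        if tag == b"input":
            for a in ATTR.finditer(region):
                value = next(g for g in a.groups()[1:] if g is not None)
                if a.group(1).lower() == b"type" and len(value) > MAX_INPUT_TYPE:
                    findings.append({"rule": "long_input_type", "tag": "input",
                                     "length": len(value), "offset": off})
    if RET_LE in body:
        findings.append({"rule": "ret_0x02101034", "tag": None,
                         "length": 4, "offset": body.find(RET_LE)})
    return findings


# Constructed samples (not captured traffic).
BENIGN = (b'<html><body><form><input type="text" name="q">'
          b'<bdo dir="rtl">abc</bdo></form></body></html>')


def build_bdo_sample() -> bytes:
    """Page shaped like the module's output: BDO_OFFSET bytes of padding, the
    packed return address, then a 970-byte null-free stand-in for the encoded
    payload (NOPs here). The real module's exact layout is not reproduced."""
    sploit = b"A" * BDO_OFFSET + RET_LE + b"\x90" * 970
    return b'<html><body><bdo dir="' + sploit + b'"></bdo></body></html>'


INPUT_SAMPLE = b'<html><input type="' + b"X" * 2000 + b'" name="q"></html>'
GI_SAMPLE = b"<html><" + b"B" * 300 + b' class="x">text</html>'

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("bdo", build_bdo_sample()),
                        ("input", INPUT_SAMPLE), ("gi", GI_SAMPLE)):
        print(label, scan_body(page))
```

Feed it decompressed response bodies from a proxy or IDS tap; the return-address check is deliberately reported as its own low-confidence rule so it can corroborate a length hit without triggering alone on binary content.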
No detection rules found.
Exploit-DB
Amaya Browser 11.0 - bdo tag Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2009-0323
---
```ruby
##
# $Id: amaya_bdo.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the opening of initialize() were swallowed by the
# page's HTML extraction (everything from the '<' of the superclass up to the
# 'Name' key). The lines down to 'Name' are the standard Metasploit 3.x
# skeleton for an HTTP-served browser exploit, restored from context.
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Amaya Browser v11.0 bdo tag overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Amaya v11 Browser.
          By sending an overly long string to the "bdo"
          tag, an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'dookie, original exploit by Rob Carter' ],
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2009
```
(module listing truncated on the source page)
Exploit-DB
Amaya Web Editor 11.0 - XML / HTML Parser
exploitdb · 2009-01-28 · CVE-2009-0323
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Amaya web editor XML and HTML parser vulnerabilities
1. *Advisory Information*
Title: Amaya web editor XML and HTML parser vulnerabilities
Advisory ID: CORE-2008-1211
Advisory URL: http://www.coresecurity.com/content/amaya-buffer-overflows
Date published: 2009-01-28
Date of last update: 2009-01-26
Vendors contacted: INRIA
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 33046, 33047
CVE Name: N/A
3. *Vulnerability Description*
Amaya is the W3C's Web editor/browser, a tool used to create and update
docume
Metasploit
Amaya Browser v11.0 'bdo' Tag Overflow
This module exploits a stack buffer overflow in the Amaya v11 Browser. By sending an overly long string to the "bdo" tag, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://www.coresecurity.com/content/amaya-buffer-overflows
- http://www.securityfocus.com/archive/1/500492/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48325
- https://www.exploit-db.com/exploits/7902
Published: 2009-01-28