Navigation

← Previous Changeset
Next Changeset →

Changeset 1529

Timestamp:

01/16/08 15:35:49 (8 months ago)

Author:

jose

Message:

[phoneyc]
found an exploit for QvodCtrl? at SecFocus?, add.
fix:
- add CLSID for QvodCtrl?
- look for URL and url - XXX case independent handling of methods etc?
- proper length check
- object instantiation can be done with name, not just id

Files:

phoneyc/trunk/ActiveX.py (modified) (1 diff)
phoneyc/trunk/honeyclient.py (modified) (1 diff)
phoneyc/trunk/modules/jscript/QvodCtrl.js (modified) (2 diffs)
phoneyc/trunk/tests/qvodctl-2.html (added)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

phoneyc/trunk/ActiveX.py

r1528	r1529
50	50	self.clsid['E9880553-B8A7-4960-A668-95C68BED571E'] = MacrovisionFlexNet()
51	51	self.clsid['A86934DA-C3D6-4C1C-BD83-CA4F14B362DE'] = PTZCamPanel()
	52	self.clsid['F3D0D36F-23F8-4682-A195-74C92B03D4AF'] = QvodCtrl()
52	53
53	54	self.clsname = {}

phoneyc/trunk/honeyclient.py

r1523	r1529
603	603	for i, j in attrs:
604	604	if i == 'id': obj_id = j
	605	if i == 'name': obj_id = j
605	606	obj = self.a.get_obj_by_clsid(v)
606	607	if not obj:

phoneyc/trunk/modules/jscript/QvodCtrl.js

r1528	r1529
6	6	p = p.toUpperCase();
7	7	if (p == 'URL') {
8		if (newv.length > ~~1024~~) {
	8	if (newv.length > 800) {
9	9	add_alert('Qvod Player QvodCtrl Class ActiveX Control overflow in URL property');
10	10	}
…	…
14	14	function QvodCtrl() {
15	15	this.url = '';
	16	this.URL = '';
16	17	this.watch('url', check_property_attr);
	18	this.watch('URL', check_property_attr);
17	19	}