XUpload stack-based buffer overflow vulnerability
Yorick Koster, June 2007
A buffer overflow vulnerability exists in XUpload prior to version 220.127.116.11. This vulnerability allows attackers to execute arbitrary code with the privileges of the target user.
This issue was fixed in XUpload Service Release 18.104.22.168.
The XUpload ActiveX control is a client-side component the can be loaded in Internet Explorer. XUpload is used to upload arbitrary files to a web server. It is used to overcome some of the limitations that exist when the regular upload functionality of the browser is used (<input type="file" ...). XUpload allows uploading multiple files and even recursively entire directories. XUpload is marked "Safe for scripting" and "Safe for initialization".
Stack-based buffer overflow
The AddFile() method of XUpload does not properly check the length of the given file. The file name is copied in a fixed size buffer on the stack. This allows an attacker to trigger a buffer overflow on the stack. This buffer overflow can be used to fully overwrite the saved instruction pointer on the stack (EIP), thus an attacker can change the execution path of XUpload. Consequently, an attacker can inject and execute arbitrary code. This code will be executed with the privileges of the target user. This issue is demonstrated through the following proof of concept:
<object id="XUpload" name="XUpload" width="0" height="0"
<param name="Server" value="localhost">
<param name="Script" value="/upload.php">
var str = '';
for(var i = 0; i < 1024; i++)
str += unescape('%u4141%u4141%u4141%u4141%u4141');
window.onload = StartUpload;