Title : FeedDemon Buffer OverFlow Vulnerability
1. General Information
FeedDemon is known as the most popular Windows RSS reader; it lets users
view and manage RSS feeds easily from their desktop. In January 2009,
SVRT-BKIS detected a buffer overflow vulnerability in this software. By
exploiting this flaw, attackers can perform remote attacks, install viruses,
steal private information, and even take control of users' systems. We have
sent the alert to the manufacturer.
III. BACKGROUND
-------------------------
Back in 2006, there was interesting research done by James Holderness[1] and
James M. Snell[2] which uncovered a variety of XSS issues in various online
feed aggregator services (e.g. FeedDemon). The vulnerability arises from
the fact that RSS readers are not expected to render scripted content.
I want to extend that research by doing threat analysis on the inbuilt feed
readers offered in most modern browsers. I have found Google Chrome (v2, v3)
and Opera (v9, v10) to be vulnerable, while Internet Explorer (v7, v8), Firefox
3.5 and Safari 4 are resilient to the exploits mentioned below.
# Risk : SQL Injection
##########################################################
Description:
Gregarius is a popular web-based RSS/RDF/Atom feed aggregator
written in PHP. Several SQL injection issues in Gregarius
allow disclosure of database contents and ultimately
the complete compromise of the Gregarius installation via exposed
admin credentials. Gregarius users are advised to update their
installations as soon as possible.
Cross Context Scripting (XCS) is a term coined for browser-based content
injection into the Firefox chrome zone. The term was originally used by
researcher Petko D. Petkov (pdp) when David Kierznowski found a
vulnerability in the Sage RSS reader Firefox extension.
XCS injection occurs between different security zones, an untrusted and a
trusted zone.
This paper details several XCS cases. XCS
Hi,
This is a cross-zone scripting vulnerability.
FeedReader uses the IE browser control to render HTML.
The RSS reader converts the RSS item data to a formatted HTML file and
caches it locally.
When the user clicks on the RSS item, the RSS reader displays the local
cached file, and any script in that file (or external references) will run
in Local Zone.
Therefore, an attacker can create/manipulate an RSS feed that will execute
Vulnerability : missing input sanitising
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5837
Duncan Gilmore discovered that yarssr, an RSS aggregator and reader,
performs insufficient input sanitising, which could result in the
execution of arbitrary shell commands if a malformed feed is read.
For the stable distribution (etch), this problem has been fixed in
version 0.2.2-1etch1.
Marc Ruef at scip AG found a design vulnerability in the current Release
8.5.
The product provides several widgets that the user can add and enable.
One of these widgets provides a simple RSS reader.
This reader downloads the RSS file, extracts the items and saves them
locally as HTML files.
The interpretation and display of the RSS items is handled by the
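Both the FeedReader report and the scip AG advisory above describe the same design: feed items are written to local HTML files and handed to an embedded browser control, so any markup the feed author supplies runs with the privileges of the local zone. The defensive counterpart is to treat item HTML as untrusted and re-serialize it through a strict allowlist before it is ever cached. The following sanitizer is an added example written for this page, not code from any of the products or advisories above; the tag and attribute allowlists and the sample feed item are constructed for the demonstration.

```python
"""Allowlist sanitizer for RSS/Atom item HTML before it is cached or rendered.

Added example (not from any advisory on this page). Everything not explicitly
allowed is dropped: unknown tags, all event-handler attributes, <script> and
<style> bodies, and any URL whose scheme is not http/https. Relative URLs are
rejected on purpose: a cached item is opened from the local file system, so a
relative link would resolve against the local cache directory.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists: keep formatting and links, nothing executable.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag *and* body are discarded


def safe_url(value):
    """Accept only absolute http(s) URLs; javascript:, data:, file: etc. fail."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class FeedItemSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>
        self.open_tags = []   # allowed tags we have emitted and not yet closed

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text children are still kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # on* handlers, style, etc. never reach the allowlist
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            return  # a self-closed <script/> has no body to skip
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close back to the matching tag so output stays well formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text

    def close(self):
        super().close()
        while self.open_tags:  # close anything the feed left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_item_html(item_html):
    """Return a re-serialized copy of item_html containing only allowed markup."""
    parser = FeedItemSanitizer()
    parser.feed(item_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample item mixing benign formatting with script injection attempts.
SAMPLE_ITEM = ('<p>Hello <b>world</b><script>alert(1)</script>'
               '<a href="javascript:alert(2)" onclick="x()">link</a>'
               '<img src="http://example.test/a.png" onerror="y()"></p>')

if __name__ == "__main__":
    print(sanitize_item_html(SAMPLE_ITEM))
```

Because the parser re-serializes rather than filtering with regular expressions, malformed markup such as unclosed tags or mixed-case schemes cannot smuggle a handler past the allowlist; the output is always a well-formed subset of the input's own text and permitted tags.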