| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Apr 2005 07:37:40 -0700 From: "Hyperdose Security" <robfly@...erdose.com> To: <bugtraq@...urityfocus.com> Subject: Trojan file issue in Musicmatch software Hyperdose Security Advisory Name: Arbitrary file overwrite in Musicmatch Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo v9.00.5059 and earlier are also affected) Severity: Moderate Author: Robert Fly - robfly@...erdose.com Advisory URL: http://www.hyperdose.com/advisories/H2005-05.txt --MusicMatch Description-- From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find and organize your music, giving you ultimate control of your music experience." In September 04 Musicmatch was purchased by Yahoo! Inc. --Bug Details-- CreateProcess has known issues with launching files. For example, when making a call like: CreateProcess(NULL, "C:\Program Files\app\launch.exe", ...) The API will first look for c:\program.exe, instead of what most would expect (to open launch.exe). To fix the path must be quoted. More details can be found here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/ht ml/appsec.asp MMFWLaunch.exe versions earlier then 10.00.2047 contain this vulnerability. To reproduce, create a file on your root drive called program.exe. Then launch MMFWLaunch.exe (located under c:\program files\musicmatch\Musicmatch Jukebox\), on vulnerable versions you should see that program launched several times instead of the actual MMFWLaunch. Through normal means, you can come across this by navigating to File->Create CD From Current Playlist in the core Musicmatch UI. Although not possible on WinXP, previous versions of Windows had looser ACLs on the root drive. Meaning an attacker using a shared computer could get their victim to run their code instead of launching this Musicmatch file by taking advantage of this vulnerability. Musicmatch has now fixed this vulnerability by quoting the path passed into the CreateProcessAPI. --Fix Information-- As of 3/21/05 Yahoo has released a new version which fixes this vulnerability. I have witheld vulnerability details until now so that MusicMatch automatic updates had a chance to propogate. Downloads available here: http://www.musicmatch.com/download/free/security.htm Security FAQ available here: http://www.musicmatch.com/info/user_guide/faq/security_updates.htm --About Hyperdose-- Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development ranging from security design and architectural reviews, security code reviews and penetration testing. web www.hyperdose.com email robfly@...erdose.com
Powered by blists - more mailing lists