| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 2 Apr 2011 10:46:47 -0600
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code
Execution Vulnerabilities
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
and Code Execution Vulnerabilities
tested against Internet Explorer 9, Vista sp2
download url: http://www.gamehouse.com/
background:
When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe
This setup program installs an ActiveX with the following settings:
CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True
This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.
vulnerability:
This control has four methods implemented insecurely:
ShellExec() -> allows to launch arbitrary commands
ShellExecRunAs() -> allows to launch arbitrary commands
CreateShortcut() -> allows to create arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows to copy arbitrary executable files from a remote
network share to local folders, ex. automatic startup folders
other attacks are possible including information disclosure and file deletion,
see typelib:
class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
/* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
/* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
)
{
}
/* DISPID=1 */
function CreateShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args
)
{
/* method CreateShortcut */
}
/* DISPID=2 */
function DeleteShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name
)
{
/* method DeleteShortcut */
}
/* DISPID=3 */
/* VT_BSTR [8] */
function ModuleFileName(
)
{
/* method ModuleFileName */
}
/* DISPID=4 */
/* VT_BSTR [8] */
function GetSpecialFolder(
/* VT_UI4 [19] [in] */ $__MIDL_0025
)
{
/* method GetSpecialFolder */
}
/* DISPID=5 */
/* VT_BOOL [11] */
function CheckWnd(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026
)
{
/* method CheckWnd */
}
/* DISPID=6 */
/* VT_BSTR [8] */
function ExistingTPS(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028
)
{
/* method ExistingTPS */
}
/* DISPID=7 */
function SetWorkingDir(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030
)
{
/* method SetWorkingDir */
}
/* DISPID=8 */
/* VT_BSTR [8] */
function GetWorkingDir(
)
{
/* method GetWorkingDir */
}
/* DISPID=9 */
/* VT_R8 [5] */
function OSVersion(
)
{
/* method OSVersion */
}
/* DISPID=10 */
/* VT_BSTR [8] */
function GetSystemID(
)
{
/* method GetSystemID */
}
/* DISPID=11 */
function InstallFromCD(
/* VT_BSTR [8] [in] */ $GameID,
/* VT_BSTR [8] [in] */ $GameName,
/* VT_BSTR [8] [in] */ $Tps,
/* VT_BSTR [8] [in] */ $GameLang,
/* VT_BSTR [8] [in] */ $CDPath,
/* VT_BSTR [8] [in] */ $StoreFront
)
{
/* method InstallFromCD */
}
/* DISPID=12 */
/* VT_UI4 [19] */
function KillProcess(
/* VT_BSTR [8] [in] */ $__MIDL_0033
)
{
/* method KillProcess */
}
/* DISPID=13 */
function RefreshAddRemovePrograms(
)
{
/* method RefreshAddRemovePrograms */
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExec */
}
/* DISPID=15 */
function ShellExecRunAs(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExecRunAs */
}
/* DISPID=16 */
/* VT_BSTR [8] */
function PlatformInfo(
)
{
/* method PlatformInfo */
}
/* DISPID=17 */
/* VT_BSTR [8] */
function GetAvailableDrive(
/* VT_INT [22] [in] */ $reqSpace
)
{
/* method GetAvailableDrive */
}
/* DISPID=18 */
/* VT_BOOL [11] */
function InitializeStamp(
/* VT_BSTR [8] [in] */ $exeName,
/* VT_INT [22] [in] */ $offset
)
{
/* method InitializeStamp */
}
/* DISPID=19 */
/* VT_BSTR [8] */
function GetContentID(
)
{
/* method GetContentID */
}
/* DISPID=20 */
/* VT_BSTR [8] */
function GetTrackingID(
)
{
/* method GetTrackingID */
}
/* DISPID=21 */
/* VT_BSTR [8] */
function GetAffiliate(
)
{
/* method GetAffiliate */
}
/* DISPID=22 */
/* VT_BSTR [8] */
function GetCurrency(
)
{
/* method GetCurrency */
}
/* DISPID=23 */
/* VT_BSTR [8] */
function GetPrice(
)
{
/* method GetPrice */
}
/* DISPID=24 */
/* VT_BSTR [8] */
function GetTimestamp(
)
{
/* method GetTimestamp */
}
/* DISPID=25 */
/* VT_BSTR [8] */
function GetOTP(
)
{
/* method GetOTP */
}
/* DISPID=26 */
/* VT_BOOL [11] */
function CopyDocument(
/* VT_BSTR [8] [in] */ $src,
/* VT_BSTR [8] [in] */ $dest
)
{
/* method CopyDocument */
}
/* DISPID=27 */
function InstallerToForeground(
)
{
/* method InstallerToForeground */
}
/* DISPID=28 */
function MonitorLicenseFolder(
)
{
/* method MonitorLicenseFolder */
}
/* DISPID=29 */
function ShutdownLicenseFolderMonitor(
)
{
/* method ShutdownLicenseFolderMonitor */
}
/* DISPID=30 */
/* VT_BSTR [8] */
function GetFolderPath(
/* VT_UI4 [19] [in] */ $__MIDL_0037
)
{
/* method GetFolderPath */
}
}
binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010
POC:
pocs availiable here: http://retrogod.altervista.org/9sg_realgames_i.html
Powered by blists - more mailing lists