[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080114195122.AF8D7D0039@mailserver10.hushmail.com>
Date: Mon, 14 Jan 2008 19:51:22 +0000
From: "Elazar Broad" <elazar@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc:
Subject: Macrovision FlexNet Connect DownloadManager
Insecure Methods
Who:
Macrovision
What:
Macrovision FlexNext Connect is a software package that allows
ISV's to update their software products. It is generally used in
conjunction with the InstallShield software deploymnet framework.
FlexNet uses a number of ActiveX controls, some of which are marked
safe for scripting, in this case, the DownloadManager object:
ISDM.exe version 6.1.100.61372
MVSNClientDownloadManager61Lib.DownloadManager
{FCED4482-7CCB-4E6F-86C9-DCB22B52843C}
IObjectSafety:
IO. Safe for scripting (IDispatch)
How:
This control contains several methods which can be used to silently
download arbitrary files to the system and possibly overwrite files
in the context of the user.
Workaround:
Set the killbit for this control and the Basket control(see Notes),
see http://support.microsoft.com/kb/240797
Fix:
None
Exploit;
http://milw0rm.com/exploits/4909
Notes:
The Basket object {1DF951B1-8D40-4894-A04C-66AD824A0EEF} of
isusweb.dll can be used in a similar manner to download and execute
files on a system via the ISDM scheduling framework, however, it
does so visibly.
I understand that some of this functionality is by design, however,
there should be some validation in place to verify that the files
that are being downloaded are indeed from a trusted source and are
--
Click here and choose from thousands of high quality used cars.
http://tagline.hushmail.com/fc/Ioyw6h4fKQ1cTGSIM7gFWipCcboNGVFhKad0XVtWL17fgTXnXnvcla/
updates to packages that are actually installed on the system.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists