lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20080115161643.DC7E6D0039@mailserver10.hushmail.com>
Date: Tue, 15 Jan 2008 16:16:43 +0000
From: "Elazar Broad" <elazar@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: Macrovision FlexNet Connect DownloadManager
	Insecure Methods

Forget downloading files to the startup directory, it looks like 
Macrovision still hasn't fixed the DownloadAndExecute() method of 
isusweb.dll. I believe that this issue is similar to this one: 
http://www.securityfocus.com/bid/26280(maybe someone from iDefense 
could confirm that?), just that this is a different classid and a 
newer version of isusweb(different framework too?).

isusweb.dll version 6.1.100.61372,Macrovision FLEXnet Connect Web 
Agent
Digitally signed March 29th, 2007
{1DF951B1-8D40-4894-A04C-66AD824A0EEF}
MVSNClientWebAgent61.WebAgent 


Exploit code is(will be) on Milw0rm, exploiting this is pretty self 
explanatory though...

Elazar

On Mon, 14 Jan 2008 19:51:22 +0000 Elazar Broad 
<elazar@...hmail.com> wrote:
>Who:
>Macrovision
>
>What:
>Macrovision FlexNext Connect is a software package that allows 
>ISV's to update their software products. It is generally used in 
>conjunction with the InstallShield software deploymnet framework.
>
>FlexNet uses a number of ActiveX controls, some of which are 
>marked 
>safe for scripting, in this case, the DownloadManager object:
>
>ISDM.exe version 6.1.100.61372
>MVSNClientDownloadManager61Lib.DownloadManager
>{FCED4482-7CCB-4E6F-86C9-DCB22B52843C}
> IObjectSafety:
> IO. Safe for scripting (IDispatch)
>
>How:
>This control contains several methods which can be used to 
>silently 
>download arbitrary files to the system and possibly overwrite 
>files 
>in the context of the user.
>
>Workaround:
>Set the killbit for this control and the Basket control(see 
>Notes), 
>see http://support.microsoft.com/kb/240797
>
>Fix:
>None
>
>Exploit;
>http://milw0rm.com/exploits/4909
>
>Notes:
>The Basket object {1DF951B1-8D40-4894-A04C-66AD824A0EEF} of 
>isusweb.dll can be used in a similar manner to download and 
>execute 
>files on a system via the ISDM scheduling framework, however, it 
>does so visibly.
>
>I understand that some of this functionality is by design, 
>however, 
>there should be some validation in place to verify that the files 
>that are being downloaded are indeed from a trusted source and are 
>
>
>--
>Click here and choose from thousands of high quality used cars.
>http://tagline.hushmail.com/fc/Ioyw6h4fKQ1cTGSIM7gFWipCcboNGVFhKad0
>XVtWL17fgTXnXnvcla/
>updates to packages that are actually installed on the system.    
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html

--
Enhance your home's curb appeal with name brand shutters. Click now.
http://tagline.hushmail.com/fc/Ioyw6h4dZriwl5t7kxJV37MvYEv2FMXTWrouoE37CYs1W9JAhwHOe0/
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ