Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26067
HistoryApr 05, 2011 - 12:00 a.m.

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilities

2011-04-0500:00:00
vulners.com
7

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow() -> allows to launch arbitrary commands
Exec() -> allows to launch arbitrary commands
ExecLow() -> allows to launch arbitrary commands
ShellExec() -> allows to launch arbitrary executables

other attacks are possible ,
see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} /
/
DISPID=1610612736 /
function QueryInterface(
/
VT_PTR [26] [in] –> ? [29] / &$riid,
/
VT_PTR [26] [out] –> VT_PTR [26] / &$ppvObj
)
{
}
/
DISPID=1610612737 /
/
VT_UI4 [19] /
function AddRef(
)
{
}
/
DISPID=1610612738 /
/
VT_UI4 [19] /
function Release(
)
{
}
/
DISPID=1610678272 /
function GetTypeInfoCount(
/
VT_PTR [26] [out] –> VT_UINT [23] / &$pctinfo
)
{
}
/
DISPID=1610678273 /
function GetTypeInfo(
/
VT_UINT [23] [in] / $itinfo,
/
VT_UI4 [19] [in] / $lcid,
/
VT_PTR [26] [out] –> VT_PTR [26] / &$pptinfo
)
{
}
/
DISPID=1610678274 /
function GetIDsOfNames(
/
VT_PTR [26] [in] –> ? [29] / &$riid,
/
VT_PTR [26] [in] –> VT_PTR [26] / &$rgszNames,
/
VT_UINT [23] [in] / $cNames,
/
VT_UI4 [19] [in] / $lcid,
/
VT_PTR [26] [out] –> VT_I4 [3] / &$rgdispid
)
{
}
/
DISPID=1610678275 /
function Invoke(
/
VT_I4 [3] [in] / $dispidMember,
/
VT_PTR [26] [in] –> ? [29] / &$riid,
/
VT_UI4 [19] [in] / $lcid,
/
VT_UI2 [18] [in] / $wFlags,
/
VT_PTR [26] [in] –> ? [29] / &$pdispparams,
/
VT_PTR [26] [out] –> VT_VARIANT [12] / &$pvarResult,
/
VT_PTR [26] [out] –> ? [29] / &$pexcepinfo,
/
VT_PTR [26] [out] –> VT_UINT [23] / &$puArgErr
)
{
}
/
DISPID=1 /
/
VT_BOOL [11] /
function Exec(
/
VT_PTR [26] [in] –> VT_BSTR [8] / &$mod,
/
VT_PTR [26] [in] –> VT_BSTR [8] / &$cmdline,
/
VT_BOOL [11] [in] / $__MIDL_0097,
/
VT_BOOL [11] [in] / $__MIDL_0098,
/
VT_PTR [26] [in] –> VT_BSTR [8] / &$__MIDL_0099
)
{
/
method Exec /
}
/
DISPID=2 /
/
VT_BOOL [11] /
function IsFinished(
)
{
}
/
DISPID=3 /
/
VT_UI4 [19] /
function CreateNamedMutex(
/
VT_BSTR [8] [in] / $__MIDL_0102
)
{
}
/
DISPID=4 /
function ReleaseMutex(
/
VT_UI4 [19] [in] / $__MIDL_0104
)
{
}
/
DISPID=5 /
function CloseMutex(
/
VT_UI4 [19] [in] / $__MIDL_0105
)
{
}
/
DISPID=6 /
/
VT_BOOL [11] /
function ObtainMutex(
/
VT_UI4 [19] [in] / $__MIDL_0106
)
{
}
/
DISPID=7 /
/
VT_BOOL [11] /
function WaitOnMutex(
/
VT_UI4 [19] [in] / $__MIDL_0108,
/
VT_INT [22] [in] / $__MIDL_0109
)
{
}
/
DISPID=8 /
function CloseEvent(
/
VT_UI4 [19] [in] / $__MIDL_0111
)
{
}
/
DISPID=9 /
function FireEvent(
/
VT_UI4 [19] [in] / $__MIDL_0112
)
{
}
/
DISPID=10 /
/
VT_UI4 [19] /
function CreateNamedEvent(
/
VT_BSTR [8] [in] / $__MIDL_0113
)
{
}
/
DISPID=11 /
/
VT_UI4 [19] /
function ExitCode(
)
{
}
/
DISPID=12 /
function CreateVistaTaskLow(
/
VT_BSTR [8] [in] / $bstrExecutablePath,
/
VT_BSTR [8] [in] / $bstrArguments,
/
VT_BSTR [8] [in] / $workDir
)
{
}
/
DISPID=13 /
/
VT_BOOL [11] /
function ExecLow(
/
VT_BSTR [8] [in] / $__MIDL_0116,
/
VT_BSTR [8] [in] / $cmdline,
/
VT_PTR [26] [in] –> VT_BSTR [8] / &$workDir
)
{
}
/
DISPID=14 /
function ShellExec(
/
VT_BSTR [8] [in] / $__MIDL_0117
)
{
}
/
DISPID=15 /
function Sleep(
/
VT_UI4 [19] [in] */ $__MIDL_0118
)
{
}
}

binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010

poc:
pocs availiable here: http://retrogod.altervista.org/9sg_realgames_ii.html