[Full-disclosure] Move Networks Upgrade Manager QMPUpgrade.dll Buffer Overflow

Who:
Move Networks
http://www.movenetworks.com/

What:
Move Networks Quantum Streaming Player Upgrade Manager

How:
QMPUpgrade.dll version 1.0.0.1
{6054D082-355D-4B47-B77C-36A778899F48}

QMPUpgrade.dll is packaged with an older version of the Quantum
player. The player itself has several vulnerabilities, see
http://www.securityfocus.com/bid/25529, which were fixed in later
version(s). I can confirm this for version 7.7.4.39,
qsp2ie07074039.dll, digitally signed Tuesday, September 18, 2007
7:10:35 PM. What is interesting is what happens when you upgrade
from an older version of the player.

Old Path: Documents and Settings\All Users\Application Data\Move
Networks
New Path: Documents and Settings\%username%\Application Data\Move
Networks\ie_bin

Both versions use the same class id, when the player is upgraded,
the class id points to the newer version, however, the older
version is left as is, along with the vulnerable QMPUpgrade.dll
still registered.

Exploit:
http://milw0rm.com/exploits/4979

Workaround:
Newer version(s) of the player come bundled with an executable
called MovePlayerUpgrade.exe, so I am assuming that QMPUpgrade.dll
is no longer needed. Killbit it or better yet, remove it altogether.

Fix:
No official fix known

P.S. To SF and others, e.b. is my initials :)

–
Live your dreams. Click here to find information on becoming a lawyer.
http://tagline.hushmail.com/fc/Ioyw6h4fKhCPKyEBGODBuqbJgM0Y38sJNAXMugFnArEBr0pt1IXX4E/
Elazar

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/