RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Command Execution
and Code Execution Vulnerabilities
tested against Internet Explorer 9, Vista SP2
download url: http://www.gamehouse.com/
background:
When you choose to play one of these online games, for example the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe.
This setup program installs an ActiveX control with the following settings:
CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True
Because the control is registered as safe for scripting and safe for initialization,
Internet Explorer will instantiate it and allow its methods to be called from a
remote web page.
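The two "Safe For ..." flags above are nothing more than registry entries, so an administrator can verify the exposure and block the control in Internet Explorer without waiting for a vendor update. The following PowerShell script is an added example and is not part of the original advisory or of the RealArcade installer: it reads the control's registration under the CLSID given above, reports whether the safe-for-scripting and safe-for-initialization component categories are present, checks the Internet Explorer kill bit, and can set that kill bit. The category GUIDs and the 0x400 "Compatibility Flags" value are Microsoft's documented constants; the registry paths assume a standard per-machine (HKLM) registration and cover both the native and the Wow6432Node views. The function names are the example's own.

```powershell
# Added example, not part of the original advisory: audit the registry entries that make
# an ActiveX control scriptable from a web page, and set the Internet Explorer kill bit.
# Assumes a per-machine (HKLM) registration; per-user (HKCU) registrations are not covered.
# Set-ActiveXKillBit needs an elevated session.

$Clsid = '{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}'   # StubbyUtil.ShellCtl.1 (from the advisory)

# Component-category GUIDs (Microsoft) that mark a control "safe for scripting" / "safe for initialization"
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Bit in "Compatibility Flags" that stops Internet Explorer from loading the control (the kill bit)
$KillBit = 0x00000400

# Native and WOW64 (32-bit control on 64-bit Windows) registry views
$ClsidRoots  = 'HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
$CompatRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ActiveXSafetyReport {
    # Reports ProgID, binary path and the two safety categories for every registration found.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        [pscustomobject]@{
            Key                   = $key
            ProgId                = (Get-ItemProperty -Path (Join-Path $key 'ProgID') -ErrorAction SilentlyContinue).'(default)'
            BinaryPath            = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            SafeForScripting      = Test-Path (Join-Path $key "Implemented Categories\$CatSafeForScripting")
            SafeForInitialization = Test-Path (Join-Path $key "Implemented Categories\$CatSafeForInitializing")
        }
    }
}

function Test-ActiveXKillBit {
    # KillBitSet is $true when the kill bit is already present in that compatibility view.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key   = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{ Key = $key; KillBitSet = [bool]([int]$flags -band $KillBit) }
    }
}

function Set-ActiveXKillBit {
    # ORs the kill bit into "Compatibility Flags", keeping any other flags already present.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$flags -bor $KillBit) -Type DWord
    }
}

# Audit first: a control that is safe for scripting, safe for initialization and has no
# kill bit is exactly the exposure the advisory describes.
Get-ActiveXSafetyReport -Clsid $Clsid | Format-List
Test-ActiveXKillBit     -Clsid $Clsid | Format-Table -AutoSize

# Uncomment to apply the mitigation (elevated session required):
# Set-ActiveXKillBit -Clsid $Clsid
```

The kill bit only stops Internet Explorer from loading the control; the DLL stays on disk and remains reachable by other COM clients, so the script is a containment step rather than a replacement for removing or updating the installer. The same audit can be pointed at any other CLSID to find controls that ship with both safety categories set.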
vulnerability:
This control exposes four methods that are implemented insecurely:
ShellExec() -> allows launching arbitrary commands
ShellExecRunAs() -> allows launching arbitrary commands
CreateShortcut() -> allows creating arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows copying arbitrary executable files from a remote
network share to local folders, e.g. the automatic startup folders
Other attacks are possible, including information disclosure and file deletion;
see the type library:
class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
    /* DISPID=1610612736 */
    function QueryInterface(
        /* VT_PTR [26] [in] --> ? [29] */ &$riid,
        /* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
        )
    {
    }
    /* DISPID=1610612737 */
    /* VT_UI4 [19] */
    function AddRef(
        )
    {
    }
    /* DISPID=1610612738 */
    /* VT_UI4 [19] */
    function Release(
        )
    {
    }
    /* DISPID=1610678272 */
    function GetTypeInfoCount(
        /* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
        )
    {
    }
    /* DISPID=1610678273 */
    function GetTypeInfo(
        /* VT_UINT [23] [in] */ $itinfo,
        /* VT_UI4 [19] [in] */ $lcid,
        /* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
        )
    {
    }
    /* DISPID=1610678274 */
    function GetIDsOfNames(
        /* VT_PTR [26] [in] --> ? [29] */ &$riid,
        /* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
        /* VT_UINT [23] [in] */ $cNames,
        /* VT_UI4 [19] [in] */ $lcid,
        /* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
        )
    {
    }
    /* DISPID=1610678275 */
    function Invoke(
        /* VT_I4 [3] [in] */ $dispidMember,
        /* VT_PTR [26] [in] --> ? [29] */ &$riid,
        /* VT_UI4 [19] [in] */ $lcid,
        /* VT_UI2 [18] [in] */ $wFlags,
        /* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
        /* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
        /* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
        /* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
        )
    {
    }
    /* DISPID=1 */
    function CreateShortcut(
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name,
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target,
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon,
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir,
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args
        )
    {
        /* method CreateShortcut */
    }
    /* DISPID=2 */
    function DeleteShortcut(
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name
        )
    {
        /* method DeleteShortcut */
    }
    /* DISPID=3 */
    /* VT_BSTR [8] */
    function ModuleFileName(
        )
    {
        /* method ModuleFileName */
    }
    /* DISPID=4 */
    /* VT_BSTR [8] */
    function GetSpecialFolder(
        /* VT_UI4 [19] [in] */ $__MIDL_0025
        )
    {
        /* method GetSpecialFolder */
    }
    /* DISPID=5 */
    /* VT_BOOL [11] */
    function CheckWnd(
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026
        )
    {
        /* method CheckWnd */
    }
    /* DISPID=6 */
    /* VT_BSTR [8] */
    function ExistingTPS(
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028
        )
    {
        /* method ExistingTPS */
    }
    /* DISPID=7 */
    function SetWorkingDir(
        /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030
        )
    {
        /* method SetWorkingDir */
    }
    /* DISPID=8 */
    /* VT_BSTR [8] */
    function GetWorkingDir(
        )
    {
        /* method GetWorkingDir */
    }
    /* DISPID=9 */
    /* VT_R8 [5] */
    function OSVersion(
        )
    {
        /* method OSVersion */
    }
    /* DISPID=10 */
    /* VT_BSTR [8] */
    function GetSystemID(
        )
    {
        /* method GetSystemID */
    }
    /* DISPID=11 */
    function InstallFromCD(
        /* VT_BSTR [8] [in] */ $GameID,
        /* VT_BSTR [8] [in] */ $GameName,
        /* VT_BSTR [8] [in] */ $Tps,
        /* VT_BSTR [8] [in] */ $GameLang,
        /* VT_BSTR [8] [in] */ $CDPath,
        /* VT_BSTR [8] [in] */ $StoreFront
        )
    {
        /* method InstallFromCD */
    }
    /* DISPID=12 */
    /* VT_UI4 [19] */
    function KillProcess(
        /* VT_BSTR [8] [in] */ $__MIDL_0033
        )
    {
        /* method KillProcess */
    }
    /* DISPID=13 */
    function RefreshAddRemovePrograms(
        )
    {
        /* method RefreshAddRemovePrograms */
    }
    /* DISPID=14 */
    function ShellExec(
        /* VT_BSTR [8] [in] */ $FilePath,
        /* VT_BSTR [8] [in] */ $Params
        )
    {
        /* method ShellExec */
    }
    /* DISPID=15 */
    function ShellExecRunAs(
        /* VT_BSTR [8] [in] */ $FilePath,
        /* VT_BSTR [8] [in] */ $Params
        )
    {
        /* method ShellExecRunAs */
    }
    /* DISPID=16 */
    /* VT_BSTR [8] */
    function PlatformInfo(
        )
    {
        /* method PlatformInfo */
    }
    /* DISPID=17 */
    /* VT_BSTR [8] */
    function GetAvailableDrive(
        /* VT_INT [22] [in] */ $reqSpace
        )
    {
        /* method GetAvailableDrive */
    }
    /* DISPID=18 */
    /* VT_BOOL [11] */
    function InitializeStamp(
        /* VT_BSTR [8] [in] */ $exeName,
        /* VT_INT [22] [in] */ $offset
        )
    {
        /* method InitializeStamp */
    }
    /* DISPID=19 */
    /* VT_BSTR [8] */
    function GetContentID(
        )
    {
        /* method GetContentID */
    }
    /* DISPID=20 */
    /* VT_BSTR [8] */
    function GetTrackingID(
        )
    {
        /* method GetTrackingID */
    }
    /* DISPID=21 */
    /* VT_BSTR [8] */
    function GetAffiliate(
        )
    {
        /* method GetAffiliate */
    }
    /* DISPID=22 */
    /* VT_BSTR [8] */
    function GetCurrency(
        )
    {
        /* method GetCurrency */
    }
    /* DISPID=23 */
    /* VT_BSTR [8] */
    function GetPrice(
        )
    {
        /* method GetPrice */
    }
    /* DISPID=24 */
    /* VT_BSTR [8] */
    function GetTimestamp(
        )
    {
        /* method GetTimestamp */
    }
    /* DISPID=25 */
    /* VT_BSTR [8] */
    function GetOTP(
        )
    {
        /* method GetOTP */
    }
    /* DISPID=26 */
    /* VT_BOOL [11] */
    function CopyDocument(
        /* VT_BSTR [8] [in] */ $src,
        /* VT_BSTR [8] [in] */ $dest
        )
    {
        /* method CopyDocument */
    }
    /* DISPID=27 */
    function InstallerToForeground(
        )
    {
        /* method InstallerToForeground */
    }
    /* DISPID=28 */
    function MonitorLicenseFolder(
        )
    {
        /* method MonitorLicenseFolder */
    }
    /* DISPID=29 */
    function ShutdownLicenseFolderMonitor(
        )
    {
        /* method ShutdownLicenseFolderMonitor */
    }
    /* DISPID=30 */
    /* VT_BSTR [8] */
    function GetFolderPath(
        /* VT_UI4 [19] [in] */ $__MIDL_0037
        )
    {
        /* method GetFolderPath */
    }
}
binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010
PoC:
PoCs available here: http://retrogod.altervista.org/9sg_realgames_i.html