Apr 05, 2011

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code Execution Vulnerabilities

vulners.com

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play one of these online games, e.g. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX control with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is marked safe for scripting and safe for initialization,
so Internet Explorer will allow this control to be scripted from a
remote web page.
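An added check, not part of the advisory, that audits the registry markings described above for this control and applies Internet Explorer's kill bit as a mitigation. It assumes the CLSID listed above, the standard CATID_SafeForScripting / CATID_SafeForInitializing category GUIDs and the 0x400 kill-bit flag; the function names are placeholders of my own.

```powershell
# Added example, not code from the advisory. The CLSID is the one the advisory lists; the category
# GUIDs and the 0x400 kill-bit flag are Windows' documented values. Run from an elevated shell.
$ClsId        = '{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}'   # StubbyUtil.ShellCtl.1
$CatScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBit      = 0x400                                       # FLAG_KILL_BIT in "Compatibility Flags"

# 32-bit controls on 64-bit Windows live under Wow6432Node; look in every view that exists.
$Views = @('')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') { $Views += 'Wow6432Node\' }

function Get-CompatFlags([string]$Key) {
    $v = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { 0 } else { [int]$v }
}

# One row per registry view: how the control is registered and marked, and whether it is kill-bitted.
function Get-ShellCtlStatus {
    foreach ($view in $Views) {
        $base   = "Registry::HKEY_CLASSES_ROOT\${view}CLSID\$ClsId"
        $cats   = "$base\Implemented Categories"
        $compat = "HKLM:\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$ClsId"
        if (-not (Test-Path $base)) { continue }   # not registered in this view
        $dll = (Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            View             = if ($view) { '32-bit (Wow6432Node)' } else { 'native' }
            InprocServer32   = $dll
            SafeForScripting = Test-Path "$cats\$CatScripting"
            SafeForInit      = Test-Path "$cats\$CatInit"
            KillBitSet       = ((Get-CompatFlags $compat) -band $KillBit) -ne 0
        }
    }
}

# Mitigation: set the kill bit in every view so IE refuses to instantiate the control
# whatever its safe-for-scripting markings say; the installed game is otherwise untouched.
function Set-ShellCtlKillBit {
    foreach ($view in $Views) {
        $compat = "HKLM:\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$ClsId"
        if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
        Set-ItemProperty -Path $compat -Name 'Compatibility Flags' -Type DWord `
            -Value ((Get-CompatFlags $compat) -bor $KillBit)
    }
}

Get-ShellCtlStatus | Format-Table -AutoSize
```

A control is only reachable from a web page while it is registered in a view and KillBitSet is false there; run Set-ShellCtlKillBit and re-run the status function to confirm the change.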

vulnerability:

This control has four methods implemented insecurely:

ShellExec() -> allows launching arbitrary commands
ShellExecRunAs() -> allows launching arbitrary commands
CreateShortcut() -> allows creating arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows copying arbitrary executable files from a remote
network share to local folders, e.g. the automatic startup folders

other attacks are possible, including information disclosure and file deletion;
see the typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
/* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
/* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
)
{
}
/* DISPID=1 */
function CreateShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args
)
{
/* method CreateShortcut */
}
/* DISPID=2 */
function DeleteShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name
)
{
/* method DeleteShortcut */
}
/* DISPID=3 */
/* VT_BSTR [8] */
function ModuleFileName(
)
{
/* method ModuleFileName */
}
/* DISPID=4 */
/* VT_BSTR [8] */
function GetSpecialFolder(
/* VT_UI4 [19] [in] */ $__MIDL_0025
)
{
/* method GetSpecialFolder */
}
/* DISPID=5 */
/* VT_BOOL [11] */
function CheckWnd(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026
)
{
/* method CheckWnd */
}
/* DISPID=6 */
/* VT_BSTR [8] */
function ExistingTPS(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028
)
{
/* method ExistingTPS */
}
/* DISPID=7 */
function SetWorkingDir(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030
)
{
/* method SetWorkingDir */
}
/* DISPID=8 */
/* VT_BSTR [8] */
function GetWorkingDir(
)
{
/* method GetWorkingDir */
}
/* DISPID=9 */
/* VT_R8 [5] */
function OSVersion(
)
{
/* method OSVersion */
}
/* DISPID=10 */
/* VT_BSTR [8] */
function GetSystemID(
)
{
/* method GetSystemID */
}
/* DISPID=11 */
function InstallFromCD(
/* VT_BSTR [8] [in] */ $GameID,
/* VT_BSTR [8] [in] */ $GameName,
/* VT_BSTR [8] [in] */ $Tps,
/* VT_BSTR [8] [in] */ $GameLang,
/* VT_BSTR [8] [in] */ $CDPath,
/* VT_BSTR [8] [in] */ $StoreFront
)
{
/* method InstallFromCD */
}
/* DISPID=12 */
/* VT_UI4 [19] */
function KillProcess(
/* VT_BSTR [8] [in] */ $__MIDL_0033
)
{
/* method KillProcess */
}
/* DISPID=13 */
function RefreshAddRemovePrograms(
)
{
/* method RefreshAddRemovePrograms */
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExec */
}
/* DISPID=15 */
function ShellExecRunAs(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExecRunAs */
}
/* DISPID=16 */
/* VT_BSTR [8] */
function PlatformInfo(
)
{
/* method PlatformInfo */
}
/* DISPID=17 */
/* VT_BSTR [8] */
function GetAvailableDrive(
/* VT_INT [22] [in] */ $reqSpace
)
{
/* method GetAvailableDrive */
}
/* DISPID=18 */
/* VT_BOOL [11] */
function InitializeStamp(
/* VT_BSTR [8] [in] */ $exeName,
/* VT_INT [22] [in] */ $offset
)
{
/* method InitializeStamp */
}
/* DISPID=19 */
/* VT_BSTR [8] */
function GetContentID(
)
{
/* method GetContentID */
}
/* DISPID=20 */
/* VT_BSTR [8] */
function GetTrackingID(
)
{
/* method GetTrackingID */
}
/* DISPID=21 */
/* VT_BSTR [8] */
function GetAffiliate(
)
{
/* method GetAffiliate */
}
/* DISPID=22 */
/* VT_BSTR [8] */
function GetCurrency(
)
{
/* method GetCurrency */
}
/* DISPID=23 */
/* VT_BSTR [8] */
function GetPrice(
)
{
/* method GetPrice */
}
/* DISPID=24 */
/* VT_BSTR [8] */
function GetTimestamp(
)
{
/* method GetTimestamp */
}
/* DISPID=25 */
/* VT_BSTR [8] */
function GetOTP(
)
{
/* method GetOTP */
}
/* DISPID=26 */
/* VT_BOOL [11] */
function CopyDocument(
/* VT_BSTR [8] [in] */ $src,
/* VT_BSTR [8] [in] */ $dest
)
{
/* method CopyDocument */
}
/* DISPID=27 */
function InstallerToForeground(
)
{
/* method InstallerToForeground */
}
/* DISPID=28 */
function MonitorLicenseFolder(
)
{
/* method MonitorLicenseFolder */
}
/* DISPID=29 */
function ShutdownLicenseFolderMonitor(
)
{
/* method ShutdownLicenseFolderMonitor */
}
/* DISPID=30 */
/* VT_BSTR [8] */
function GetFolderPath(
/* VT_UI4 [19] [in] */ $__MIDL_0037
)
{
/* method GetFolderPath */
}
}

binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010

POC:

PoCs available here: http://retrogod.altervista.org/9sg_realgames_i.html