[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control Multiple Remote Command Execution
# Published : 2011-04-03
# Author : rgod
# Previous Title : RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control Multiple Remote Command Execution
# Next Title : Zend Server Java Bridge Arbitrary Java Code Execution
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilitiestested against Internet Explorer 9, Vista sp2download url: http://www.gamehouse.com/background:When choosing to play with theese online games ex. the game called"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exeThis setup program installs an ActiveX with the following settings:CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}Progid: StubbyUtil.ProcessMgr.1Binary Path: C:/Program Files/RealArcade/Installer/bin/InstallerDlg.dllSafe For Initialization (Registry): TrueSafe For Scripting (Registry): TrueThis control is safe for scripting and safe for initialization,so Internet Explorer will allow scripting of this control fromremote.vulnerability:This control has four methods implemented insecurely:CreateVistaTaskLow() -> allows to launch arbitrary commandsExec() -> allows to launch arbitrary commandsExecLow() -> allows to launch arbitrary commandsShellExec() -> allows to launch arbitrary executablesother attacks are possible , see typelib:class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */ /* DISPID=1610612736 */ function QueryInterface( /* VT_PTR [26] [in] --> ? [29] */ &$riid, /* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj ) { } /* DISPID=1610612737 */ /* VT_UI4 [19] */ function AddRef( ) { } /* DISPID=1610612738 */ /* VT_UI4 [19] */ function Release( ) { } /* DISPID=1610678272 */ function GetTypeInfoCount( /* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo ) { } /* DISPID=1610678273 */ function GetTypeInfo( /* VT_UINT [23] [in] */ $itinfo, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo ) { } /* DISPID=1610678274 */ function GetIDsOfNames( /* VT_PTR [26] [in] --> ? [29] */ &$riid, /* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames, /* VT_UINT [23] [in] */ $cNames, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid ) { } /* DISPID=1610678275 */ function Invoke( /* VT_I4 [3] [in] */ $dispidMember, /* VT_PTR [26] [in] --> ? [29] */ &$riid, /* VT_UI4 [19] [in] */ $lcid, /* VT_UI2 [18] [in] */ $wFlags, /* VT_PTR [26] [in] --> ? [29] */ &$pdispparams, /* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult, /* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo, /* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr ) { } /* DISPID=1 */ /* VT_BOOL [11] */ function Exec( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$mod, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$cmdline, /* VT_BOOL [11] [in] */ $__MIDL_0097, /* VT_BOOL [11] [in] */ $__MIDL_0098, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0099 ) { /* method Exec */ } /* DISPID=2 */ /* VT_BOOL [11] */ function IsFinished( ) { } /* DISPID=3 */ /* VT_UI4 [19] */ function CreateNamedMutex( /* VT_BSTR [8] [in] */ $__MIDL_0102 ) { } /* DISPID=4 */ function ReleaseMutex( /* VT_UI4 [19] [in] */ $__MIDL_0104 ) { } /* DISPID=5 */ function CloseMutex( /* VT_UI4 [19] [in] */ $__MIDL_0105 ) { } /* DISPID=6 */ /* VT_BOOL [11] */ function ObtainMutex( /* VT_UI4 [19] [in] */ $__MIDL_0106 ) { } /* DISPID=7 */ /* VT_BOOL [11] */ function WaitOnMutex( /* VT_UI4 [19] [in] */ $__MIDL_0108, /* VT_INT [22] [in] */ $__MIDL_0109 ) { } /* DISPID=8 */ function CloseEvent( /* VT_UI4 [19] [in] */ $__MIDL_0111 ) { } /* DISPID=9 */ function FireEvent( /* VT_UI4 [19] [in] */ $__MIDL_0112 ) { } /* DISPID=10 */ /* VT_UI4 [19] */ function CreateNamedEvent( /* VT_BSTR [8] [in] */ $__MIDL_0113 ) { } /* DISPID=11 */ /* VT_UI4 [19] */ function ExitCode( ) { } /* DISPID=12 */ function CreateVistaTaskLow( /* VT_BSTR [8] [in] */ $bstrExecutablePath, /* VT_BSTR [8] [in] */ $bstrArguments, /* VT_BSTR [8] [in] */ $workDir ) { } /* DISPID=13 */ /* VT_BOOL [11] */ function ExecLow( /* VT_BSTR [8] [in] */ $__MIDL_0116, /* VT_BSTR [8] [in] */ $cmdline, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workDir ) { } /* DISPID=14 */ function ShellExec( /* VT_BSTR [8] [in] */ $__MIDL_0117 ) { } /* DISPID=15 */ function Sleep( /* VT_UI4 [19] [in] */ $__MIDL_0118 ) { }}binary info:>lm -vm Image path: C:/Program Files/RealArcade/Installer/bin/InstallerDlg.dll Image name: InstallerDlg.dll Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04) CheckSum: 00000000 ImageSize: 00064000 File version: 2.6.0.445 Product version: 2.6.0.445 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 ProductName: InstallerDlg Module InternalName: InstallerDlg OriginalFilename: InstallerDlg.dll ProductVersion: 2.6.0.445 FileVersion: 2.6.0.445 FileDescription: InstallerDlg Module LegalCopyright: Copyright 2010poc: pocs availiable here: http://retrogod.altervista.org/9sg_realgames_ii.html http://www.exploit-db.com/sploits/9sg_StubbyUtil.ProcessMgr.1.zip