
# Title : RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control Multiple Remote Command Execution
# Published : 2011-04-03
# Author : rgod


			
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445)
Multiple Remote Commands Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play these online games, e.g. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX control with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:/Program Files/RealArcade/Installer/bin/InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is marked safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote web pages.

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow()      -> allows launching arbitrary commands
Exec()                    -> allows launching arbitrary commands
ExecLow()                 -> allows launching arbitrary commands
ShellExec()               -> allows launching arbitrary executables

other attacks are possible, see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$pctinfo
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$pptinfo
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]  */ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]  */ &$rgdispid
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]  */ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]  */ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]  */ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$puArgErr
		)
	{
	}
	/* DISPID=1 */
	/* VT_BOOL [11] */
	function Exec(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$mod,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$cmdline,
		/* VT_BOOL [11] [in] */ $__MIDL_0097,
		/* VT_BOOL [11] [in] */ $__MIDL_0098,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0099
		)
	{
		/* method Exec */
	}
	/* DISPID=2 */
	/* VT_BOOL [11] */
	function IsFinished(
		)
	{
	}
	/* DISPID=3 */
	/* VT_UI4 [19] */
	function CreateNamedMutex(
		/* VT_BSTR [8] [in] */ $__MIDL_0102
		)
	{
	}
	/* DISPID=4 */
	function ReleaseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0104
		)
	{
	}
	/* DISPID=5 */
	function CloseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0105
		)
	{
	}
	/* DISPID=6 */
	/* VT_BOOL [11] */
	function ObtainMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0106
		)
	{
	}
	/* DISPID=7 */
	/* VT_BOOL [11] */
	function WaitOnMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0108,
		/* VT_INT [22] [in] */ $__MIDL_0109
		)
	{
	}
	/* DISPID=8 */
	function CloseEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0111
		)
	{
	}
	/* DISPID=9 */
	function FireEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0112
		)
	{
	}
	/* DISPID=10 */
	/* VT_UI4 [19] */
	function CreateNamedEvent(
		/* VT_BSTR [8] [in] */ $__MIDL_0113
		)
	{
	}
	/* DISPID=11 */
	/* VT_UI4 [19] */
	function ExitCode(
		)
	{
	}
	/* DISPID=12 */
	function CreateVistaTaskLow(
		/* VT_BSTR [8] [in] */ $bstrExecutablePath,
		/* VT_BSTR [8] [in] */ $bstrArguments,
		/* VT_BSTR [8] [in] */ $workDir
		)
	{
	}
	/* DISPID=13 */
	/* VT_BOOL [11] */
	function ExecLow(
		/* VT_BSTR [8] [in] */ $__MIDL_0116,
		/* VT_BSTR [8] [in] */ $cmdline,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$workDir
		)
	{
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $__MIDL_0117
		)
	{
	}
	/* DISPID=15 */
	function Sleep(
		/* VT_UI4 [19] [in] */ $__MIDL_0118
		)
	{
	}
}

binary info:

>lm -vm
    Image path: C:/Program Files/RealArcade/Installer/bin/InstallerDlg.dll
    Image name: InstallerDlg.dll
    Timestamp:        Mon Mar 14 14:22:44 2011 (4D7E6B04)
    CheckSum:         00000000
    ImageSize:        00064000
    File version:     2.6.0.445
    Product version:  2.6.0.445
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      InstallerDlg Module
    InternalName:     InstallerDlg
    OriginalFilename: InstallerDlg.dll
    ProductVersion:   2.6.0.445
    FileVersion:      2.6.0.445
    FileDescription:  InstallerDlg Module
    LegalCopyright:   Copyright 2010

poc:

pocs available here: http://retrogod.altervista.org/9sg_realgames_ii.html
                     http://www.exploit-db.com/sploits/9sg_StubbyUtil.ProcessMgr.1.zip