RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Command Execution and Code Execution Vulnerabilities tested against Internet Explorer 9, Vista SP2 download url: http://www.gamehouse.com/ background: When choosing to play one of these online games, e.g. the game called "My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ), you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe This setup program installs an ActiveX control with the following settings: CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B} Progid: StubbyUtil.ShellCtl.1 Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll Safe For Initialization (Registry): True Safe For Scripting (Registry): True This control is marked safe for scripting and safe for initialization in the registry, so Internet Explorer will allow it to be scripted from a remote web page. vulnerability: This control has four methods implemented insecurely: ShellExec() -> allows launching arbitrary commands ShellExecRunAs() -> allows launching arbitrary commands CreateShortcut() -> allows creating arbitrary executable files inside the automatic startup folders CopyDocument() -> allows copying arbitrary executable files from a remote network share to local folders, e.g. the automatic startup folders Other attacks are possible, including information disclosure and file deletion; see the typelib: class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */ /* DISPID=1610612736 */ function QueryInterface( /* VT_PTR [26] [in] --> ?
[29] */ &$riid, /* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj ) { } /* DISPID=1610612737 */ /* VT_UI4 [19] */ function AddRef( ) { } /* DISPID=1610612738 */ /* VT_UI4 [19] */ function Release( ) { } /* DISPID=1610678272 */ function GetTypeInfoCount( /* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo ) { } /* DISPID=1610678273 */ function GetTypeInfo( /* VT_UINT [23] [in] */ $itinfo, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo ) { } /* DISPID=1610678274 */ function GetIDsOfNames( /* VT_PTR [26] [in] --> ? [29] */ &$riid, /* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames, /* VT_UINT [23] [in] */ $cNames, /* VT_UI4 [19] [in] */ $lcid, /* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid ) { } /* DISPID=1610678275 */ function Invoke( /* VT_I4 [3] [in] */ $dispidMember, /* VT_PTR [26] [in] --> ? [29] */ &$riid, /* VT_UI4 [19] [in] */ $lcid, /* VT_UI2 [18] [in] */ $wFlags, /* VT_PTR [26] [in] --> ? [29] */ &$pdispparams, /* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult, /* VT_PTR [26] [out] --> ? 
[29] */ &$pexcepinfo, /* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr ) { } /* DISPID=1 */ function CreateShortcut( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir, /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args ) { /* method CreateShortcut */ } /* DISPID=2 */ function DeleteShortcut( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name ) { /* method DeleteShortcut */ } /* DISPID=3 */ /* VT_BSTR [8] */ function ModuleFileName( ) { /* method ModuleFileName */ } /* DISPID=4 */ /* VT_BSTR [8] */ function GetSpecialFolder( /* VT_UI4 [19] [in] */ $__MIDL_0025 ) { /* method GetSpecialFolder */ } /* DISPID=5 */ /* VT_BOOL [11] */ function CheckWnd( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026 ) { /* method CheckWnd */ } /* DISPID=6 */ /* VT_BSTR [8] */ function ExistingTPS( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028 ) { /* method ExistingTPS */ } /* DISPID=7 */ function SetWorkingDir( /* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030 ) { /* method SetWorkingDir */ } /* DISPID=8 */ /* VT_BSTR [8] */ function GetWorkingDir( ) { /* method GetWorkingDir */ } /* DISPID=9 */ /* VT_R8 [5] */ function OSVersion( ) { /* method OSVersion */ } /* DISPID=10 */ /* VT_BSTR [8] */ function GetSystemID( ) { /* method GetSystemID */ } /* DISPID=11 */ function InstallFromCD( /* VT_BSTR [8] [in] */ $GameID, /* VT_BSTR [8] [in] */ $GameName, /* VT_BSTR [8] [in] */ $Tps, /* VT_BSTR [8] [in] */ $GameLang, /* VT_BSTR [8] [in] */ $CDPath, /* VT_BSTR [8] [in] */ $StoreFront ) { /* method InstallFromCD */ } /* DISPID=12 */ /* VT_UI4 [19] */ function KillProcess( /* VT_BSTR [8] [in] */ $__MIDL_0033 ) { /* method KillProcess */ } /* DISPID=13 */ function RefreshAddRemovePrograms( ) { /* method RefreshAddRemovePrograms */ } /* DISPID=14 */ function ShellExec( /* VT_BSTR [8] [in] */ $FilePath, /* VT_BSTR [8] [in] */ $Params ) { /* method 
ShellExec */ } /* DISPID=15 */ function ShellExecRunAs( /* VT_BSTR [8] [in] */ $FilePath, /* VT_BSTR [8] [in] */ $Params ) { /* method ShellExecRunAs */ } /* DISPID=16 */ /* VT_BSTR [8] */ function PlatformInfo( ) { /* method PlatformInfo */ } /* DISPID=17 */ /* VT_BSTR [8] */ function GetAvailableDrive( /* VT_INT [22] [in] */ $reqSpace ) { /* method GetAvailableDrive */ } /* DISPID=18 */ /* VT_BOOL [11] */ function InitializeStamp( /* VT_BSTR [8] [in] */ $exeName, /* VT_INT [22] [in] */ $offset ) { /* method InitializeStamp */ } /* DISPID=19 */ /* VT_BSTR [8] */ function GetContentID( ) { /* method GetContentID */ } /* DISPID=20 */ /* VT_BSTR [8] */ function GetTrackingID( ) { /* method GetTrackingID */ } /* DISPID=21 */ /* VT_BSTR [8] */ function GetAffiliate( ) { /* method GetAffiliate */ } /* DISPID=22 */ /* VT_BSTR [8] */ function GetCurrency( ) { /* method GetCurrency */ } /* DISPID=23 */ /* VT_BSTR [8] */ function GetPrice( ) { /* method GetPrice */ } /* DISPID=24 */ /* VT_BSTR [8] */ function GetTimestamp( ) { /* method GetTimestamp */ } /* DISPID=25 */ /* VT_BSTR [8] */ function GetOTP( ) { /* method GetOTP */ } /* DISPID=26 */ /* VT_BOOL [11] */ function CopyDocument( /* VT_BSTR [8] [in] */ $src, /* VT_BSTR [8] [in] */ $dest ) { /* method CopyDocument */ } /* DISPID=27 */ function InstallerToForeground( ) { /* method InstallerToForeground */ } /* DISPID=28 */ function MonitorLicenseFolder( ) { /* method MonitorLicenseFolder */ } /* DISPID=29 */ function ShutdownLicenseFolderMonitor( ) { /* method ShutdownLicenseFolderMonitor */ } /* DISPID=30 */ /* VT_BSTR [8] */ function GetFolderPath( /* VT_UI4 [19] [in] */ $__MIDL_0037 ) { /* method GetFolderPath */ } } binary info: >lm -vm Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll Image name: InstallerDlg.dll Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04) CheckSum: 00000000 ImageSize: 00064000 File version: 2.6.0.445 Product version: 2.6.0.445 File flags: 0 (Mask 3F) File OS: 4 Unknown 
Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 ProductName: InstallerDlg Module InternalName: InstallerDlg OriginalFilename: InstallerDlg.dll ProductVersion: 2.6.0.445 FileVersion: 2.6.0.445 FileDescription: InstallerDlg Module LegalCopyright: Copyright 2010 PoC: proof-of-concept code is available here: http://retrogod.altervista.org/9sg_realgames_i.html http://www.exploit-db.com/sploits/9sg_StubbyUtil.ShellCtl.1.zip