[NT] CNet CatchUp Arbitrary Code Execution

From: support@securiteam.com
Date: 02/24/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 24 Feb 2002 23:27:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  CNet CatchUp Arbitrary Code Execution
------------------------------------------------------------------------

SUMMARY

CNet <http://catchup.cnet.com/> CatchUp is a generic file scanner
application aimed at detecting old versions of installed applications, and
as a side-line, viruses, Trojans and spyware. It is controlled by .RVP
files that specify what filenames to look for, checksums, and so on. RVP
files execute immediately on being encountered, unless the user sets the
option to wait before beginning a scan. There is no authentication
mechanism - anyone can make his or her own .RVP file to scan the local
machine.

The results are presented in a report HTML page, a template of which is
included in the RVP file. The page is saved under a filename included in
the RVP file. (Only the leaf name is used - the report is always saved in
a user-specified directory.) When CatchUp has finished scanning, it opens
the report file by passing a DDE message to any web browsers open.

DETAILS

Vulnerable systems:
CNet CatchUp version 1.3.0 and prior

Immune systems:
CNet CatchUp version 1.3.1

The main problem is that the filename need not end in '.html'. It is
possible for an attacker to construct an RVP file that will create any
file, for example .BAT or .VBS, and deliver it to the user through the web
or e-mail. When the scan completes - or straight away, if the RVP
specifies no scanning commands - the malicious file will be opened. If a
DDE-compliant web browser window is open while the program is executed, it
should prompt the user to save or open the file as usual. If, however, no
browser is open, Windows will execute the file without further
confirmation, allowing the attacker to run arbitrary code.
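As an added illustration (not CatchUp's own code; the function names and the allow-list policy are assumptions), this contrasts the permissive behaviour the advisory describes, where only the leaf name of the attacker-supplied report filename is kept, with the check the vendor fix implies: the name must carry an HTML extension before the report is written and opened.

```python
import re
from pathlib import PureWindowsPath

# Hypothetical policy: only these extensions may reach the "open the report" step.
ALLOWED_EXTENSIONS = {".html", ".htm"}
DEFAULT_REPORT_NAME = "catchup-report.html"

# Characters invalid in Windows file names, or that turn the name into
# something other than a plain file (':' also selects an NTFS stream).
_BAD_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def leaf_name(name: str) -> str:
    """Last path component, treating both '\\' and '/' as separators."""
    return PureWindowsPath(name).name


def vulnerable_report_name(requested: str) -> str:
    """The pre-1.3.1 behaviour described in the advisory: the directory part
    is discarded, but any extension (.bat, .vbs, ...) is accepted as-is."""
    return leaf_name(requested)


def safe_report_name(requested: str) -> str:
    """Validate a report filename taken from an untrusted .RVP file.

    Returns the leaf name only if it has an allow-listed extension and no
    dangerous characters; otherwise falls back to DEFAULT_REPORT_NAME so the
    report can never be written with an executable extension.
    """
    leaf = leaf_name(requested).strip()
    # Windows drops trailing dots and spaces when creating files, so
    # "evil.bat." becomes "evil.bat"; normalise before checking the extension.
    leaf = leaf.rstrip(". ")
    if not leaf or _BAD_CHARS.search(leaf):
        return DEFAULT_REPORT_NAME
    if PureWindowsPath(leaf).suffix.lower() not in ALLOWED_EXTENSIONS:
        return DEFAULT_REPORT_NAME
    return leaf
```

The same allow-list check applies to any application that lets untrusted input choose the name of a file it will later hand to the shell for opening.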

Vendor response:
CNet has released version 1.3.1 of CatchUp to fix this bug. Users of
previous versions are advised to download the new version from
http://catchup.cnet.com/.

Issue:
Creating an HTML file in the local file system has well-known security
risks. The 'My Computer' zone generally has security set at a much more
relaxed level than the 'Internet' zone. Active scripting will also execute
in the security context of the local file system, allowing
browser-parseable files to be read and sent to an attacker through an
iframes-and-innerHTML hack.

Vendor response:
Avoiding saving reports in HTML to local storage would require a
significant change in CatchUp's architecture. This will be addressed in
the next major revision of the software, but there is no fix for now.

Workaround:
Ensure that CatchUp is only allowed to run from trusted sites. Either turn
on the 'ask for confirmation before scanning' option, or, if you aren't
able to open the options dialogue box to do so without crashing Windows,
go to Folder Options -> File Types -> CatchUp Configuration File (RVP) ->
Edit and turn on 'Confirm open after download'.

ADDITIONAL INFORMATION

The information has been provided by Andrew Clover <and@doxdesk.com>.
