RealNetworks RealGames StubbyUtil.ProcessMgr.1 – ActiveX Control Multiple Remote Command Executions - 体验盒子

作者： rgod
日期： 2011-04-03
类别：
remote
平台：
windows
来源：https://www.exploit-db.com/exploits/17105/
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow()-> allows to launch arbitrary commands
Exec()-> allows to launch arbitrary commands
ExecLow() -> allows to launch arbitrary commands
ShellExec() -> allows to launch arbitrary executables

other attacks are possible , 
see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]*/ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]*/ &$ppvObj 
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]*/ &$pctinfo 
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]*/ &$pptinfo 
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]*/ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]*/ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]*/ &$rgdispid 
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]*/ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]*/ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]*/ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]*/ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]*/ &$puArgErr 
		)
	{
	}
	/* DISPID=1 */
	/* VT_BOOL [11] */
	function Exec(
		/* VT_PTR [26] [in] --> VT_BSTR [8]*/ &$mod,
		/* VT_PTR [26] [in] --> VT_BSTR [8]*/ &$cmdline,
		/* VT_BOOL [11] [in] */ $__MIDL_0097,
		/* VT_BOOL [11] [in] */ $__MIDL_0098,
		/* VT_PTR [26] [in] --> VT_BSTR [8]*/ &$__MIDL_0099 
		)
	{
		/* method Exec */
	}
	/* DISPID=2 */
	/* VT_BOOL [11] */
	function IsFinished(
		)
	{
	}
	/* DISPID=3 */
	/* VT_UI4 [19] */
	function CreateNamedMutex(
		/* VT_BSTR [8] [in] */ $__MIDL_0102 
		)
	{
	}
	/* DISPID=4 */
	function ReleaseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0104 
		)
	{
	}
	/* DISPID=5 */
	function CloseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0105 
		)
	{
	}
	/* DISPID=6 */
	/* VT_BOOL [11] */
	function ObtainMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0106 
		)
	{
	}
	/* DISPID=7 */
	/* VT_BOOL [11] */
	function WaitOnMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0108,
		/* VT_INT [22] [in] */ $__MIDL_0109 
		)
	{
	}
	/* DISPID=8 */
	function CloseEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0111 
		)
	{
	}
	/* DISPID=9 */
	function FireEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0112 
		)
	{
	}
	/* DISPID=10 */
	/* VT_UI4 [19] */
	function CreateNamedEvent(
		/* VT_BSTR [8] [in] */ $__MIDL_0113 
		)
	{
	}
	/* DISPID=11 */
	/* VT_UI4 [19] */
	function ExitCode(
		)
	{
	}
	/* DISPID=12 */
	function CreateVistaTaskLow(
		/* VT_BSTR [8] [in] */ $bstrExecutablePath,
		/* VT_BSTR [8] [in] */ $bstrArguments,
		/* VT_BSTR [8] [in] */ $workDir 
		)
	{
	}
	/* DISPID=13 */
	/* VT_BOOL [11] */
	function ExecLow(
		/* VT_BSTR [8] [in] */ $__MIDL_0116,
		/* VT_BSTR [8] [in] */ $cmdline,
		/* VT_PTR [26] [in] --> VT_BSTR [8]*/ &$workDir 
		)
	{
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $__MIDL_0117 
		)
	{
	}
	/* DISPID=15 */
	function Sleep(
		/* VT_UI4 [19] [in] */ $__MIDL_0118 
		)
	{
	}
}


binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp:Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize:00064000
File version: 2.6.0.445
Product version:2.6.0.445
File flags: 0 (Mask 3F)
File OS:4 Unknown Win32
File type:2.0 Dll
File date:00000000.00000000
Translations: 0409.04b0
ProductName:InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion:2.6.0.445
FileDescription:InstallerDlg Module
LegalCopyright: Copyright 2010

poc: 
pocs availiable here: http://retrogod.altervista.org/9sg_realgames_ii.html
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-2.zip (9sg_StubbyUtil.ProcessMgr.1.zip)