ExploitFixes
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control Multiple Remote Command Execution 2011-04-03 16:15:22

RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
and Code Execution Vulnerabilities

tested against Internet Explorer 9, Windows Vista SP2

download url: http://www.gamehouse.com/

background:

When you choose to play one of these online games, e.g. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

Because this control is marked safe for scripting and safe for initialization,
Internet Explorer will allow it to be instantiated and scripted from a remote
web page without any prompt.
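The two registry flags above are what make the control reachable from a web page, and the standard mitigation until a patched control ships is the Internet Explorer kill bit for its CLSID. The following PowerShell is an added example, not part of the original advisory: it audits how the control is registered (presence, binary path, the safe-for-scripting and safe-for-initialization category keys, kill-bit state) and then sets the kill bit. The function names are this example's own; the CLSID is the one from the advisory, and the category GUIDs and kill-bit value are the documented Windows ones.

```powershell
# Added example (not part of the original advisory). Run from an elevated prompt:
# it reads HKCR and reads/writes the IE "ActiveX Compatibility" key under HKLM.
$clsid = '{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}'   # StubbyUtil.ShellCtl.1 CLSID from the advisory

# COM component categories a control registers to declare itself safe for scripting / initialization
$catSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$catSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

$clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit   = 0x400   # "Compatibility Flags" bit that makes IE refuse to instantiate the control

function Get-ShellCtlStatus {
    $status = [ordered]@{
        Registered       = Test-Path $clsidKey
        BinaryPath       = $null
        SafeForScripting = $false
        SafeForInit      = $false
        KillBitSet       = $false
    }
    if ($status.Registered) {
        # InprocServer32 default value is the DLL path (the advisory's InstallerDlg.dll)
        $status.BinaryPath       = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $status.SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$catSafeForScripting"
        $status.SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$catSafeForInit"
    }
    if (Test-Path $compatKey) {
        $flags = (Get-ItemProperty $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        $status.KillBitSet = ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
    }
    [pscustomobject]$status
}

function Set-ShellCtlKillBit {
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $existing = (Get-ItemProperty $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the kill bit in so any other compatibility flags already present are preserved
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value ($existing -bor $killBit) -Type DWord
}

Get-ShellCtlStatus      # before: expect SafeForScripting/SafeForInit True, KillBitSet False
Set-ShellCtlKillBit
Get-ShellCtlStatus      # after: KillBitSet True; IE will no longer load the control
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set the bit in both locations.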

vulnerability:

This control has four methods implemented insecurely:

ShellExec() -> allows launching arbitrary commands
ShellExecRunAs() -> allows launching arbitrary commands
CreateShortcut() -> allows creating arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows copying arbitrary executable files from a remote
network share to local folders, e.g. the automatic startup folders

other attacks are possible, including information disclosure and file deletion;
see the typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
/* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
/* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
)
{
}
/* DISPID=1 */
function CreateShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args
)
{
/* method CreateShortcut */
}
/* DISPID=2 */
function DeleteShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name
)
{
/* method DeleteShortcut */
}
/* DISPID=3 */
/* VT_BSTR [8] */
function ModuleFileName(
)
{
/* method ModuleFileName */
}
/* DISPID=4 */
/* VT_BSTR [8] */
function GetSpecialFolder(
/* VT_UI4 [19] [in] */ $__MIDL_0025
)
{
/* method GetSpecialFolder */
}
/* DISPID=5 */
/* VT_BOOL [11] */
function CheckWnd(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026
)
{
/* method CheckWnd */
}
/* DISPID=6 */
/* VT_BSTR [8] */
function ExistingTPS(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028
)
{
/* method ExistingTPS */
}
/* DISPID=7 */
function SetWorkingDir(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030
)
{
/* method SetWorkingDir */
}
/* DISPID=8 */
/* VT_BSTR [8] */
function GetWorkingDir(
)
{
/* method GetWorkingDir */
}
/* DISPID=9 */
/* VT_R8 [5] */
function OSVersion(
)
{
/* method OSVersion */
}
/* DISPID=10 */
/* VT_BSTR [8] */
function GetSystemID(
)
{
/* method GetSystemID */
}
/* DISPID=11 */
function InstallFromCD(
/* VT_BSTR [8] [in] */ $GameID,
/* VT_BSTR [8] [in] */ $GameName,
/* VT_BSTR [8] [in] */ $Tps,
/* VT_BSTR [8] [in] */ $GameLang,
/* VT_BSTR [8] [in] */ $CDPath,
/* VT_BSTR [8] [in] */ $StoreFront
)
{
/* method InstallFromCD */
}
/* DISPID=12 */
/* VT_UI4 [19] */
function KillProcess(
/* VT_BSTR [8] [in] */ $__MIDL_0033
)
{
/* method KillProcess */
}
/* DISPID=13 */
function RefreshAddRemovePrograms(
)
{
/* method RefreshAddRemovePrograms */
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExec */
}
/* DISPID=15 */
function ShellExecRunAs(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExecRunAs */
}
/* DISPID=16 */
/* VT_BSTR [8] */
function PlatformInfo(
)
{
/* method PlatformInfo */
}
/* DISPID=17 */
/* VT_BSTR [8] */
function GetAvailableDrive(
/* VT_INT [22] [in] */ $reqSpace
)
{
/* method GetAvailableDrive */
}
/* DISPID=18 */
/* VT_BOOL [11] */
function InitializeStamp(
/* VT_BSTR [8] [in] */ $exeName,
/* VT_INT [22] [in] */ $offset
)
{
/* method InitializeStamp */
}
/* DISPID=19 */
/* VT_BSTR [8] */
function GetContentID(
)
{
/* method GetContentID */
}
/* DISPID=20 */
/* VT_BSTR [8] */
function GetTrackingID(
)
{
/* method GetTrackingID */
}
/* DISPID=21 */
/* VT_BSTR [8] */
function GetAffiliate(
)
{
/* method GetAffiliate */
}
/* DISPID=22 */
/* VT_BSTR [8] */
function GetCurrency(
)
{
/* method GetCurrency */
}
/* DISPID=23 */
/* VT_BSTR [8] */
function GetPrice(
)
{
/* method GetPrice */
}
/* DISPID=24 */
/* VT_BSTR [8] */
function GetTimestamp(
)
{
/* method GetTimestamp */
}
/* DISPID=25 */
/* VT_BSTR [8] */
function GetOTP(
)
{
/* method GetOTP */
}
/* DISPID=26 */
/* VT_BOOL [11] */
function CopyDocument(
/* VT_BSTR [8] [in] */ $src,
/* VT_BSTR [8] [in] */ $dest
)
{
/* method CopyDocument */
}
/* DISPID=27 */
function InstallerToForeground(
)
{
/* method InstallerToForeground */
}
/* DISPID=28 */
function MonitorLicenseFolder(
)
{
/* method MonitorLicenseFolder */
}
/* DISPID=29 */
function ShutdownLicenseFolderMonitor(
)
{
/* method ShutdownLicenseFolderMonitor */
}
/* DISPID=30 */
/* VT_BSTR [8] */
function GetFolderPath(
/* VT_UI4 [19] [in] */ $__MIDL_0037
)
{
/* method GetFolderPath */
}
}

binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010

POC:

pocs available here: http://retrogod.altervista.org/9sg_realgames_i.html
http://www.exploit-db.com/sploits/9sg_StubbyUtil.ShellCtl.1.zip