RealNetworks RealGames StubbyUtil.ProcessMgr.1 - ActiveX Control Multiple Remote Command Executions

🗓️ 03 Apr 2011 00:00:00Reported by rgodType
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control Multiple Remote Command Executions vulnerabilit
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow()      -> allows to launch arbitrary commands
Exec()                    -> allows to launch arbitrary commands
ExecLow()                 -> allows to launch arbitrary commands
ShellExec()               -> allows to launch arbitrary executables

other attacks are possible , 
see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj 
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$pctinfo 
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$pptinfo 
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]  */ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]  */ &$rgdispid 
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]  */ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]  */ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]  */ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$puArgErr 
		)
	{
	}
	/* DISPID=1 */
	/* VT_BOOL [11] */
	function Exec(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$mod,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$cmdline,
		/* VT_BOOL [11] [in] */ $__MIDL_0097,
		/* VT_BOOL [11] [in] */ $__MIDL_0098,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0099 
		)
	{
		/* method Exec */
	}
	/* DISPID=2 */
	/* VT_BOOL [11] */
	function IsFinished(
		)
	{
	}
	/* DISPID=3 */
	/* VT_UI4 [19] */
	function CreateNamedMutex(
		/* VT_BSTR [8] [in] */ $__MIDL_0102 
		)
	{
	}
	/* DISPID=4 */
	function ReleaseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0104 
		)
	{
	}
	/* DISPID=5 */
	function CloseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0105 
		)
	{
	}
	/* DISPID=6 */
	/* VT_BOOL [11] */
	function ObtainMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0106 
		)
	{
	}
	/* DISPID=7 */
	/* VT_BOOL [11] */
	function WaitOnMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0108,
		/* VT_INT [22] [in] */ $__MIDL_0109 
		)
	{
	}
	/* DISPID=8 */
	function CloseEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0111 
		)
	{
	}
	/* DISPID=9 */
	function FireEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0112 
		)
	{
	}
	/* DISPID=10 */
	/* VT_UI4 [19] */
	function CreateNamedEvent(
		/* VT_BSTR [8] [in] */ $__MIDL_0113 
		)
	{
	}
	/* DISPID=11 */
	/* VT_UI4 [19] */
	function ExitCode(
		)
	{
	}
	/* DISPID=12 */
	function CreateVistaTaskLow(
		/* VT_BSTR [8] [in] */ $bstrExecutablePath,
		/* VT_BSTR [8] [in] */ $bstrArguments,
		/* VT_BSTR [8] [in] */ $workDir 
		)
	{
	}
	/* DISPID=13 */
	/* VT_BOOL [11] */
	function ExecLow(
		/* VT_BSTR [8] [in] */ $__MIDL_0116,
		/* VT_BSTR [8] [in] */ $cmdline,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$workDir 
		)
	{
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $__MIDL_0117 
		)
	{
	}
	/* DISPID=15 */
	function Sleep(
		/* VT_UI4 [19] [in] */ $__MIDL_0118 
		)
	{
	}
}


binary info:
>lm -vm
    Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
    Image name: InstallerDlg.dll
    Timestamp:        Mon Mar 14 14:22:44 2011 (4D7E6B04)
    CheckSum:         00000000
    ImageSize:        00064000
    File version:     2.6.0.445
    Product version:  2.6.0.445
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      InstallerDlg Module
    InternalName:     InstallerDlg
    OriginalFilename: InstallerDlg.dll
    ProductVersion:   2.6.0.445
    FileVersion:      2.6.0.445
    FileDescription:  InstallerDlg Module
    LegalCopyright:   Copyright 2010

poc: 
pocs availiable here: http://retrogod.altervista.org/9sg_realgames_ii.html
                      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-2.zip (9sg_StubbyUtil.ProcessMgr.1.zip)
03 Apr 2011 00:00Current
7.4High risk
Vulners AI Score7.4