CNet CatchUp arbitrary code execution

2002-02-24T00:00:00
ID SECURITYVULNS:DOC:2539
Type securityvulns
Reporter Securityvulns
Modified 2002-02-24T00:00:00

Description

Affected: Catchup 1.3 Vendor: CNET <http://catchup.cnet.com/> Risk: medium

Background:

CNet CatchUp is a generic file scanner application aimed at detecting old versions of installed applications, and as a side-line, viruses, trojans and spyware. It is controlled by .RVP files which specify what filenames to look for, checksums, and so on. RVP files execute immediately on being encountered, unless the user sets the option to wait before beginning a scan. There is no authentication mechanism - anyone can make their own .RVP file to scan the local machine.

The results are presented in a report HTML page, a template of which is included in the RVP file. The page is saved under a filename included in the RVP file. (Only the leafname is used - the report is always saved in a user-specified directory.) When CatchUp has finished scanning, it opens the report file by passing a DDE message to any web browsers open.

Issue:

The main problem is that the filename need not end in '.html'. It is possible for an attacker to craft an RVP file which will create any file, for example .BAT or .VBS, and deliver it to the user through the web or e-mail. When the scan completes - or straight away, if the RVP specifies no scanning commands - the malicious file will be opened. If a DDE-compliant web browser window is open at the moment it should prompt the user to save or open the file as usual. If, however, no browser is open, Windows will execute the file without further confirmation, allowing the attack to run arbitrary code.

Vendor response:

CNet has released version 1.3.1 of CatchUp to fix this bug. Users of previous versions are advised to download the new version from http://catchup.cnet.com/ .

Issue:

Creating an HTML file in the local filesystem has well-known security risks. The 'My Computer' zone generally has security set at a much more relaxed level than the 'Internet' zone. Active scripting will also execute in the security context of the local filesystem, allowing eg. browser-parsable files to be read and sent to an attacker through an iframes-and- innerHTML hack.

Vendor response:

Avoiding saving reports in HTML to local storage would require a significant change in CatchUp's architecture. This will be addressed in the next major revision of the software, but there is no fix for now.

Workaround:

Ensure that CatchUp is only allowed to run from trusted sites. Either turn on the 'ask for confirmation before scanning' option, or, if like me you aren't able to open the options dialogue box to do so without crashing Windows, go to Folder Options -> File Types -> CatchUp Configation File (RVP) -> Edit and turn on 'Confirm open after download'.

-- Andrew Clover mailto:and@doxdesk.com http://and.doxdesk.com/