Vulners
Lucene search
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control Multiple Remote Command Execution
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution
and Code Execution Vulnerabilities
tested against Internet Explorer 9, Vista sp2
download url: http://www.gamehouse.com/
background:
When choosing to play with theese online games ex. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe
This setup program installs an ActiveX with the following settings:
CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True
This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.
vulnerability:
This control has four methods implemented insecurely:
ShellExec() -> allows to launch arbitrary commands
ShellExecRunAs() -> allows to launch arbitrary commands
CreateShortcut() -> allows to create arbitrary executable files inside the automatic
startup folders
CopyDocument() -> allows to copy arbitrary executable files from a remote
network share to local folders, ex. automatic startup folders
other attacks are possible including information disclosure and file deletion,
see typelib:
class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$ppvObj
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$pctinfo
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_PTR [26] */ &$pptinfo
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_PTR [26] [in] --> VT_PTR [26] */ &$rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] --> VT_I4 [3] */ &$rgdispid
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] --> ? [29] */ &$riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] --> ? [29] */ &$pdispparams,
/* VT_PTR [26] [out] --> VT_VARIANT [12] */ &$pvarResult,
/* VT_PTR [26] [out] --> ? [29] */ &$pexcepinfo,
/* VT_PTR [26] [out] --> VT_UINT [23] */ &$puArgErr
)
{
}
/* DISPID=1 */
function CreateShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$target,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$icon,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$workingDir,
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$args
)
{
/* method CreateShortcut */
}
/* DISPID=2 */
function DeleteShortcut(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$name
)
{
/* method DeleteShortcut */
}
/* DISPID=3 */
/* VT_BSTR [8] */
function ModuleFileName(
)
{
/* method ModuleFileName */
}
/* DISPID=4 */
/* VT_BSTR [8] */
function GetSpecialFolder(
/* VT_UI4 [19] [in] */ $__MIDL_0025
)
{
/* method GetSpecialFolder */
}
/* DISPID=5 */
/* VT_BOOL [11] */
function CheckWnd(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0026
)
{
/* method CheckWnd */
}
/* DISPID=6 */
/* VT_BSTR [8] */
function ExistingTPS(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0028
)
{
/* method ExistingTPS */
}
/* DISPID=7 */
function SetWorkingDir(
/* VT_PTR [26] [in] --> VT_BSTR [8] */ &$__MIDL_0030
)
{
/* method SetWorkingDir */
}
/* DISPID=8 */
/* VT_BSTR [8] */
function GetWorkingDir(
)
{
/* method GetWorkingDir */
}
/* DISPID=9 */
/* VT_R8 [5] */
function OSVersion(
)
{
/* method OSVersion */
}
/* DISPID=10 */
/* VT_BSTR [8] */
function GetSystemID(
)
{
/* method GetSystemID */
}
/* DISPID=11 */
function InstallFromCD(
/* VT_BSTR [8] [in] */ $GameID,
/* VT_BSTR [8] [in] */ $GameName,
/* VT_BSTR [8] [in] */ $Tps,
/* VT_BSTR [8] [in] */ $GameLang,
/* VT_BSTR [8] [in] */ $CDPath,
/* VT_BSTR [8] [in] */ $StoreFront
)
{
/* method InstallFromCD */
}
/* DISPID=12 */
/* VT_UI4 [19] */
function KillProcess(
/* VT_BSTR [8] [in] */ $__MIDL_0033
)
{
/* method KillProcess */
}
/* DISPID=13 */
function RefreshAddRemovePrograms(
)
{
/* method RefreshAddRemovePrograms */
}
/* DISPID=14 */
function ShellExec(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExec */
}
/* DISPID=15 */
function ShellExecRunAs(
/* VT_BSTR [8] [in] */ $FilePath,
/* VT_BSTR [8] [in] */ $Params
)
{
/* method ShellExecRunAs */
}
/* DISPID=16 */
/* VT_BSTR [8] */
function PlatformInfo(
)
{
/* method PlatformInfo */
}
/* DISPID=17 */
/* VT_BSTR [8] */
function GetAvailableDrive(
/* VT_INT [22] [in] */ $reqSpace
)
{
/* method GetAvailableDrive */
}
/* DISPID=18 */
/* VT_BOOL [11] */
function InitializeStamp(
/* VT_BSTR [8] [in] */ $exeName,
/* VT_INT [22] [in] */ $offset
)
{
/* method InitializeStamp */
}
/* DISPID=19 */
/* VT_BSTR [8] */
function GetContentID(
)
{
/* method GetContentID */
}
/* DISPID=20 */
/* VT_BSTR [8] */
function GetTrackingID(
)
{
/* method GetTrackingID */
}
/* DISPID=21 */
/* VT_BSTR [8] */
function GetAffiliate(
)
{
/* method GetAffiliate */
}
/* DISPID=22 */
/* VT_BSTR [8] */
function GetCurrency(
)
{
/* method GetCurrency */
}
/* DISPID=23 */
/* VT_BSTR [8] */
function GetPrice(
)
{
/* method GetPrice */
}
/* DISPID=24 */
/* VT_BSTR [8] */
function GetTimestamp(
)
{
/* method GetTimestamp */
}
/* DISPID=25 */
/* VT_BSTR [8] */
function GetOTP(
)
{
/* method GetOTP */
}
/* DISPID=26 */
/* VT_BOOL [11] */
function CopyDocument(
/* VT_BSTR [8] [in] */ $src,
/* VT_BSTR [8] [in] */ $dest
)
{
/* method CopyDocument */
}
/* DISPID=27 */
function InstallerToForeground(
)
{
/* method InstallerToForeground */
}
/* DISPID=28 */
function MonitorLicenseFolder(
)
{
/* method MonitorLicenseFolder */
}
/* DISPID=29 */
function ShutdownLicenseFolderMonitor(
)
{
/* method ShutdownLicenseFolderMonitor */
}
/* DISPID=30 */
/* VT_BSTR [8] */
function GetFolderPath(
/* VT_UI4 [19] [in] */ $__MIDL_0037
)
{
/* method GetFolderPath */
}
}
binary info:
>lm -vm
Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Image name: InstallerDlg.dll
Timestamp: Mon Mar 14 14:22:44 2011 (4D7E6B04)
CheckSum: 00000000
ImageSize: 00064000
File version: 2.6.0.445
Product version: 2.6.0.445
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
ProductName: InstallerDlg Module
InternalName: InstallerDlg
OriginalFilename: InstallerDlg.dll
ProductVersion: 2.6.0.445
FileVersion: 2.6.0.445
FileDescription: InstallerDlg Module
LegalCopyright: Copyright 2010
POC:
pocs availiable here: http://retrogod.altervista.org/9sg_realgames_i.html
http://www.exploit-db.com/sploits/9sg_StubbyUtil.ShellCtl.1.zip
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1