Arbitrary file overwrite possible by Musicmatch ActiveX control
Hyperdose Security Advisory
Name: Arbitrary file overwrite in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Author: Robert Fly - robfly@xxxxxxxxxxxxx
Advisory URL: http://www.hyperdose.com/advisories/H2005-03.txt
>From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience." In September 04 Musicmatch was purchased by Yahoo! Inc.
V220.127.116.11 of DiagCollectionControl.dll is an ActiveX control which contains
a Safe for Scripting Interface with a method called StartDiagCollection with
the following definition:
Dispatch Function BOOL StartDiagCollection(BSTR bstrSavePath, BSTR
bstrUserEnteredInfo, BSTR bstrXMLControlFile, USERDEFINED eRequestType,
BOOL bUploadInfo, BOOL bEncryptZipFile ,PTR numJobs )
In this particular vulnerability, an attacker can pass in a malicious value
into bstrSavePath (eg: c:\\boot.ini). Once that method is called, whichever
file is specified will get overwritten. A non-malicious example is at the
If you have the vulnerable ActiveX control, a file, foo.txt will be created
in the c:\exploit directory. Obviously, much worse can be done as there is
no restrictions to what files can be overwritten assuming the user has
access to them. It may be possible to control the data that goes into the
file as well, although I have not yet identified a method for doing this.
With the fix Musicmatch has implemented, DiagCollectionControl.dll no longer
contains any Safe for Scripting or Safe for Initilization interfaces.
Attempting to run the exploit above will no longer work.
As of 3/21/05 Yahoo has released a new versions (9 & 10) which fix this
vulnerability. I have witheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propogate.
Downloads available here:
Security FAQ available here:
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle. We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.