RealNetworks RealGames ActiveX Command Execution (May 27, 2011)
RealNetworks operates a digital games service that includes downloadable and online games and subscription services. RealNetworks RealGames provides games for PC, mobile and social networks. RealGames owns multiple gaming brands such as RealArcade, Zylom, Gamehouse, among others. My Farm Life is one of the games that RealGames Gamehouse provides. During installation or My Farm Life, an ActiveX control, StubbyUtil, is installed and registered safe for scripting. The associated ClassID for this control is “5818813ed53d-47a5-abbb-37e2a07056b5”.
The control can be instantiated via a web page as in the following example:
The object exposes several methods such as CreateVistaTaskLow, Exec, ExecLow and ShellExec. The methods’ prototypes are shown:
void CreateVistaTaskLow(BSTR ExecutablePath, BSTR Arguments, SystemString workDir) Boolean Exec(SystemString mod, SystemString cmdline, System boolan _MID_0098,System boolan _MID_0099 ) Boolean ExecLow(SystemString _MIDL_0117, SystemString cmdline, SystemString workDir) void ShellExec(SystemString _MIDL_0118)
A command injection vulnerability exists in the StubbyUtil ActiveX control included within the My Farm Life application. The vulnerability is due to a design flaw in this control which allows scripting of several privileged methods. These methods are intended to be accessible only to authenticated users with sufficient privileges, but no access controls or restrictions are implemented in the ActiveX control. A remote attacker can inject and execute arbitrary Windows shell commands and binary executables on the client machine by passing the executable commands as arguments to the affected methods.
Remote unauthenticated attackers can exploit this vulnerability by enticing target users to open a specially crafted web page.
Successful exploitation of this flaw allows arbitrary command injection and execution with the privileges of the currently logged in user.
SonicWall has released several IPS signatures to address this threat. The following signatures have been released:
- 6640 – RealNetworks RealGames ActiveX ShellExec Method Invocation
- 6641 – Suspicious JavaScript Code 1
- 6642 – Suspicious JavaScript Code 2
In addition to the signatures released to specifically address this vulnerability, SonicWall has existing generic IPS signatures that detect and block suspicious shellcode that is often used to exploit flaws such as this one.