vendor: RealGames
by:
CVSS: 7.5 (HIGH)
Remote Command Execution
CWE: 78
Product Name: RealGames
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:realnetworks:realgames
Metasploit:
Other Scripts:
Platforms Tested: Internet Explorer 9, Vista SP2

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control Multiple Remote Commands Execution Vulnerabilities

The RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) is vulnerable to multiple remote command execution vulnerabilities. The control has four insecurely implemented methods: CreateVistaTaskLow(), Exec(), ExecLow(), and ShellExec(). These vulnerabilities can allow an attacker to launch arbitrary commands and execute arbitrary executables.

Mitigation:

To mitigate these vulnerabilities, it is recommended to disable the affected ActiveX control or remove it from the system. Additionally, users should exercise caution when downloading and running programs from untrusted sources.

Exploit-DB raw data:

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
Vulnerabilities

Tested against Internet Explorer 9, Vista SP2

download url: http://www.gamehouse.com/

background:

When you choose to play one of these online games, e.g. the game called
"My Farm Life" (see url: http://www.gamehouse.com/download-games/my-farm-life ),
you download an installer called GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is marked safe for scripting and safe for initialization,
so Internet Explorer will allow remote web pages to script it.
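
Added example, not part of the original advisory: a PowerShell sketch of the recommended mitigation (disabling the control) that also reports the safe-for-scripting/initialization registration described above. It uses the CLSID listed above and the standard Windows CATIDs and Internet Explorer kill-bit flag (0x400); the function names are hypothetical and an elevated prompt is assumed.

```powershell
# Added example (not from the advisory). Run from an elevated prompt.
# CLSID comes from the advisory; function names are hypothetical.
$Clsid        = '{5818813E-D53D-47A5-ABBB-37E2A07056B5}'
$CatScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4B22}'  # CATID_SafeForScripting
$CatInit      = '{7DD95802-9882-11CF-9FA9-00AA006C4B22}'  # CATID_SafeForInitializing
$KillBit      = 0x400                                     # IE kill bit (do not load)
$FlagName     = 'Compatibility Flags'
# Native and 32-bit (WOW64) registry views; the DLL installs under Program Files.
$Views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'

function Get-CompatPath($Root) { "$Root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid" }

function Get-KillBitState($Root) {
    $p = Get-ItemProperty -LiteralPath (Get-CompatPath $Root) -Name $FlagName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$FlagName
}

# Report registration, safety categories and kill-bit state per registry view.
# Registry categories only: a control can also claim safety via IObjectSafety.
function Get-ControlExposure {
    foreach ($root in $Views) {
        $cls = "$root\Classes\CLSID\$Clsid"
        if (-not (Test-Path -LiteralPath $cls)) { continue }
        $srv = Get-ItemProperty -LiteralPath "$cls\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            View             = $root
            Server           = if ($srv) { $srv.'(default)' } else { $null }
            SafeForScripting = Test-Path -LiteralPath "$cls\Implemented Categories\$CatScripting"
            SafeForInit      = Test-Path -LiteralPath "$cls\Implemented Categories\$CatInit"
            KillBitSet       = [bool]((Get-KillBitState $root) -band $KillBit)
        }
    }
}

# Set the kill bit in every view that exists, preserving other flag bits.
function Set-ControlKillBit {
    foreach ($root in $Views) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $path = Get-CompatPath $root
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        $value = (Get-KillBitState $root) -bor $KillBit
        Set-ItemProperty -LiteralPath $path -Name $FlagName -Type DWord -Value $value
    }
}

Get-ControlExposure | Format-Table -AutoSize   # state before
Set-ControlKillBit
Get-ControlExposure | Format-Table -AutoSize   # KillBitSet should now be True
```

The kill bit only stops Internet Explorer from instantiating the control; uninstalling the RealArcade installer component removes the DLL itself.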

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow()      -> allows launching arbitrary commands
Exec()                    -> allows launching arbitrary commands
ExecLow()                 -> allows launching arbitrary commands
ShellExec()               -> allows launching arbitrary executables

Other attacks are possible;
see the typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
	/* DISPID=1610612736 */
	function QueryInterface(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$ppvObj 
		)
	{
	}
	/* DISPID=1610612737 */
	/* VT_UI4 [19] */
	function AddRef(
		)
	{
	}
	/* DISPID=1610612738 */
	/* VT_UI4 [19] */
	function Release(
		)
	{
	}
	/* DISPID=1610678272 */
	function GetTypeInfoCount(
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$pctinfo 
		)
	{
	}
	/* DISPID=1610678273 */
	function GetTypeInfo(
		/* VT_UINT [23] [in] */ $itinfo,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_PTR [26]  */ &$pptinfo 
		)
	{
	}
	/* DISPID=1610678274 */
	function GetIDsOfNames(
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_PTR [26] [in] --> VT_PTR [26]  */ &$rgszNames,
		/* VT_UINT [23] [in] */ $cNames,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_PTR [26] [out] --> VT_I4 [3]  */ &$rgdispid 
		)
	{
	}
	/* DISPID=1610678275 */
	function Invoke(
		/* VT_I4 [3] [in] */ $dispidMember,
		/* VT_PTR [26] [in] --> ? [29]  */ &$riid,
		/* VT_UI4 [19] [in] */ $lcid,
		/* VT_UI2 [18] [in] */ $wFlags,
		/* VT_PTR [26] [in] --> ? [29]  */ &$pdispparams,
		/* VT_PTR [26] [out] --> VT_VARIANT [12]  */ &$pvarResult,
		/* VT_PTR [26] [out] --> ? [29]  */ &$pexcepinfo,
		/* VT_PTR [26] [out] --> VT_UINT [23]  */ &$puArgErr 
		)
	{
	}
	/* DISPID=1 */
	/* VT_BOOL [11] */
	function Exec(
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$mod,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$cmdline,
		/* VT_BOOL [11] [in] */ $__MIDL_0097,
		/* VT_BOOL [11] [in] */ $__MIDL_0098,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$__MIDL_0099 
		)
	{
		/* method Exec */
	}
	/* DISPID=2 */
	/* VT_BOOL [11] */
	function IsFinished(
		)
	{
	}
	/* DISPID=3 */
	/* VT_UI4 [19] */
	function CreateNamedMutex(
		/* VT_BSTR [8] [in] */ $__MIDL_0102 
		)
	{
	}
	/* DISPID=4 */
	function ReleaseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0104 
		)
	{
	}
	/* DISPID=5 */
	function CloseMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0105 
		)
	{
	}
	/* DISPID=6 */
	/* VT_BOOL [11] */
	function ObtainMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0106 
		)
	{
	}
	/* DISPID=7 */
	/* VT_BOOL [11] */
	function WaitOnMutex(
		/* VT_UI4 [19] [in] */ $__MIDL_0108,
		/* VT_INT [22] [in] */ $__MIDL_0109 
		)
	{
	}
	/* DISPID=8 */
	function CloseEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0111 
		)
	{
	}
	/* DISPID=9 */
	function FireEvent(
		/* VT_UI4 [19] [in] */ $__MIDL_0112 
		)
	{
	}
	/* DISPID=10 */
	/* VT_UI4 [19] */
	function CreateNamedEvent(
		/* VT_BSTR [8] [in] */ $__MIDL_0113 
		)
	{
	}
	/* DISPID=11 */
	/* VT_UI4 [19] */
	function ExitCode(
		)
	{
	}
	/* DISPID=12 */
	function CreateVistaTaskLow(
		/* VT_BSTR [8] [in] */ $bstrExecutablePath,
		/* VT_BSTR [8] [in] */ $bstrArguments,
		/* VT_BSTR [8] [in] */ $workDir 
		)
	{
	}
	/* DISPID=13 */
	/* VT_BOOL [11] */
	function ExecLow(
		/* VT_BSTR [8] [in] */ $__MIDL_0116,
		/* VT_BSTR [8] [in] */ $cmdline,
		/* VT_PTR [26] [in] --> VT_BSTR [8]  */ &$workDir 
		)
	{
	}
	/* DISPID=14 */
	function ShellExec(
		/* VT_BSTR [8] [in] */ $__MIDL_0117 
		)
	{
	}
	/* DISPID=15 */
	function Sleep(
		/* VT_UI4 [19] [in] */ $__MIDL_0118 
		)
	{
	}
}


binary info:
>lm -vm
    Image path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
    Image name: InstallerDlg.dll
    Timestamp:        Mon Mar 14 14:22:44 2011 (4D7E6B04)
    CheckSum:         00000000
    ImageSize:        00064000
    File version:     2.6.0.445
    Product version:  2.6.0.445
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    ProductName:      InstallerDlg Module
    InternalName:     InstallerDlg
    OriginalFilename: InstallerDlg.dll
    ProductVersion:   2.6.0.445
    FileVersion:      2.6.0.445
    FileDescription:  InstallerDlg Module
    LegalCopyright:   Copyright 2010

poc: 
pocs available here: http://retrogod.altervista.org/9sg_realgames_ii.html
                      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35560-2.zip (9sg_StubbyUtil.ProcessMgr.1.zip)