Hyperdose Security Advisory

Name: Arbitrary file overwrite in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo, v9.00.5059 and earlier are also affected)
Severity: Important
Author: Robert Fly - robfly@hyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-03.txt

--MusicMatch Description--

From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find and organize your music, giving you ultimate control of your music experience." In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--

V1.0.0.38 of DiagCollectionControl.dll is an ActiveX control which contains a Safe for Scripting interface with a method called StartDiagCollection, with the following definition:

    Dispatch Function BOOL StartDiagCollection(BSTR bstrSavePath, BSTR bstrUserEnteredInfo, BSTR bstrXMLControlFile, USERDEFINED eRequestType, BOOL bUploadInfo, BOOL bEncryptZipFile, PTR numJobs)

In this particular vulnerability, an attacker can pass a malicious value into bstrSavePath (eg: c:\\boot.ini). Once that method is called, whichever file is specified will get overwritten. A non-malicious example is at the URL below:

http://www.hyperdose.com/exploits/musicmatchFileOverwriteExploit.html

If you have the vulnerable ActiveX control, a file, foo.txt, will be created in the c:\exploit directory. Obviously, much worse can be done, as there are no restrictions on which files can be overwritten, assuming the user has access to them. It may be possible to control the data that goes into the file as well, although I have not yet identified a method for doing this.

With the fix Musicmatch has implemented, DiagCollectionControl.dll no longer contains any Safe for Scripting or Safe for Initialization interfaces. Attempting to run the exploit above will no longer work.

--Fix Information--

As of 3/21/05 Yahoo has released new versions (9 & 10) which fix this vulnerability.
I have withheld vulnerability details until now so that MusicMatch automatic updates had a chance to propagate.

Downloads available here: http://www.musicmatch.com/download/free/security.htm
Security FAQ available here: http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--

Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development, ranging from security design and architectural reviews to security code reviews and penetration testing.

web   www.hyperdose.com
email robfly@hyperdose.com
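The fix described under Bug Details removed the control's Safe for Scripting and Safe for Initialization marking, which is what allows web content to instantiate and script a control at all. As an added example (not from the advisory, Musicmatch or Yahoo), the Python script below audits which registered ActiveX controls still carry those category markings without an Internet Explorer kill bit; the CLSIDs in the sample data are placeholders, since the advisory does not give the real control's CLSID.

```python
"""Hypothetical audit helper (not Musicmatch/Yahoo code): list ActiveX controls that web
content can script, i.e. marked Safe for Scripting/Initialization and not kill-bitted."""
import sys

CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"  # well-known IE category GUIDs
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control

def audit(clsids, compat_flags):
    """clsids: {clsid: set(category GUIDs)} from HKCR\\CLSID\\<clsid>\\Implemented Categories;
    compat_flags: {clsid: int} from HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility.
    Caveat: a control asserting safety at run time via IObjectSafety, not by category, is not seen."""
    safe_cats = {CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT}
    return sorted(clsid for clsid, cats in clsids.items()
                  if {c.upper() for c in cats} & safe_cats
                  and not compat_flags.get(clsid.upper(), 0) & KILL_BIT)

def snapshot_from_winreg():
    """Read the live registry on Windows and return (clsids, compat_flags)."""
    import winreg
    def subkeys(key):
        return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
    clsids, flags = {}, {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        for clsid in subkeys(root):
            try:
                with winreg.OpenKey(root, clsid + r"\Implemented Categories") as k:
                    clsids[clsid.upper()] = set(subkeys(k))
            except OSError:  # no Implemented Categories subkey
                clsids[clsid.upper()] = set()
    compat = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, compat) as root:
        for clsid in subkeys(root):
            try:
                with winreg.OpenKey(root, clsid) as k:
                    flags[clsid.upper()] = winreg.QueryValueEx(k, "Compatibility Flags")[0]
            except OSError:  # key present without the value
                pass
    return clsids, flags

# Constructed sample with placeholder CLSIDs; the advisory does not give the real control's CLSID.
SAMPLE_CLSIDS = {
    "{00000000-0000-0000-0000-0000000000A1}": {CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT},  # old DLL
    "{00000000-0000-0000-0000-0000000000A2}": {CATID_SAFE_FOR_SCRIPTING},  # script-safe but kill-bitted
    "{00000000-0000-0000-0000-0000000000A3}": set(),  # fixed DLL: no safe-for-scripting marking
}
SAMPLE_FLAGS = {"{00000000-0000-0000-0000-0000000000A2}": KILL_BIT}

if __name__ == "__main__":
    clsids, flags = snapshot_from_winreg() if sys.platform == "win32" else (SAMPLE_CLSIDS, SAMPLE_FLAGS)
    print(*audit(clsids, flags), sep="\n")  # CLSIDs scriptable from web content and not kill-bitted
```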