SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Musicmatch Jukebox
Vendors:   Musicmatch
Musicmatch Jukebox Lets Local Users Gain Elevated Privileges and Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013718
SecurityTracker URL:  http://securitytracker.com/id/1013718
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 15 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 10.00.2047 and prior versions
Description:   Two vulnerabilities were reported in Musicmatch Jukebox. A local user can gain elevated privileges. A remote user can also conduct cross-site scripting attacks.

'MMFWLaunch.exe' does not properly quote path data before calling the CreateProcess() function. A local user can exploit this flaw to cause the application to execute an alternate file on the target system with the privileges of the target user.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Musicmatch site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The installer adds '*.musicmatch.com' to the Internet Explorer Trusted Sites zone. As a result, the scripting code may run with higher privileges.

Robert Fly from Hyperdose Security reported this vulnerability.

The original advisories are available at:

http://www.hyperdose.com/advisories/H2005-04.txt
http://www.hyperdose.com/advisories/H2005-05.txt

Impact:   A local user can gain elevated privileges.

A remote user can also conduct cross-site scripting attacks.

Solution:   The vendor has released a fixed version, available at:

http://www.musicmatch.com/download/free/security.htm

Vendor URL:  www.musicmatch.com/info/user_guide/faq/security_updates.htm
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Trojan file issue in Musicmatch software


Hyperdose Security Advisory

Name: Arbitrary file overwrite in Musicmatch 
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Severity: Moderate
Author: Robert Fly - robfly@hyperdose.com 
Advisory URL: http://www.hyperdose.com/advisories/H2005-05.txt

--MusicMatch Description--
From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience."  In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--
CreateProcess has known issues with launching files.  For example, when
making a call like:
CreateProcess(NULL, "C:\Program Files\app\launch.exe", ...)

The API will first look for c:\program.exe, instead of what most would
expect (to open launch.exe).  To fix, the path must be quoted.

More details can be found here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/appsec.asp

MMFWLaunch.exe versions earlier than 10.00.2047 contain this vulnerability.
To reproduce, create a file on your root drive called program.exe.  Then
launch MMFWLaunch.exe (located under c:\program files\musicmatch\Musicmatch
Jukebox\), on vulnerable versions you should see that program launched
several times instead of the actual MMFWLaunch.  Through normal means, you
can come across this by navigating to File->Create CD From Current Playlist
in the core Musicmatch UI.

Although not possible on WinXP, previous versions of Windows had looser ACLs
on the root drive, meaning an attacker using a shared computer could get
their victim to run their code instead of launching this Musicmatch file by
taking advantage of this vulnerability.

Musicmatch has now fixed this vulnerability by quoting the path passed into
the CreateProcess API.

--Fix Information--
As of 3/21/05 Yahoo has released a new version which fixes this
vulnerability.  I have withheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propagate.
Downloads available here:
http://www.musicmatch.com/download/free/security.htm
Security FAQ available here:
http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@hyperdose.com
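
Added example, not part of the Hyperdose advisory or Musicmatch's code: a portable C model of the documented CreateProcess search order, usable to audit a command-line string for the ambiguity described under "Bug Details". The function names and the sample strings are assumptions made for this illustration; the model lists the candidates in the order they are tried and does not touch the file system.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAND 8
#define MAX_LEN  260

/* Store one candidate; ".exe" is appended when the last path component
   has no extension (modelled on the documented CreateProcess behaviour). */
static void add_candidate(char out[][MAX_LEN], int *n, const char *s, size_t len)
{
    if (*n >= MAX_CAND || len + 5 > MAX_LEN) return;
    memcpy(out[*n], s, len);
    out[*n][len] = '\0';
    const char *base = strrchr(out[*n], '\\');
    base = base ? base + 1 : out[*n];
    if (!strchr(base, '.')) strcat(out[*n], ".exe");
    (*n)++;
}

/* List, in order, the image paths tried for `cmdline` when lpApplicationName
   is NULL. A quoted first token yields exactly one candidate; an unquoted
   one is re-tried at every space. Returns the number of candidates. */
int image_candidates(const char *cmdline, char out[][MAX_LEN])
{
    int n = 0;
    if (cmdline[0] == '"') {
        const char *end = strchr(cmdline + 1, '"');
        if (end) add_candidate(out, &n, cmdline + 1, (size_t)(end - cmdline - 1));
        return n;
    }
    for (const char *p = cmdline; ; p++) {
        if ((*p == ' ' || *p == '\0') && p > cmdline && p[-1] != ' ')
            add_candidate(out, &n, cmdline, (size_t)(p - cmdline));
        if (*p == '\0') break;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the advisory's example path, unquoted and quoted. */
    const char *samples[] = { "C:\\Program Files\\app\\launch.exe",
                              "\"C:\\Program Files\\app\\launch.exe\"" };
    char c[MAX_CAND][MAX_LEN];
    for (int i = 0; i < 2; i++) {
        int n = image_candidates(samples[i], c);
        printf("%s -> %d candidate(s)\n", samples[i], n);
        for (int j = 0; j < n; j++) printf("  %d. %s\n", j + 1, c[j]);
    }
}
```

A command line that yields more than one candidate should be quoted, or the image should be passed explicitly through lpApplicationName.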



 
 



Copyright 2022, SecurityGlobal.net LLC