Baidu Soba Remote Code Execute Vulnerability(FGA-2007-10)

hi full-disclosure,

Baidu Soba Remote Code Execute Vulnerability

by cocoruder of Fortinet Security Research Team http://ruder.cdut.net

Summary:

    Baidu Soba is a popular browser toolbar which developed by Baidu, a Chinese web search engine company, like Google, more informations can be found at:

    http://www.baidu.com
    http://bar.baidu.com/sobar/promotion.html

    There exists a remote code execute vulnerability in Baidu Soba's ActiveX Control "BaiduBar.dll". A remote attacker who successfully exploit these vulnerabilities can completely take control of the affected system.

Affected Software Versions:

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

    Baidu Soba 5.4(Version of "BaiduBar.dll" is 2.0.2.144)

Details:         

    This vulnerability exist in the function "DloadDS()" educed by "BaiduBar.dll", following are some related imformations:

    InprocServer32:	C:\Program Files\baidu\bar\BaiduBar.dll
    ClassID	  : 	A7F05EE4-0426-454F-8013-C41E3596E9E9

    [id(0x0000001d), helpstring("method DloadDS")]     void DloadDS(

                [in] BSTR bstrUrl, 
                [in] BSTR bstrName, 
                [in] long lShow);

    When we set the parameter "bstrUrl" as a CAB file which can be download via "http" protocol, "DloadDS()" will try to download this file to Windows Internet Explorer temporary directory and try to execute the file named as parameter "bstrName", the key code as follows:

.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
.text:1006F411 push eax ; lpStartupInfo
.text:1006F412 push esi ; lpCurrentDirectory
.text:1006F413 push esi ; lpEnvironment
.text:1006F414 push esi ; dwCreationFlags
.text:1006F415 push esi ; bInheritHandles
.text:1006F416 push esi ; lpThreadAttributes
.text:1006F417 push esi ; lpProcessAttributes
.text:1006F418 push esi
.text:1006F419 call sub_10004147 ; get the CommandLine
.text:1006F419
.text:1006F41E push eax ; lpCommandLine
.text:1006F41F push esi ; lpApplicationName
.text:1006F420 call ds:CreateProcessA

    As we seen, lpCommandLine point to "C:\DOCUME~1\administrator\LOCALS~1\Temp\calc.exe"£¬Because there is no valid checks, the attacker can build a CAB file which included a trojan or spy program and use the function "DloadDS()" for executing it.

Attached File:

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

    Exploit can be found at the following url, please do not use for attacking.     

    http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html

Solution:

    Baidu said they have fixed this fault, but infact, the product downloaded from "http://bar.baidu.com/sobar/promotion.html" is also affected, we strongly suggest user set a Killbit for this CLSID.

Disclosure Timeline:

    2007.07.19		Vendor notified via email 
    2007.07.19		Vendor responded
    2007.07.23		Vendor noticed me new version is available and they refuse to release an advisory for this vul
    2007.07.24		Vendor say they have not updated the product successfully
    2007.08.01		Vendor noticed me again that new version is available
    2007.08.02		But it looks like they are failed too
    2007.08.02		Advisory released

Disclaimer:

    Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

Fortinet Security Research
secresearch@fortinet.com
http://www.fortinet.com         

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Best Regards,                                  

¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡cocoruder of Fortinet Security Research Team
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡hfli@fortinet.com
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡2007-08-02

• Disclaimer: This message may contain privileged and/or confidential information. If you have received this e-mail in error or are not the intended recipient, you may not use, copy, disseminate or distribute it; do not open any attachments, delete it immediately from your system and notify the sender promptly by e-mail that you have done so. Thank you. ***