Hyperdose Security Advisory

Name: Arbitrary file overwrite in Musicmatch 
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Severity: Important
Author: Robert Fly - robfly@hyperdose.com 
Advisory URL: http://www.hyperdose.com/advisories/H2005-03.txt

--MusicMatch Description--
>From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience."  In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--
V1.0.0.38 of DiagCollectionControl.dll is an ActiveX control which contains
a Safe for Scripting Interface with a method called StartDiagCollection with
the following definition:
Dispatch Function BOOL StartDiagCollection(BSTR  bstrSavePath, BSTR
bstrUserEnteredInfo, BSTR  bstrXMLControlFile, USERDEFINED  eRequestType,
BOOL  bUploadInfo, BOOL  bEncryptZipFile ,PTR  numJobs )

In this particular vulnerability, an attacker can pass in a malicious value
into bstrSavePath (eg: c:\\boot.ini).  Once that method is called, whichever
file is specified will get overwritten.  A non-malicious example is at the
URL below:

http://www.hyperdose.com/exploits/musicmatchFileOverwriteExploit.html 

If you have the vulnerable ActiveX control, a file, foo.txt will be created
in the c:\exploit directory.  Obviously, much worse can be done as there is
no restrictions to what files can be overwritten assuming the user has
access to them.  It may be possible to control the data that goes into the
file as well, although I have not yet identified a method for doing this.

With the fix Musicmatch has implemented, DiagCollectionControl.dll no longer
contains any Safe for Scripting or Safe for Initilization interfaces.
Attempting to run the exploit above will no longer work.

--Fix Information--
As of 3/21/05 Yahoo has released a new versions (9 & 10) which fix this
vulnerability.  I have witheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propogate.
Downloads available here:
http://www.musicmatch.com/download/free/security.htm
Security FAQ available here:
http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle.  We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.

web   www.hyperdose.com 
email robfly@hyperdose.com