
baidu-exec.txt
Posted Aug 8, 2007
Authored by cocoruder | Site ruder.cdut.net

The ActiveX control BaiduBar.dll in Baidu Soba suffers from a remote code execution vulnerability.

tags | advisory, remote, code execution, activex
SHA-256 | 9d91ed039b728626957ad527f1076bc0acd0698b180e56c3a5ec4168d6456cc8

hi full-disclosure,

Baidu Soba Remote Code Execute Vulnerability

by cocoruder of Fortinet Security Research Team
http://ruder.cdut.net


Summary:

Baidu Soba is a popular browser toolbar developed by Baidu, a Chinese web search engine company comparable to Google. More information can be found at:

http://www.baidu.com
http://bar.baidu.com/sobar/promotion.html

There is a remote code execution vulnerability in Baidu Soba's ActiveX control "BaiduBar.dll". A remote attacker who successfully exploits this vulnerability can take complete control of the affected system.


Affected Software Versions:

Baidu Soba 5.4 (the version of "BaiduBar.dll" is 2.0.2.144)



Details:

This vulnerability exists in the function "DloadDS()" exported by "BaiduBar.dll". The following are some related details:

InprocServer32: C:\Program Files\baidu\bar\BaiduBar.dll
ClassID : A7F05EE4-0426-454F-8013-C41E3596E9E9

[id(0x0000001d), helpstring("method DloadDS")]
void DloadDS(
[in] BSTR bstrUrl,
[in] BSTR bstrName,
[in] long lShow);

When the parameter "bstrUrl" is set to a CAB file that can be downloaded over the "http" protocol, "DloadDS()" downloads this file to the Windows Internet Explorer temporary directory and then tries to execute the file named by the parameter "bstrName". The key code is as follows:

.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
.text:1006F411 push eax ; lpStartupInfo
.text:1006F412 push esi ; lpCurrentDirectory
.text:1006F413 push esi ; lpEnvironment
.text:1006F414 push esi ; dwCreationFlags
.text:1006F415 push esi ; bInheritHandles
.text:1006F416 push esi ; lpThreadAttributes
.text:1006F417 push esi ; lpProcessAttributes
.text:1006F418 push esi
.text:1006F419 call sub_10004147 ; get the CommandLine
.text:1006F419
.text:1006F41E push eax ; lpCommandLine
.text:1006F41F push esi ; lpApplicationName
.text:1006F420 call ds:CreateProcessA


As we can see, lpCommandLine points to "C:\DOCUME~1\administrator\LOCALS~1\Temp\calc.exe". Because there are no validity checks on either parameter, an attacker can build a CAB file that includes a trojan or spyware program and use the function "DloadDS()" to execute it.



Attached File:

The exploit can be found at the following URL; please do not use it for attacking.

http://ruder.cdut.net/attach/baidu_soba/baidu_soba_exploit.html



Solution:

Baidu said they have fixed this fault, but in fact the product downloaded from "http://bar.baidu.com/sobar/promotion.html" is still affected. We strongly suggest that users set a kill bit for this CLSID.
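As an added example, not part of cocoruder's advisory, the following PowerShell applies the kill-bit mitigation suggested above and first checks whether the affected build is installed. It uses the CLSID and install path given in the Details section and assumes it is run from an elevated (Administrator) session.

```powershell
# Added example, not from the original advisory: audits a host for the affected
# BaiduBar.dll build and sets the Internet Explorer kill bit for its CLSID, so IE
# refuses to instantiate the control even while the DLL stays on disk.
# Assumptions: default install path from the advisory; run as Administrator.

$Clsid    = '{A7F05EE4-0426-454F-8013-C41E3596E9E9}'
$DllPath  = 'C:\Program Files\baidu\bar\BaiduBar.dll'
$BadBuild = [version]'2.0.2.144'
$KillBit  = 0x400    # kill-bit flag value in "Compatibility Flags"

# 1. Inventory: is the affected build installed?
if (Test-Path $DllPath) {
    $vi  = (Get-Item $DllPath).VersionInfo
    $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    if ($ver -le $BadBuild) { Write-Warning "Affected BaiduBar.dll $ver at $DllPath" }
    else { Write-Host "BaiduBar.dll $ver present (newer than the advisory build)" }
} else {
    Write-Host "BaiduBar.dll not found at $DllPath; setting the kill bit anyway"
}

# 2. Set the kill bit in both the native and (on 64-bit hosts) the WOW6432 view,
#    since a 32-bit IE reads the Wow6432Node copy of the key.
$Keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = 0
    $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['Compatibility Flags']) {
        $flags = [int]$item.'Compatibility Flags'
    }
    # OR in the kill bit so any compatibility flags already present survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord

    # 3. Verify the bit really landed.
    $check = [int](Get-ItemProperty -Path $key).'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) { Write-Host "Kill bit set: $key" }
    else { Write-Warning "Kill bit NOT set: $key" }
}
```

The kill bit only stops Internet Explorer from loading the control; it does not remove the DLL, so the inventory step is still useful for tracking hosts that need the vendor's update.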



Disclosure Timeline:

2007.07.19 Vendor notified via email
2007.07.19 Vendor responded
2007.07.23 Vendor notified me that a new version is available and they refuse to release an advisory for this vulnerability
2007.07.24 Vendor says they have not updated the product successfully
2007.08.01 Vendor notified me again that a new version is available
2007.08.02 But it looks like they failed again
2007.08.02 Advisory released



Disclaimer:

Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
secresearch@fortinet.com
http://www.fortinet.com



Best Regards,


cocoruder of Fortinet Security Research Team
hfli@fortinet.com
2007-08-02

*** Disclaimer: This message may contain privileged and/or confidential information. If you have received this e-mail in error or are not the intended recipient, you may not use, copy, disseminate or distribute it; do not open any attachments, delete it immediately from your system and notify the sender promptly by e-mail that you have done so. Thank you. ***