Hyperdose Security Advisory

Name: Arbitrary file overwrite in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo, v9.00.5059 and earlier are also affected)
Severity: Moderate
Author: Robert Fly - robfly@hyperdose.com
Advisory URL: http://www.hyperdose.com/advisories/H2005-05.txt

--MusicMatch Description--
From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find and organize your music, giving you ultimate control of your music experience." In September 04 Musicmatch was purchased by Yahoo! Inc.

--Bug Details--
CreateProcess has known issues with launching files. For example, when making a call like:

    CreateProcess(NULL, "C:\Program Files\app\launch.exe", ...)

The API will first look for c:\program.exe, instead of what most would expect (to open launch.exe). To fix this, the path must be quoted. More details can be found here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/appsec.asp

MMFWLaunch.exe versions earlier than 10.00.2047 contain this vulnerability. To reproduce, create a file on your root drive called program.exe. Then launch MMFWLaunch.exe (located under c:\program files\musicmatch\Musicmatch Jukebox\). On vulnerable versions you should see that program launched several times instead of the actual MMFWLaunch. Through normal means, you can come across this by navigating to File->Create CD From Current Playlist in the core Musicmatch UI.

Although not possible on WinXP, previous versions of Windows had looser ACLs on the root drive, meaning an attacker using a shared computer could get their victim to run their code instead of launching this Musicmatch file by taking advantage of this vulnerability.

Musicmatch has now fixed this vulnerability by quoting the path passed into the CreateProcess API.

--Fix Information--
As of 3/21/05 Yahoo has released a new version which fixes this vulnerability.
I have withheld vulnerability details until now so that MusicMatch automatic updates had a chance to propagate.

Downloads available here:
http://www.musicmatch.com/download/free/security.htm

Security FAQ available here:
http://www.musicmatch.com/info/user_guide/faq/security_updates.htm

--About Hyperdose--
Hyperdose Security was founded to provide companies with application security knowledge through all parts of an application's security development lifecycle. We specialize in all phases of software development ranging from security design and architectural reviews, security code reviews and penetration testing.

web www.hyperdose.com
email robfly@hyperdose.com
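
The lookup order described under Bug Details, as an added example that is not part of the original advisory or of Musicmatch's code: a simplified, portable C model of which module CreateProcess would try for an unquoted versus a quoted command line, usable to audit command-line strings. The names candidates and is_ambiguous are hypothetical, and the model assumes the documented rule of trying each space-delimited prefix and appending .exe when the name has no extension.

```c
#include <stdio.h>
#include <string.h>
#define MAXC 8    /* candidates kept */
#define MAXP 260  /* path buffer size */
/* Simplified model (assumption) of module lookup when lpApplicationName is
   NULL: a quoted first token is taken whole; an unquoted string is tried at
   each space, left to right, adding ".exe" if the leaf has no extension. */
static int candidates(const char *cmd, char out[MAXC][MAXP])
{
    size_t len = strlen(cmd);
    int n = 0;
    if (cmd[0] == '"') {                 /* quoted: exactly one candidate */
        const char *end = strchr(cmd + 1, '"');
        size_t k = end ? (size_t)(end - cmd - 1) : len - 1;
        if (k >= MAXP) return 0;
        snprintf(out[0], MAXP, "%.*s", (int)k, cmd + 1);
        return 1;
    }
    for (size_t i = 1; i <= len && n < MAXC; i++) {
        if (cmd[i] != ' ' && cmd[i] != '\0') continue;
        if (i + 5 > MAXP) break;         /* room for ".exe" and NUL */
        snprintf(out[n], MAXP, "%.*s", (int)i, cmd);
        const char *leaf = strrchr(out[n], '\\');
        if (!strchr(leaf ? leaf : out[n], '.')) strcat(out[n], ".exe");
        n++;
    }
    return n;
}

/* Audit check: more than one candidate means the call is ambiguous. */
static int is_ambiguous(const char *cmd)
{
    char c[MAXC][MAXP];
    return candidates(cmd, c) > 1;
}

int main(void)
{
    /* Constructed input: the advisory's example path, unquoted then quoted. */
    const char *s[] = { "C:\\Program Files\\app\\launch.exe",
                        "\"C:\\Program Files\\app\\launch.exe\"" };
    char c[MAXC][MAXP];
    for (int j = 0; j < 2; j++) {
        int n = candidates(s[j], c);
        printf("%s: %s\n", s[j], is_ambiguous(s[j]) ? "ambiguous" : "ok");
        for (int i = 0; i < n; i++) printf("  candidate %d: %s\n", i + 1, c[i]);
    }
    return 0;
}
```

Any command line reported as ambiguous should be quoted, or the executable passed separately as lpApplicationName.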