Bugtraq mailing list archives

CNet CatchUp arbitrary code execution
From: Andrew Clover <and () doxdesk com>
Date: Wed, 20 Feb 2002 10:07:47 +0000

Affected: Catchup 1.3
Vendor: CNET <http://catchup.cnet.com/>
Risk: medium

Background:

CNet CatchUp is a generic file scanner application aimed
at detecting old versions of installed applications, and as a
side-line, viruses, trojans and spyware. It is controlled by
.RVP files which specify what filenames to look for, checksums,
and so on. RVP files execute immediately on being encountered,
unless the user sets the option to wait before beginning a
scan. There is no authentication mechanism - anyone can make
their own .RVP file to scan the local machine.

The results are presented in a report HTML page, a template
of which is included in the RVP file. The page is saved under
a filename included in the RVP file. (Only the leafname is used
- the report is always saved in a user-specified directory.)
When CatchUp has finished scanning, it opens the report
file by passing a DDE message to any web browsers open.

Issue:

The main problem is that the filename need not end in '.html'.
It is possible for an attacker to craft an RVP file which will
create any file, for example .BAT or .VBS, and deliver it to
the user through the web or e-mail. When the scan completes
- or straight away, if the RVP specifies no scanning commands -
the malicious file will be opened. If a DDE-compliant web
browser window is open at the moment it should prompt the user
to save or open the file as usual. If, however, no browser is
open, Windows will execute the file without further
confirmation, allowing the attacker to run arbitrary code.
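As an added illustration, not part of the advisory or of CNet's own code: the leafname check a report writer like CatchUp's would need before saving a file under a name taken from an untrusted RVP. It is written in Python around a hypothetical `safe_report_name` helper; it enforces an .html/.htm suffix, rejects path and stream characters, rejects DOS device names, and refuses names with trailing dots or spaces, which Windows strips silently so that "report.bat." lands on disk as "report.bat".

```python
import re
from typing import Optional

# DOS device names (constructed list): "CON.html" is routed to the console
# device on Windows rather than written to a file.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})
ALLOWED_SUFFIXES = (".html", ".htm")


def safe_report_name(name: str) -> Optional[str]:
    """Return the name if it is an acceptable HTML report leafname, else None."""
    if not name or len(name) > 255:
        return None
    # Path separators, NTFS-forbidden characters and control characters.
    # ':' also covers alternate data streams ("report.html:evil.bat").
    if re.search(r'[\\/:*?"<>|\x00-\x1f]', name):
        return None
    # Windows drops trailing dots and spaces when creating the file, so the
    # on-disk extension would differ from the one we are about to check.
    if name != name.rstrip(". "):
        return None
    stem, dot, suffix = name.rpartition(".")
    if not dot or not stem:
        return None
    # The suffix is checked last, so "report.html.vbs" is rejected too.
    if ("." + suffix).lower() not in ALLOWED_SUFFIXES:
        return None
    # Device-name matching ignores everything after the first dot.
    if stem.split(".")[0].upper() in RESERVED:
        return None
    return name


if __name__ == "__main__":
    # Constructed sample names of the kind an RVP might carry.
    for candidate in ("catchup_report.html", "report.bat", "report.html.vbs",
                      "report.bat.", "..\\report.html", "CON.html"):
        verdict = "saved" if safe_report_name(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```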

Vendor response:

CNet has released version 1.3.1 of CatchUp to fix this bug.
Users of previous versions are advised to download the new
version from http://catchup.cnet.com/.

Issue:

Creating an HTML file in the local filesystem has well-known
security risks. The 'My Computer' zone generally has security
set at a much more relaxed level than the 'Internet' zone.
Active scripting will also execute in the security context of
the local filesystem, allowing e.g. browser-parsable files to
be read and sent to an attacker through an iframes-and-innerHTML
hack.

Vendor response:

Avoiding saving reports in HTML to local storage would require
a significant change in CatchUp's architecture. This will be
addressed in the next major revision of the software, but
there is no fix for now.

Workaround:

Ensure that CatchUp is only allowed to run from trusted sites.
Either turn on the 'ask for confirmation before scanning'
option, or, if like me you aren't able to open the options
dialogue box to do so without crashing Windows, go to Folder
Options -> File Types -> CatchUp Configuration File (RVP) ->
Edit and turn on 'Confirm open after download'.

--
Andrew Clover
mailto:and () doxdesk com
http://and.doxdesk.com/
