mailing list archives
Trojan file issue in Musicmatch software
From: "Hyperdose Security" <robfly () hyperdose com>
Date: Thu, 14 Apr 2005 07:37:40 -0700
Hyperdose Security Advisory
Name: Arbitrary file overwrite in Musicmatch
Systems Affected: Musicmatch v10.00.2047 or earlier (according to Yahoo
v9.00.5059 and earlier are also affected)
Author: Robert Fly - robfly () hyperdose com
Advisory URL: http://www.hyperdose.com/advisories/H2005-05.txt
From Musicmatch.com, "Musicmatch Jukebox 10 is the most powerful way to find
and organize your music, giving you ultimate control of your music
experience." In September 04 Musicmatch was purchased by Yahoo! Inc.
CreateProcess has known issues with launching files. For example, when
making a call like:
CreateProcess(NULL, "C:\Program Files\app\launch.exe", ...)
The API will first look for c:\program.exe, instead of what most would
expect (to open launch.exe). To fix the path must be quoted.
More details can be found here:
MMFWLaunch.exe versions earlier then 10.00.2047 contain this vulnerability.
To reproduce, create a file on your root drive called program.exe. Then
launch MMFWLaunch.exe (located under c:\program files\musicmatch\Musicmatch
Jukebox\), on vulnerable versions you should see that program launched
several times instead of the actual MMFWLaunch. Through normal means, you
can come across this by navigating to File->Create CD From Current Playlist
in the core Musicmatch UI.
Although not possible on WinXP, previous versions of Windows had looser ACLs
on the root drive. Meaning an attacker using a shared computer could get
their victim to run their code instead of launching this Musicmatch file by
taking advantage of this vulnerability.
Musicmatch has now fixed this vulnerability by quoting the path passed into
As of 3/21/05 Yahoo has released a new version which fixes this
vulnerability. I have witheld vulnerability details until now so that
MusicMatch automatic updates had a chance to propogate.
Downloads available here:
Security FAQ available here:
Hyperdose Security was founded to provide companies with application
security knowledge through all parts of an application's security
development lifecycle. We specialize in all phases of software development
ranging from security design and architectural reviews, security code
reviews and penetration testing.
email robfly () hyperdose com
- Trojan file issue in Musicmatch software Hyperdose Security (Apr 14)