发布时间 :2015-01-12 14:59:00
修订时间 :2015-01-13 15:42:55

[原文]The RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in RealNetworks GameHouse RealArcade Installer performs unexpected type conversions for invalid parameter types, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted arguments to the (1) AddTag, (2) Ping, (3) QueuePause, (4) QueueRemove, (5) QueueTop, (6) RemoveTag, (7) TagRemoved, or (8) message method.

[CNNVD]RealNetworks GameHouse RealArcade Installer 释放后使用远程代码执行漏洞(CNNVD-201309-052)

        GameHouse RealArcade Installer是美国RealNetworks公司的一套游戏门户网站中的下载安装包。
        GameHouse RealArcade Installer 3.0.7之前的版本中存在远程代码执行漏洞。攻击者可利用该漏洞在用户运行的受影响应用程序上下文中执行任意代码。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

RealNetworks GameHouse RealArcade Installer 释放后使用远程代码执行漏洞
2013-09-10 00:00:00 2013-09-10 00:00:00
        GameHouse RealArcade Installer是美国RealNetworks公司的一套游戏门户网站中的下载安装包。
        GameHouse RealArcade Installer 3.0.7之前的版本中存在远程代码执行漏洞。攻击者可利用该漏洞在用户运行的受影响应用程序上下文中执行任意代码。

- 公告与补丁


- 漏洞信息

GameHouse RealArcade Installer InstallerDlg Module RACInstaller.StateCtrl.1 ActiveX Dispatcher Multiple Methods Use-after-free Arbitrary Code Execution
Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Private RBS Confirmed, Coordinated Disclosure, No Vendor Response

- 漏洞描述

GameHouse RealArcade Installer contains a use-after-free error in the RACInstaller.StateCtrl.1 ActiveX control (InstallerDlg.dll) that is triggered when the dispatcher attempts to convert invalid input types supplied as arguments for certain methods. With a specially crafted web page, a context-dependetn attacker can dereference already freed memory and execute arbitrary code.

- 时间线

2013-09-05 2013-01-26
Unknow 2013-05-29

- 解决方案

It has been reported that this issue has been fixed. Upgrade to version 3.0.7 or higher, which no longer configures the ActiveX control as 'safe-for-scripting'.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

GameHouse RealArcade Installer CVE-2013-2603 Use After Free Remote Code Execution Vulnerability
Unknown 62250
Yes No
2013-09-05 12:00:00 2013-09-05 12:00:00
Carsten Eiram of Risk Based Security

- 受影响的程序版本

- 漏洞讨论

GameHouse RealArcade Installer is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.

Versions prior to GameHouse RealArcade Installer 3.0.7 are vulnerable.

- 漏洞利用

An attacker can exploit this issue using a web browser.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考