
[Repost] Muzzy's research about Sony's XCP DRM system


Article author: Matti Nikki

I've collected some of my findings about the Sony's XCP DRM rootkit here. Enjoy!

Uninstaller

The uninstaller requires you to install an ActiveX control on your system before you can even request an uninstall URL. Turns out, the uninstaller ActiveX control marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It's called "RebootMachine". If you have installed Sony's ActiveX control, follow the link to invoke the RebootMachine method. I don't even want to know what the ExecuteCode method does...

The InstallUpdate method seems to download a file in XCP.DAT format, extract a DLL from it and then execute stuff. So far I haven't analyzed the code enough to determine if it's exploitable, but I'm guessing it doesn't do any significant verification - meaning this ActiveX control could have an exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has a working uninstall link, please view the page source at every step and check the JavaScript it uses. I'd like to see how these methods are supposed to be used.

Also, if anyone has reversed the XCP.DAT format (seems to be a zlib-based compressed archive), please contact me. It would appear that the ability to create these archives is the ability to execute anything on the vulnerable systems.

Scriptable methods left behind

The uninstaller leaves behind lots of methods, here are the names:

  • GenerateRequestPacket
  • ExecuteCode (can crash browser)
  • Uninstall
  • RebootMachine (exploitable, see demo)
  • GetProgress
  • OnLoaded
  • InitializeDiscScan
  • GetNumberOfDiscs
  • IsDRMServerValid
  • GetAlbumArtist
  • GetAlbumName
  • GetMaxBurnCount
  • GetCurrentBurnCount
  • GenerateIncrementPacket
  • IsContentOwnerValid
  • DoIncrement
  • GetInstalledSoftwareVersion
  • IsXCPDiscPresent
  • InstallUpdate (possibly exploitable, downloads given url)
  • GetInstallProgress
  • GetCompletionStatus
  • IsXCPDiscPresentAsLong
  • IsAdministrator

Considering anyone can reboot the computer using these, I suspect security wasn't thought about for even a second during development of this thing. Virus writers and such would be very interested in analyzing what these methods do, in case some of them are remotely exploitable... possibly even by design.
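The point above is that the control registers itself as "safe for scripting", which is what lets any web page call its methods. As an added example (not part of the original post, and not Sony's code), this PowerShell script audits a Windows machine for every ActiveX control registered under that category and reports whether Internet Explorer's kill bit is set for it. The category GUIDs and the kill-bit flag are the documented Windows values; the XCP control's own CLSID is not given in the post, so nothing here is hard-coded to it.

```powershell
# Documented category GUIDs: CATID_SafeForScripting / CATID_SafeForInitializing
$catSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$catSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# IE stores the kill bit as 0x400 in "Compatibility Flags" under this key
$killBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBitFlag = 0x400

function Get-SafeForScriptingControls {
    # Walk every CLSID and keep those that claim the safe-for-scripting category
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key   = $_.PSPath
        $clsid = $_.PSChildName
        if (-not (Test-Path "$key\Implemented Categories\$catSafeForScripting")) { return }

        $name   = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty "$killBitBase\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Server      = $server          # DLL/OCX that IE would load for a web page
            SafeForInit = Test-Path "$key\Implemented Categories\$catSafeForInit"
            KillBitSet  = [bool]($flags -band $killBitFlag)
        }
      }
}

function Set-ActiveXKillBit {
    # Mitigation: set the kill bit so IE refuses to instantiate the control.
    # Requires administrator rights; the control stays registered for non-IE hosts.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = "$killBitBase\$Clsid"
    if (-not (Test-Path $path)) { New-Item $path -Force | Out-Null }
    $current = (Get-ItemProperty $path -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty $path 'Compatibility Flags' ([int]$current -bor $killBitFlag) -Type DWord
}

# Report scriptable controls that a web page could still reach
Get-SafeForScriptingControls |
  Where-Object { -not $_.KillBitSet } |
  Sort-Object Name |
  Format-Table CLSID, Name, Server, SafeForInit -AutoSize
```

Many legitimate controls are safe-for-scripting, so treat the output as a review list: look for entries whose Server path points at a vendor uninstaller or DRM component, and kill-bit those rather than everything listed.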

Magic lists

The installer and player both contain some interesting lists of exe names, window names, and so on. So far I don't know what these are used for, but I'd guess it's a blacklist system. Your guess is as good as mine, but the DRM system scans for them every two seconds.

LAME references?

On the CD, the file Contents\GO.EXE contains some strings:

00056c18  68 74 74 70 3a 2f 2f 77-77 77 2e 6d 70 33 64 65  http://www.mp3de
00056c28  76 2e 6f 72 67 2f 00 00-30 2e 39 30 00 00 00 00  v.org/..0.90....
00056c38  4c 41 4d 45 33 2e 39 35-20 00 00 00 33 2e 39 35  LAME3.95 ...3.95
00056c48  00 00 00 00 33 2e 39 35-20 00 00 00 00 00 00 00  ....3.95 .......

The big question is, what are they doing there? I'd say this indicates that the executable has been compiled against a static LAME library, which happens to be LGPL. I don't have any further evidence about this, other than lots of data from libmp3lame being included and easy to find. I have no idea what the DRM system or the installer would do with LAME.

It might be accidentally linked in; someone else checked and didn't find any matching code.


2005-11-13 Matti Nikki <muzzy@iki.fi>
