Got this through Xavier Ashe:

The uninstaller requires you to install an ActiveX control on your system before you can even request an uninstall URL. Turns out, the uninstaller ActiveX marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It’s called “RebootMachine”. If you have installed Sony’s ActiveX control, follow the link to invoke the RebootMachine method. I don’t even want to know what the ExecuteCode method does…

The InstallUpdate method seems to download a file in XCP.DAT format, extract a DLL from it and then execute stuff. So far I haven’t analyzed the code enough to determine if it’s exploitable, but I’m guessing it doesn’t do any significant verification – meaning this ActiveX control could have an exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has a working uninstall link, please view the source for the page at every step and check the JavaScript it uses. I’d like to see how these methods are supposed to be used.

Link here via Xavier.

I’ll see if I can hunt more down on this topic.

Alex Eckelberry
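The quoted analysis turns on one detail: the control registers itself as "safe for scripting", so any web page can instantiate it and call its methods. The PowerShell below is an added example, not code from the post or from Sony, that inventories every COM class on a machine declaring that category and reports whether Internet Explorer's kill bit already blocks it. It assumes the standard component category GUIDs for Safe for Scripting and Safe for Initialization and the documented kill-bit flag (0x400); any control this turns up whose DLL or name you do not recognise is worth a closer look.

```powershell
# Added example (not from the original post). Enumerates registered COM classes
# that declare the "Safe for Scripting" component category and shows whether the
# IE kill bit (Compatibility Flags 0x400) is set for each. Standard GUIDs assumed.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBit          = 0x400
$ClsidRoot        = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$CompatRoot       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    Get-ChildItem $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $cats  = "$ClsidRoot\$clsid\Implemented Categories"
        # Only controls that a web page may drive from script are of interest here.
        if (-not (Test-Path "$cats\$SafeForScripting")) { return }

        $name   = (Get-ItemProperty "$ClsidRoot\$clsid" -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty "$ClsidRoot\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty "$CompatRoot\$clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = $name
            Server      = $server                      # DLL that implements the control
            SafeForInit = Test-Path "$cats\$SafeForInit"
            KillBitSet  = [bool]($flags -band $KillBit) # $true means IE refuses to load it
        }
    }
}

# Unblocked, scriptable controls first; review anything outside system directories.
Get-ScriptableActiveX | Sort-Object KillBitSet, Name | Format-Table -AutoSize
```

To block a specific control once identified, the documented mitigation is to create the key under ActiveX Compatibility for its CLSID and set the DWORD "Compatibility Flags" to 0x400 (the kill bit).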
