cvelistv5 - cve-2009-1792

cve-2009-1792

Vulnerability from cvelistv5

Published

2009-05-29 18:00

Modified

2024-08-07 05:27

Severity ?

Summary

References

▼	URL	Tags
	cve@mitre.org	http://secunia.com/advisories/35256
	cve@mitre.org	http://www.coresecurity.com/content/StoneTrip-S3DPlayers
	cve@mitre.org	http://www.securityfocus.com/archive/1/503887/100/0/threaded
	cve@mitre.org	http://www.securityfocus.com/bid/35105

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:27:54.450Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "35105",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/35105"
          },
          {
            "name": "35256",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/35256"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
          },
          {
            "name": "20090528 CORE-2009-0401 - StoneTrip S3DPlayers remote command injection",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-05-28T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-10T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "35105",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/35105"
        },
        {
          "name": "35256",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/35256"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
        },
        {
          "name": "20090528 CORE-2009-0401 - StoneTrip S3DPlayers remote command injection",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-1792",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "35105",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/35105"
            },
            {
              "name": "35256",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/35256"
            },
            {
              "name": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers",
              "refsource": "MISC",
              "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
            },
            {
              "name": "20090528 CORE-2009-0401 - StoneTrip S3DPlayers remote command injection",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2009-1792",
    "datePublished": "2009-05-29T18:00:00",
    "dateReserved": "2009-05-26T00:00:00",
    "dateUpdated": "2024-08-07T05:27:54.450Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2009-1792\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-05-29T18:30:00.203\",\"lastModified\":\"2021-09-22T14:22:18.110\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n system.openURL en StoneTrip Ston3D StandalonePlayer (tambien conocido como S3DPlayer StandAlone) v1.6.2.4 y v1.7.0.1 y WebPlayer (tambi\u00e9n conocido como S3DPlayer Web) v1.6.0.0 permite a atacantes remotos ejecutar comandos de su elecci\u00f3n a atrav\u00e9s de de metacaracteres del int\u00e9rprete de comandos en el primer argumento (el argumento sURL.)\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":9.3},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52C5D62C-CCD9-44A1-B120-15B462A14802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_standalone:1.7.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8FBC588-1328-47C7-8F41-33C969FF6373\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B41CBD9C-064D-41C0-9FDE-E1A6C4278A06\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CF61F35-5905-4BA9-AD7E-7DB261D2F256\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52C5D62C-CCD9-44A1-B120-15B462A14802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B41CBD9C-064D-41C0-9FDE-E1A6C4278A06\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C56F007-5F8E-4BDD-A803-C907BCC0AF55\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"155AD4FB-E527-4103-BCEF-801B653DEA37\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52C5D62C-CCD9-44A1-B120-15B462A14802\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/35256\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.coresecurity.com/content/StoneTrip-S3DPlayers\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/503887/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/35105\",\"source\":\"cve@mitre.org\"}]}}"
  }
}

The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument). S3DPlayer Web and Standalone are prone to a remote command-injection vulnerability because they fail to adequately sanitize user-supplied input data. Attackers can exploit this issue to execute arbitrary commands within the context of the affected application. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
       http://www.coresecurity.com/corelabs/

   StoneTrip S3DPlayers remote command injection

Advisory Information

Title: StoneTrip S3DPlayers remote command injection Advisory ID: CORE-2009-0401 Advisory URL: http://www.coresecurity.com/content/StoneTrip-S3DPlayers Date published: 2009-05-28 Date of last update: 2009-05-28 Vendors contacted: StoneTrip Release mode: User release

Vulnerability Information

Class: Command injection, Client side Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 35105 CVE Name: CVE-2009-1792

Vulnerability Description

Ston3D is a cross-platform technology developed by StoneTrip [1], allowing applications developed with ShiVa product [2] to be run from various media. It is a platform for 3D real time development, specially designed to make games and other real time applications.

Ston3D players come in two flavors:

Ston3D StandalonePlayer [3],
and Ston3D WebPlayer [4], which runs like an extension or plug-in within most popular web browsers.

These players are vulnerable to a command injection vulnerability, which can be exploited by malicious remote attackers. The vulnerability is due to the Ston3D scripting language. It provides the function 'system.openURL()' which does not properly sanitize the input before using it.

Vulnerable packages

4.1. Win32

. S3DPlayer Web v1.6.0.0 . S3DPlayer StandAlone v1.6.2.4 . S3DPlayer StandAlone v1.7.0.1

4.2. MacOS

. S3DPlayer Web v1.6.0.0 . S3DPlayer StandAlone v1.6.2.4

4.3. Linux

. S3DPlayer StandAlone v1.6.2.4

NOTE: Older versions are probably affected too, but they were not checked.

Non-vulnerable packages

By the time this advisory was published, the vendor:

had not released patched versions of its products,
had not answered the requests made by Core Security for 3 weeks (see Section 9).

Please contact StoneTrip for a fix.

Vendor Information, Solutions and Workarounds

The vendor did not provide this information. A possible mitigation action would be to enable MIME type filtering in your IDS/proxies and block S3DPlayer traffic:

/-----------

application/x-ston3d-stk - -----------/

As a workaround, vulnerable users can also avoid this flaw by disabling the Ston3D Plugin in their web browsers:

6.1. Mozilla Firefox

Go to the Tools menu, and select Options...
Click on the Main tab
Click on the Manage Add-ons...
Disable Ston3D Plugin

6.2. Safari

Go to the Safari menu within Safari, and select Preferences
Click on the *Security * tab
Deselect Enable plug-ins

6.3. Internet Explorer

Set the kill bit for control 7508D2BB-F085-45BF-8261-167C6DF4D477 (as explained in http://support.microsoft.com/kb/240797).

Please contact StoneTrip for further information, patches and workarounds.

Credits

This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies.

Technical Description / Proof of Concept Code

Ston3D is a cross-platform technology allowing applications developed with ShiVa product [2] to be run from various media, such as a website, CD/DVD or interactive equipment. This technology provides a scripting interface [5] based on the Lua programming language, within this interface the function 'system.openURL' is defined as follows:

/-----------

Prototype system.openURL(sURL, sTarget) --Call this function to open an URL.

-----------/

In the current implementation, the call 'system.openURL(sURL, sTarget)' with the parameter 'sURL' set as 'file://path/command' will ultimately execute the equivalent of calling

/----------- system("open path/command"); - -----------/

By using platform specific delimiter characters this could allow arbitrary code execution in the context of the player.

Find below the relevant code snippets from various platforms.

8.1. Windows

/-----------

.text:1000D64D test esi, esi .text:1000D64F mov eax, esi .text:1000D651 jnz short loc_1000D658 .text:1000D653 .text:1000D653 loc_1000D653: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1CB .text:1000D653 mov eax, offset Name .text:1000D658 .text:1000D658 loc_1000D658: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1D1 .text:1000D658 push 1 .text:1000D65A push offset Name ; lpDirectory .text:1000D65F push ecx ; lpParameters .text:1000D660 push eax ; lpFile .text:1000D661 push offset Operation ; "open" .text:1000D666 push 0 ; hwnd .text:1000D668 call ds:ShellExecuteA .text:1000D66E .text:1000D66E loc_1000D66E: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1B0 .text:1000D66E test edi, edi .text:1000D670 jbe short loc_1000D67F .text:1000D672 test esi, esi .text:1000D674 jz short loc_1000D67F .text:1000D676 add esi, 0FFFFFFFCh .text:1000D679 push esi ; Memory .text:1000D67A call ebp ; __imp_free

-----------/

8.2. Linux

/-----------

.text:08371334 mov [esp+5Ch+var_58], offset aOpen ; "open " .text:0837133C lea eax, [esp+5Ch+var_34] .text:08371340 mov [esp+5Ch+command], eax .text:08371343 call sub_8109FC0 .text:08371348 lea eax, [esp+5Ch+var_1C] .text:0837134C mov [esp+5Ch+var_58], eax .text:08371350 lea eax, [esp+5Ch+var_34] .text:08371354 mov [esp+5Ch+command], eax .text:08371357 call sub_8108F10 .text:0837135C lea eax, [esp+5Ch+var_34] .text:08371360 mov [esp+5Ch+command], eax .text:08371363 call sub_80DF660 .text:08371368 mov [esp+5Ch+command], eax .text:0837136B call _system .text:08371370 lea eax, [esp+5Ch+var_34] .text:08371374 mov [esp+5Ch+command], eax .text:08371377 call sub_80D92F0 .text:0837137C jmp short loc_8371398

-----------/

8.3. MacOSX (x86)

/-----------

__text:0005995B lea eax, (aOpen - 597ECh)[ebx] ; "open " __text:00059961 lea esi, [esp+5Ch+var_44] __text:00059965 mov [esp+5Ch+var_58], eax __text:00059969 mov [esp+5Ch+var_5C], esi __text:0005996C call __ZN7Pandora10EngineCore6StringC1EPKc ; Pandora::EngineCore::String::String(char const*) __text:00059971 mov [esp+5Ch+var_58], edi __text:00059975 mov [esp+5Ch+var_5C], esi __text:00059978 call __ZN7Pandora10EngineCore6StringpLERKS1_ __text:0005997D mov edx, [esp+5Ch+var_44] __text:00059981 test edx, edx __text:00059983 jz loc_59A5F __text:00059989 mov eax, [esp+5Ch+var_40] __text:0005998D test eax, eax __text:0005998F jz loc_59A5F __text:00059995 __text:00059995 loc_59995: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+295 __text:00059995 mov [esp+5Ch+var_5C], eax __text:00059998 call _system __text:0005999D mov eax, [esp+5Ch+var_44] __text:000599A1 test eax, eax __text:000599A3 jnz loc_59AB2 __text:000599A9 nop dword ptr [eax+00000000h]

-----------/

8.4. MacOSX (PPC)

/-----------

__text:00053D6C addi %r30, %sp, 0x90+var_38 __text:00053D70 addis %r4, %r31, 0x3F __text:00053D74 addi %r4, %r4, -0x29DC __text:00053D78 mr %r3, %r30 __text:00053D7C bl __ZN7Pandora10EngineCore6StringC1EPKc # Pandora::EngineCore::String::String(char const) __text:00053D80 mr %r3, %r30 __text:00053D84 mr %r4, %r29 __text:00053D88 bl __ZN7Pandora10EngineCore6StringpLERKS1_ __text:00053D8C lwz %r0, 0x90+var_38(%sp) __text:00053D90 cmpwi cr7, %r0, 0 __text:00053D94 beq cr7, loc_53DA4 __text:00053D98 lwz %r3, 0x90+var_34(%sp) __text:00053D9C cmpwi cr7, %r3, 0 __text:00053DA0 bc 5, 4cr7+eq, loc_53DAC __text:00053DA4 __text:00053DA4 loc_53DA4: # CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+394 __text:00053DA4 addis %rtoc, %r31, 0x3F __text:00053DA8 addi %r3, %rtoc, -0x5620 __text:00053DAC __text:00053DAC loc_53DAC: # CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+3A0 __text:00053DAC bl _system __text:00053DB0 lwz %r0, 0x90+var_38(%sp) __text:00053DB4 cmpwi cr7, %r0, 0 __text:00053DB8 beq cr7, loc_53E24 __text:00053DBC b loc_53DF8

-----------/
Report Timeline

. 2009-04-20: Core Security Technologies notifies the StoneTrip team of the vulnerability and announces its initial plan to publish the content on May 18th, 2009. 2009-04-21: The vendor asks Core for a technical description of the vulnerability. 2009-04-23: Technical details sent to StoneTrip team by Core. 2009-04-24: In addition to the technical details, a Proof of Concept was sent to StoneTrip team. 2009-04-28: Core asks the vendor to confirm the reception of the technical report. 2009-04-28: StoneTrip team notifies that the technical report has been received and that a vulnerability report will be sent to Core soon. 2009-05-07: Core requests a status update for this vulnerability and notifies its plan to publish the advisory on May 18th, 2009. No reply received. 2009-05-15: Core requests an answer to the previous mail. No reply received. 2009-05-18: Core Advisories Team does not release the advisory as originally planned. Core re-schedules the advisory publication date to 26th May 2009. 2009-05-20: Core notifies StoneTrip that the advisory publication date was missed and that the last status requests were not replied. Core also notifies the vendor of the final release date (26th May 2009). 2009-05-28: After trying to contact the StoneTrip team several times without success, the advisory CORE-2009-0401 is published as 'User Release'.

References

[1] http://www.stonetrip.com. [2] ShiVa, a platform for 3D real time development with focus in game development http://www.stonetrip.com/shiva/shiva-3d-game-engine.html. [3] http://www.stonetrip.com/ston3d-players/ston3d-standalone.html. [4] http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html. [5] http://stdn.stonetrip.com.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKHuAiyNibggitWa0RAgJTAJsEXfUBmIjxmY7X4hplONY/Z0DOJgCfUKxJ F9s8R8PuYBiIhvLANh3XmhE= =kU8D -----END PGP SIGNATURE----- . ----------------------------------------------------------------------

Do you have VARM strategy implemented?

(Vulnerability Assessment Remediation Management)

If not, then implement it through the most reliable vulnerability intelligence source on the market.

Implement it through Secunia.

For more information visit: http://secunia.com/advisories/business_solutions/

Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com

TITLE: Ston3D "system.openURL()" Command Injection Vulnerability

SECUNIA ADVISORY ID: SA35256

VERIFY ADVISORY: http://secunia.com/advisories/35256/

DESCRIPTION: A vulnerability has been reported in Ston3D, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the implementation of the "system.openURL()" script function.

The vulnerability is reported in the following products and versions: * Ston3D Web Player version 1.6.0.0 * Ston3D StandAlone Player versions 1.6.2.4 and 1.7.0.1

SOLUTION: Do not browse untrusted websites or follow untrusted links.

Do not open untrusted Ston3D files.

Reportedly an update will be available for Ston3D Web Player later this month.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200905-0330",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "s3dplayer web",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "stonetrip",
        "version": "1.6.0.0"
      },
      {
        "model": "s3dplayer standalone",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "stonetrip",
        "version": "1.6.2.4"
      },
      {
        "model": "s3dplayer standalone",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "stonetrip",
        "version": "1.7.0.1"
      },
      {
        "model": "s3dplayer standalone",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "stonetrip",
        "version": "1.6.2.4 and  1.7.0.1"
      },
      {
        "model": "kernel",
        "scope": null,
        "trust": 0.6,
        "vendor": "linux",
        "version": null
      },
      {
        "model": "s3dplayer web for mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "stonetrip",
        "version": "x1.6.0.0"
      },
      {
        "model": "s3dplayer standalone for windows",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "stonetrip",
        "version": "1.7.0.1"
      },
      {
        "model": "s3dplayer standalone for windows",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "stonetrip",
        "version": "1.6.2.4"
      },
      {
        "model": "s3dplayer standalone for mac os",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "stonetrip",
        "version": "x1.6.2.4"
      },
      {
        "model": "s3dplayer standalone for linux",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "stonetrip",
        "version": "1.6.2.4"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "35105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Diego Juarez",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-1792",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "HIGH",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 9.3,
            "confidentialityImpact": "Complete",
            "exploitabilityScore": null,
            "id": "CVE-2009-1792",
            "impactScore": null,
            "integrityImpact": "Complete",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.6,
            "id": "VHN-39238",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2009-1792",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200905-326",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-39238",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument). S3DPlayer Web and Standalone are prone to a remote command-injection vulnerability because they fail to adequately sanitize user-supplied input data. \nAttackers can exploit this issue to execute arbitrary commands within the context of the affected application. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n      Core Security Technologies - CoreLabs Advisory\n           http://www.coresecurity.com/corelabs/\n\n       StoneTrip S3DPlayers remote command injection\n\n\n1. *Advisory Information*\n\nTitle: StoneTrip S3DPlayers remote command injection\nAdvisory ID: CORE-2009-0401\nAdvisory URL: http://www.coresecurity.com/content/StoneTrip-S3DPlayers\nDate published: 2009-05-28\nDate of last update: 2009-05-28\nVendors contacted: StoneTrip\nRelease mode: User release\n\n\n2. *Vulnerability Information*\n\nClass: Command injection, Client side\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35105\nCVE Name: CVE-2009-1792\n\n\n3. *Vulnerability Description*\n\nSton3D is a cross-platform technology developed by StoneTrip [1],\nallowing applications developed with ShiVa product [2] to be run from\nvarious media. It is a platform for 3D real time development, specially\ndesigned to make games and other real time applications. \n\nSton3D players come in two flavors:\n\n   1. Ston3D StandalonePlayer [3],\n   2. and Ston3D WebPlayer [4], which runs like an extension or plug-in\nwithin most popular web browsers. \n\nThese players are vulnerable to a command injection vulnerability, which\ncan be exploited by malicious remote attackers. The vulnerability is due\nto the Ston3D scripting language. It provides the function\n\u0027system.openURL()\u0027 which does not properly sanitize the input before\nusing it. \n\n\n4. *Vulnerable packages*\n\n4.1. *Win32*\n\n   . S3DPlayer Web v1.6.0.0\n   . S3DPlayer StandAlone v1.6.2.4\n   . S3DPlayer StandAlone v1.7.0.1\n\n4.2. *MacOS*\n\n   . S3DPlayer Web v1.6.0.0\n   . S3DPlayer StandAlone v1.6.2.4\n\n4.3. *Linux*\n\n   . S3DPlayer StandAlone v1.6.2.4\n\nNOTE: Older versions are probably affected too, but they were not checked. \n\n\n5. *Non-vulnerable packages*\n\nBy the time this advisory was published, the vendor:\n\n   1. had not released patched versions of its products,\n   2. had not answered the requests made by Core Security for 3 weeks\n(see Section 9). \n\nPlease contact StoneTrip for a fix. \n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nThe vendor did not provide this information. A possible mitigation\naction would be to enable MIME type filtering in your IDS/proxies and\nblock S3DPlayer traffic:\n\n/-----------\n\napplication/x-ston3d-stk\n- -----------/\n\nAs a workaround, vulnerable users can also avoid this flaw by disabling\nthe Ston3D Plugin in their web browsers:\n\n\n6.1. *Mozilla Firefox*\n\n   1. Go to the *Tools* menu, and select *Options...*\n   2. Click on the *Main* tab\n   3. Click on the *Manage Add-ons...*\n   4. Disable *Ston3D Plugin*\n\n\n6.2. *Safari*\n\n   1. Go to the *Safari* menu within Safari, and select *Preferences*\n   2. Click on the *Security * tab\n   3. Deselect *Enable plug-ins*\n\n\n6.3. *Internet Explorer*\n\nSet the kill bit for control 7508D2BB-F085-45BF-8261-167C6DF4D477 (as\nexplained in http://support.microsoft.com/kb/240797). \n\nPlease contact StoneTrip for further information, patches and workarounds. \n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Diego Juarez from\nCore Security Technologies. \n\n\n8. *Technical Description / Proof of Concept Code*\n\nSton3D is a cross-platform technology allowing applications developed\nwith ShiVa product [2] to be run from various media, such as a website,\nCD/DVD or interactive equipment. This technology provides a scripting\ninterface [5] based on the Lua programming language, within this\ninterface the function \u0027system.openURL\u0027 is defined as follows:\n\n/-----------\n\nPrototype\nsystem.openURL(sURL, sTarget)    --Call this function to open an URL. \n\n- -----------/\n\nIn the current implementation, the call \u0027system.openURL(sURL, sTarget)\u0027\nwith the parameter \u0027sURL\u0027 set as \u0027file://path/command\u0027 will ultimately\nexecute the equivalent of calling\n\n/-----------\nsystem(\"open path/command\");\n- -----------/\n\n By using platform specific delimiter characters this could allow\narbitrary code execution in the context of the player. \n\nFind below the relevant code snippets from various platforms. \n\n\n8.1. *Windows*\n\n/-----------\n\n.text:1000D64D    test    esi, esi\n.text:1000D64F    mov     eax, esi\n.text:1000D651    jnz     short loc_1000D658\n.text:1000D653\n.text:1000D653 loc_1000D653:                ; CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\nconst \u0026amp;,Pandora::EngineCore::String const \u0026amp;)+1CB\n.text:1000D653    mov     eax, offset Name\n.text:1000D658\n.text:1000D658 loc_1000D658:                ; CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\nconst \u0026amp;,Pandora::EngineCore::String const \u0026amp;)+1D1\n.text:1000D658    push    1\n.text:1000D65A    push    offset Name       ; lpDirectory\n.text:1000D65F    push    ecx               ; lpParameters\n.text:1000D660    push    eax               ; lpFile\n.text:1000D661    push    offset Operation  ; \"open\"\n.text:1000D666    push    0                 ; hwnd\n.text:1000D668    call    ds:ShellExecuteA\n.text:1000D66E\n.text:1000D66E loc_1000D66E:                ; CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\nconst \u0026amp;,Pandora::EngineCore::String const \u0026amp;)+1B0\n.text:1000D66E    test    edi, edi\n.text:1000D670    jbe     short loc_1000D67F\n.text:1000D672    test    esi, esi\n.text:1000D674    jz      short loc_1000D67F\n.text:1000D676    add     esi, 0FFFFFFFCh\n.text:1000D679    push    esi               ; Memory\n.text:1000D67A    call    ebp               ; __imp_free\n\n- -----------/\n\n\n8.2. *Linux*\n\n/-----------\n\n.text:08371334    mov     [esp+5Ch+var_58], offset aOpen ; \"open \"\n.text:0837133C    lea     eax, [esp+5Ch+var_34]\n.text:08371340    mov     [esp+5Ch+command], eax\n.text:08371343    call    sub_8109FC0\n.text:08371348    lea     eax, [esp+5Ch+var_1C]\n.text:0837134C    mov     [esp+5Ch+var_58], eax\n.text:08371350    lea     eax, [esp+5Ch+var_34]\n.text:08371354    mov     [esp+5Ch+command], eax\n.text:08371357    call    sub_8108F10\n.text:0837135C    lea     eax, [esp+5Ch+var_34]\n.text:08371360    mov     [esp+5Ch+command], eax\n.text:08371363    call    sub_80DF660\n.text:08371368    mov     [esp+5Ch+command], eax\n.text:0837136B    call    _system\n.text:08371370    lea     eax, [esp+5Ch+var_34]\n.text:08371374    mov     [esp+5Ch+command], eax\n.text:08371377    call    sub_80D92F0\n.text:0837137C    jmp     short loc_8371398\n\n- -----------/\n\n\n8.3. *MacOSX (x86)*\n\n/-----------\n\n__text:0005995B   lea     eax, (aOpen - 597ECh)[ebx] ; \"open \"\n__text:00059961   lea     esi, [esp+5Ch+var_44]\n__text:00059965   mov     [esp+5Ch+var_58], eax\n__text:00059969   mov     [esp+5Ch+var_5C], esi\n__text:0005996C   call    __ZN7Pandora10EngineCore6StringC1EPKc ;\nPandora::EngineCore::String::String(char  const*)\n__text:00059971   mov     [esp+5Ch+var_58], edi\n__text:00059975   mov     [esp+5Ch+var_5C], esi\n__text:00059978   call    __ZN7Pandora10EngineCore6StringpLERKS1_\n__text:0005997D   mov     edx, [esp+5Ch+var_44]\n__text:00059981   test    edx, edx\n__text:00059983   jz      loc_59A5F\n__text:00059989   mov     eax, [esp+5Ch+var_40]\n__text:0005998D   test    eax, eax\n__text:0005998F   jz      loc_59A5F\n__text:00059995\n__text:00059995 loc_59995:                              ; CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\n const\u0026amp;,Pandora::EngineCore::String  const\u0026amp;)+295\n__text:00059995   mov     [esp+5Ch+var_5C], eax\n__text:00059998   call    _system\n__text:0005999D   mov     eax, [esp+5Ch+var_44]\n__text:000599A1   test    eax, eax\n__text:000599A3   jnz     loc_59AB2\n__text:000599A9   nop     dword ptr [eax+00000000h]\n\n- -----------/\n\n\n8.4. *MacOSX (PPC)*\n\n/-----------\n\n__text:00053D6C   addi    %r30, %sp, 0x90+var_38\n__text:00053D70   addis   %r4, %r31, 0x3F\n__text:00053D74   addi    %r4, %r4, -0x29DC\n__text:00053D78   mr      %r3, %r30\n__text:00053D7C   bl      __ZN7Pandora10EngineCore6StringC1EPKc #\nPandora::EngineCore::String::String(char  const*)\n__text:00053D80   mr      %r3, %r30\n__text:00053D84   mr      %r4, %r29\n__text:00053D88   bl      __ZN7Pandora10EngineCore6StringpLERKS1_\n__text:00053D8C   lwz     %r0, 0x90+var_38(%sp)\n__text:00053D90   cmpwi   cr7, %r0, 0\n__text:00053D94   beq     cr7, loc_53DA4\n__text:00053D98   lwz     %r3, 0x90+var_34(%sp)\n__text:00053D9C   cmpwi   cr7, %r3, 0\n__text:00053DA0   bc      5, 4*cr7+eq, loc_53DAC\n__text:00053DA4\n__text:00053DA4 loc_53DA4:                              # CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\n const\u0026amp;,Pandora::EngineCore::String  const\u0026amp;)+394\n__text:00053DA4   addis   %rtoc, %r31, 0x3F\n__text:00053DA8   addi    %r3, %rtoc, -0x5620\n__text:00053DAC\n__text:00053DAC loc_53DAC:                              # CODE XREF:\nPandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String\n const\u0026amp;,Pandora::EngineCore::String  const\u0026amp;)+3A0\n__text:00053DAC   bl      _system\n__text:00053DB0   lwz     %r0, 0x90+var_38(%sp)\n__text:00053DB4   cmpwi   cr7, %r0, 0\n__text:00053DB8   beq     cr7, loc_53E24\n__text:00053DBC   b       loc_53DF8\n\n- -----------/\n\n\n9. *Report Timeline*\n\n. 2009-04-20:\nCore Security Technologies notifies the StoneTrip team of\nthe vulnerability and announces its initial plan to publish the content\non May 18th, 2009. 2009-04-21:\nThe vendor asks Core for a technical description of the\nvulnerability. 2009-04-23:\nTechnical details sent to StoneTrip team by Core. 2009-04-24:\nIn addition to the technical details, a Proof of Concept\nwas sent to StoneTrip team. 2009-04-28:\nCore asks the vendor to confirm the reception of the\ntechnical report. 2009-04-28:\nStoneTrip team notifies that the technical report has been\nreceived and that a vulnerability report will be sent to Core soon. 2009-05-07:\nCore requests a status update for this vulnerability and\nnotifies its plan to publish the advisory on May 18th, 2009. No reply\nreceived. 2009-05-15:\nCore requests an answer to the previous mail. No reply\nreceived. 2009-05-18:\nCore Advisories Team does not release the advisory as\noriginally planned. Core re-schedules the advisory publication date to\n26th May 2009. 2009-05-20:\nCore notifies StoneTrip that the advisory publication date\nwas missed and that the last status requests were not replied. Core also\nnotifies the vendor of the final release date (26th May 2009). 2009-05-28:\nAfter trying to contact the StoneTrip team several times\nwithout success, the advisory CORE-2009-0401 is published as \u0027User\nRelease\u0027. \n\n\n10. *References*\n\n[1] http://www.stonetrip.com. \n[2] ShiVa, a platform for 3D real time development with focus in game\ndevelopment\nhttp://www.stonetrip.com/shiva/shiva-3d-game-engine.html. \n[3] http://www.stonetrip.com/ston3d-players/ston3d-standalone.html. \n[4] http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html. \n[5] http://stdn.stonetrip.com. \n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.7 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKHuAiyNibggitWa0RAgJTAJsEXfUBmIjxmY7X4hplONY/Z0DOJgCfUKxJ\nF9s8R8PuYBiIhvLANh3XmhE=\n=kU8D\n-----END PGP SIGNATURE-----\n. ----------------------------------------------------------------------\n\nDo you have VARM strategy implemented?\n\n(Vulnerability Assessment Remediation Management)  \n\nIf not, then implement it through the most reliable vulnerability\nintelligence source on the market. \n\nImplement it through Secunia. \n\nFor more information visit:\nhttp://secunia.com/advisories/business_solutions/\n\nAlternatively request a call from a Secunia representative today to\ndiscuss how we can help you with our capabilities contact us at:\nsales@secunia.com\n\n----------------------------------------------------------------------\n\nTITLE:\nSton3D \"system.openURL()\" Command Injection Vulnerability\n\nSECUNIA ADVISORY ID:\nSA35256\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/35256/\n\nDESCRIPTION:\nA vulnerability has been reported in Ston3D, which can be exploited\nby malicious people to compromise a user\u0027s system. \n\nThe vulnerability is caused due to an error in the implementation of\nthe \"system.openURL()\" script function. \n\nThe vulnerability is reported in the following products and\nversions:\n* Ston3D Web Player version 1.6.0.0\n* Ston3D StandAlone Player versions 1.6.2.4 and 1.7.0.1\n\nSOLUTION:\nDo not browse untrusted websites or follow untrusted links. \n\nDo not open untrusted Ston3D files. \n\nReportedly an update will be available for Ston3D Web Player later\nthis month. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "BID",
        "id": "35105"
      },
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "db": "PACKETSTORM",
        "id": "77968"
      }
    ],
    "trust": 2.16
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-39238",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-1792",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "35105",
        "trust": 2.0
      },
      {
        "db": "SECUNIA",
        "id": "35256",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "77923",
        "trust": 0.2
      },
      {
        "db": "VULHUB",
        "id": "VHN-39238",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "77968",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "BID",
        "id": "35105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "db": "PACKETSTORM",
        "id": "77968"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "id": "VAR-200905-0330",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2023-12-18T12:58:41.372000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.stonetrip.com/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "http://www.coresecurity.com/content/stonetrip-s3dplayers"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/35105"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/35256"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1792"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1792"
      },
      {
        "trust": 0.3,
        "url": "http://support.microsoft.com/kb/240797"
      },
      {
        "trust": 0.3,
        "url": "http://www.stonetrip.com/"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/503887"
      },
      {
        "trust": 0.1,
        "url": "http://www.stonetrip.com/shiva/shiva-3d-game-engine.html."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2009-1792"
      },
      {
        "trust": 0.1,
        "url": "http://support.microsoft.com/kb/240797)."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "http://www.stonetrip.com/ston3d-players/ston3d-standalone.html."
      },
      {
        "trust": 0.1,
        "url": "http://enigmail.mozdev.org"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs."
      },
      {
        "trust": 0.1,
        "url": "http://stdn.stonetrip.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/"
      },
      {
        "trust": 0.1,
        "url": "http://www.stonetrip.com."
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/35256/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "BID",
        "id": "35105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "db": "PACKETSTORM",
        "id": "77968"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "db": "BID",
        "id": "35105"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "db": "PACKETSTORM",
        "id": "77968"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-05-29T00:00:00",
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "date": "2009-05-28T00:00:00",
        "db": "BID",
        "id": "35105"
      },
      {
        "date": "2012-12-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "date": "2009-05-29T02:00:23",
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "date": "2009-06-02T13:39:51",
        "db": "PACKETSTORM",
        "id": "77968"
      },
      {
        "date": "2009-05-29T18:30:00.203000",
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "date": "2009-05-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-10-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-39238"
      },
      {
        "date": "2015-04-13T21:10:00",
        "db": "BID",
        "id": "35105"
      },
      {
        "date": "2012-12-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      },
      {
        "date": "2021-09-22T14:22:18.110000",
        "db": "NVD",
        "id": "CVE-2009-1792"
      },
      {
        "date": "2021-09-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "77923"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "StoneTrip Ston3D StandalonePlayer and  WebPlayer of  system.openURL Arbitrary command execution vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-006041"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200905-326"
      }
    ],
    "trust": 0.6
  }
}

gsd-2009-1792

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2009-1792

Aliases

CVE-2009-1792

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2009-1792",
    "description": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).",
    "id": "GSD-2009-1792"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2009-1792"
      ],
      "details": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).",
      "id": "GSD-2009-1792",
      "modified": "2023-12-13T01:19:47.940689Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2009-1792",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument)."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "35105",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/35105"
          },
          {
            "name": "35256",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/35256"
          },
          {
            "name": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers",
            "refsource": "MISC",
            "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
          },
          {
            "name": "20090528 CORE-2009-0401 - StoneTrip S3DPlayers remote command injection",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.7.0.1:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_web:1.6.0.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:stonetrip:s3dplayer_standalone:1.6.2.4:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2009-1792"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-78"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
            },
            {
              "name": "35105",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/35105"
            },
            {
              "name": "35256",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/35256"
            },
            {
              "name": "20090528 CORE-2009-0401 - StoneTrip S3DPlayers remote command injection",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2021-09-22T14:22Z",
      "publishedDate": "2009-05-29T18:30Z"
    }
  }
}

ghsa-5q3m-29q7-8p94

Vulnerability from github

Published

2022-05-02 03:28

Modified

2022-05-02 03:28

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2009-1792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-05-29T18:30:00Z",
    "severity": "HIGH"
  },
  "details": "The system.openURL function in StoneTrip Ston3D StandalonePlayer (aka S3DPlayer StandAlone) 1.6.2.4 and 1.7.0.1 and WebPlayer (aka S3DPlayer Web) 1.6.0.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the first argument (the sURL argument).",
  "id": "GHSA-5q3m-29q7-8p94",
  "modified": "2022-05-02T03:28:39Z",
  "published": "2022-05-02T03:28:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1792"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35256"
    },
    {
      "type": "WEB",
      "url": "http://www.coresecurity.com/content/StoneTrip-S3DPlayers"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/503887/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35105"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2009-1792

Vulnerability from cvelistv5

var-200905-0330

Vulnerability from variot

gsd-2009-1792

Vulnerability from gsd

ghsa-5q3m-29q7-8p94

Vulnerability from github

Tags

Sightings

Nomenclature