25th Feb 2002 [SBWID-5129]
COMMAND
CNet CatchUp arbitrary code execution
SYSTEMS AFFECTED
Catchup 1.3
PROBLEM
Andrew Clover [http://and.doxdesk.com/] says:
CNet CatchUp is controlled by .RVP files which specify what filenames
to look for, checksums, and so on. RVP files execute immediately on
being encountered, unless the user sets the option to wait before
beginning a scan. There is no authentication mechanism - anyone can
make their own .RVP file to scan the local machine.
The results are presented in a report HTML page, a template of which is
included in the RVP file. The page is saved under a filename included
in the RVP file. (Only the leafname is used - the report is always
saved in a user-specified directory.) When CatchUp has finished
scanning, it opens the report file by passing a DDE message to any web
browsers open.
Issue:
======
The main problem is that the filename need not end in '.html'. It is
possible for an attacker to craft an RVP file which will create any
file, for example .BAT or .VBS, and deliver it to the user through the
web or e-mail. When the scan completes - or straight away, if the RVP
specifies no scanning commands - the malicious file will be opened. If
a DDE-compliant web browser window is open at the moment it should
prompt the user to save or open the file as usual. If, however, no
browser is open, Windows will execute the file without further
confirmation, allowing the attack to run arbitrary code.
SOLUTION
No fix for now.
Workaround
==========
Ensure that CatchUp is only allowed to run from trusted sites. Either
turn on the 'ask for confirmation before scanning' option, or, if
like me you aren't able to open the options dialogue box to do so
without crashing Windows, go to Folder Options -> File Types -> CatchUp
Configuration File (RVP) -> Edit and turn on 'Confirm open after
download'.
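The report-filename handling the advisory describes (only the leafname is kept, but the extension is never checked), shown as an added example rather than CatchUp's own code: one function models the described behaviour, the other is the validation a program writing a caller-supplied report name would want. The function names and the trailing-dot normalisation (Windows discards trailing dots and spaces when creating a file) are assumptions of this example, not details from the advisory.

```python
# Added example; not CatchUp's code. Models the leafname-only report filename
# handling from the advisory and a hardened check beside it.
import ntpath
import posixpath

ALLOWED_REPORT_EXTENSIONS = (".html", ".htm")


def leafname(report_name: str) -> str:
    """Reduce a caller-supplied report path to its leaf, as the advisory says
    CatchUp does. Strips both Windows and POSIX directory components."""
    return posixpath.basename(ntpath.basename(report_name))


def report_filename_as_described(report_name: str) -> str:
    """Behaviour from the advisory: the leaf is kept, the extension is never
    checked, so 'report.bat' is written as-is and later opened by Windows."""
    return leafname(report_name)


def hardened_report_filename(report_name: str) -> str:
    """Defensive version. Normalises to the name Windows would actually create
    (trailing dots/spaces are discarded by the filesystem, so 'x.bat.' would
    become 'x.bat'), refuses ':' (drive or stream separator) and dot-only
    names, and requires an allowlisted HTML extension. Raises ValueError."""
    leaf = leafname(report_name).rstrip(". ")
    if not leaf or ":" in leaf or leaf in (".", ".."):
        raise ValueError(f"rejected report filename: {report_name!r}")
    stem, ext = ntpath.splitext(leaf)
    if not stem or ext.lower() not in ALLOWED_REPORT_EXTENSIONS:
        raise ValueError(f"report must be an HTML file, got: {report_name!r}")
    return leaf


def is_safe_report_filename(report_name: str) -> bool:
    """True only if the hardened check accepts the name."""
    try:
        hardened_report_filename(report_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample report names of the kind an RVP file could carry.
    for name in ("catchup-report.html", "report.bat", "C:\\tmp\\run.vbs",
                 "report.bat.", "report.htm:x"):
        print(f"{name!r:24} described: {report_filename_as_described(name)!r:18}"
              f" hardened accepts: {is_safe_report_filename(name)}")
```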