Got this through Xavier Ashe:
The uninstaller requires you to install an ActiveX control to your system before you can even request for an uninstall url. Turns out, the uninstaller activex marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It’s called “RebootMachine”. If you have installed Sony’s ActiveX control, follow the link to invoke the RebootMachine method. I don’t even want to know what the ExecuteCode method does…
The InstallUpdate method seems to download a file in XCP.DAT format, extract a dll from it and then execute stuff. So far I haven’t analyzed the code enough to determine if it’s exploitable, but I’m guessing it doesn’t do any significant verification – meaning this ActiveX control could have exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has working uninstall link, please view the source for page at every step and check the javascript it uses. I’d like to see how these methods are supposed to be used.
I’ll see if I can hunt more down on this topic.
Alex Eckelberry