Samsung Kies Remote Command Execution

October 26, 2012

Samsung Kies is a software application used for communication between Windows/Mac computers, mobile phones and tablets. Communication can be performed via USB on traditional devices or via WiFi on newer devices. The software has a number of functions, including data backup, data transfer, multimedia management and firmware/OS upgrade.

Upon installation, Kies deploys an ActiveX control CmdAgent.CommandAgent which is contained in dynamic-link library CmdAgent.dll. The ActiveX control can be instantiated via a web page.

A remote command execution vulnerability exists in Samsung Kies. Specifically the vulnerability is due to exposure of unsafe methods in the CmdAgent.CommandAgent ActiveX control. A remote attackers can exploit this vulnerability by enticing a target user (who has Samsung Kies installed) to open a specially crafted web page. Successful exploitation of this flaw allows arbitrary command execution in the security context of the logged-in user.

Dell SonicWALL has released signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • IPS sid:9116 "Samsung Multistage Command Agent ActiveX Instantiation 1"
  • IPS sid:9117 "Samsung Multistage Command Agent ActiveX Instantiation 2"