SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   GameSpy Arcade Vendors:   GameSpy Industries
GameSpy Arcade 'GSAPAK.exe' Lets Remote Users Install Arbitrary Files
SecurityTracker Alert ID:  1007346
SecurityTracker URL:  http://securitytracker.com/id/1007346
CVE Reference:   CVE-2003-0650   (Links to External Site)
Updated:  Aug 6 2003
Original Entry Date:  Jul 31 2003
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in GameSpy Arcade. A remote user can install an arbitrary file to an arbitrary location on the target user's system.

ThreeZee Technology reported that a flaw resides in the GSAPAK.EXE update agent.

'GSAPAK.exe' is reportedly associated with the following MIME types when the GameSpy Arcade software is installed:

"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch"

As a result, a remote user can send a specially crafted file (via HTML e-mail or a web page) with a '.APK', '.arcade', or '.asn' file extension to cause 'GSAPAK.exe' to be executed on the target user's computer to decompress and install the contents of the file. A remote user can specify the filename of and the destination location for the extracted file.

The report notes that the system is affected if GameSpy Arcade is installed. The software does not need to have ever been executed for the system to be vulnerable.

The following notification timeline is provided:

Discovered: July 26, 2003
Vendor Notified: July 28, 2003
Released: July 31, 2003

Impact:   A remote user can cause an arbitrary file to be installed to an arbitrary location on the target user's system. The file is written with the privileges of the target user.
Solution:   The vendor plans to issue a patch this week.

The author of the report indicates that, as a workaround, you can remove GSAPAK.exe.

Vendor URL:  www.gamespyarcade.com/ (Links to External Site)
Cause:   Access control error, Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  GameSpy Arcade Arbitrary File Writing Vulnerability




###############################################################
ThreeZee Technology, Inc.       Security Advisory    #TZT002
###############################################################

Advisory:        GameSpy Arcade Arbitrary File Writing

Discovered:      July 26, 2003
Released:        July 31, 2003

Risk:            Critical; Allows writing of a file to any
                 location on the victim's system.

Author:          Mike Kristovich, Security Researcher
                 ThreeZee Technology, Inc. 
                 http://www.ThreeZee.com

############################################################### 

Table of contents:

1)    Introduction
2)    The Bug
3)    Details
4)    Fix
5)    Philosophy
6)    Closing comments

_______________________________________________________________

1) Introduction
 
The problem exists within GSAPAK.EXE, a game update agent which 
is included by default with the installation of GameSpy Arcade. 

GameSpy automatically adds three mime types to the list of 
accepted documents in Internet Explorer and Netscape Navigator,
which are:

"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch" 

By default, when a file with the extension of .APK, .arcade or 
.asn is received, it will be launched by GSAPAK.exe.

_______________________________________________________________

2) The Bug

When a user receives a file with the .APK extension, it is
actually a simple ZIP file.  An attacker could simply construct
a ZIP file, and change the path so that it would by extracted 
into the root directory of the drive, or even the startup 
directory of Windows.

Using this method, it would be quite easy to insert a virus,
trojan horse, or pretty much anything one desires, into the
victim's system.

i.e.:   ../../../calc.exe - Would put it in the root directory

Because the file is considered an accepted type by browsers, 
there will be no dialog asking the user to accept or deny
receiving it. 

_______________________________________________________________

3) Risk

If a user were to have JavaScript enabled, the attacker could 
even add "onLoad=" to an IMG tag on a web page, which would run
the file upon the image being loaded.  This could have serious
consequences on Gaming Forums.

This bug does not require GameSpy Arcade to run, or ever have
run.  It's possible that it has been installed along with a 
game, and hasn't been touched.  This does not make the user 
safe.  GSAPAK.exe is a separate entity in the GameSpy package,
and is useful for the purpose they've created it.

_______________________________________________________________

4) Fix
  
GameSpy was notified on July 28, 2003.

GameSpy responded very quickly, and they were on their way to
fixing the bug within 12 hours of the initial contact.

Directory of GameSpy Technology, David Wright, has told TZT
that this vulnerability will be fixed in a patch this week.
We'd like to thank GameSpy for their extremely fast response
and professionalism in handling this matter.

Current GameSpy Arcade users should see the patch, and be 
given the option (possibly required) to update.  We suggest
the latter.

If you have concerns about waiting for the patch, it can be 
temporarily fixed by removing the above specified accepted 
documents from the registry. You could also remove GSAPAK.exe,
or you could even choose to uninstall GameSpy Arcade until the
patch becomes available later this week.

_______________________________________________________________


5) Philosophy

GameSpy has hundreds of thousands of users, most of which are 
using GameSpy Arcade and are vulnerable to this bug.
  
This bug has now been disclosed, and all users should patch
their system as soon as the patch is available.
  
Keep in mind, your system will still be vulnerable even if 
you've installed GameSpy Arcade, but never ran it.

_______________________________________________________________ 

6) Closing comments
  
We would like to thank GameSpy and David Wright for their
prompt handling of the bug report, again.   

_______________________________________________________________

7) Contact

 Questions, comments, complaints:
 
  Mike Kristovich, Security Researcher
  ThreeZee Technology, Inc.

  http://www.ThreeZee.com
  zzz@threezee.com


 Press inquiries:

  press@threezee.com

 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC