SecurityTracker.com
Category:   Application (Game)  >   RealArcade
Vendors:   RealNetworks
RealArcade Integer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013128
SecurityTracker URL:  http://securitytracker.com/id/1013128
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 9 2005
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network

Version(s): 1.2.0.994 and prior versions
Description:   Luigi Auriemma reported some vulnerabilities in RealArcade. A remote user can execute arbitrary code on the target user's system. A remote user can also cause arbitrary files to be deleted.

The software does not properly process RGS files. A remote user can create an RGS file with a specially crafted size value for the GUID and game name string to trigger an integer overflow. A remote user can execute arbitrary code on the target user's system. A demonstration exploit is available at:

http://aluigi.altervista.org/poc/rna_bof.rgs
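
The class of check that prevents this kind of size-field overflow, as an added example that is not RealArcade code and is not taken from the advisory. The record layout (a 32-bit little-endian size followed by the text), the name `read_sized_string` and the 260-byte cap are assumptions for illustration; the real RGS format is not documented on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 260u /* assumed cap for the GUID + game name text */

/* Assumed layout (not the documented RGS format): a 32-bit little-endian
 * size followed by that many bytes of text. Copies the text into out as a
 * NUL-terminated string. Returns bytes consumed, or -1 on rejection. */
long read_sized_string(const uint8_t *buf, size_t buf_len,
                       char *out, size_t out_cap)
{
    uint32_t n;

    if (buf_len < 4 || out_cap == 0)
        return -1;
    n = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
        ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);

    /* Compare the untrusted size against each limit directly. Computing
     * n + 1 or n + 4 first is the trap: with n = 0xFFFFFFFF the sum wraps
     * to a small value in 32-bit arithmetic and a later bounds test passes. */
    if (n > NAME_MAX_LEN)      /* sanity cap for this field */
        return -1;
    if (n > out_cap - 1)       /* room for the text plus the NUL */
        return -1;
    if (n > buf_len - 4)       /* bytes really present in the input */
        return -1;

    memcpy(out, buf + 4, n);
    out[n] = '\0';
    return (long)n + 4;
}

int main(void)
{
    /* Constructed sample records, not taken from a real RGS file. */
    const uint8_t good[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
    const uint8_t wrap[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'a' };
    char name[64];

    printf("good: %ld\n", read_sized_string(good, sizeof good, name, sizeof name));
    printf("wrap: %ld\n", read_sized_string(wrap, sizeof wrap, name, sizeof name));
    return 0;
}
```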

A remote user can create an RGP file with a specially crafted 'FILENAME' tag to cause a specified file on the target user's system to be deleted.

A demonstration exploit value is provided:

<FILENAME>../../windows/calc.exe</FILENAME>

A demonstration exploit [to delete '../../../../../../folder/myfile.txt'] is available at:

http://aluigi.altervista.org/poc/rna_deleter.rgp
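
A validation step that would reject the 'FILENAME' value shown above before any file operation uses it, as an added example that is not RealArcade code and is not taken from the advisory. The function names, the bare-file-name policy and the install directory `C:\Games\demo` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if name is a bare file name that can be joined to the install
 * directory, 0 otherwise. The policy is an assumption and deliberately
 * strict: no path separators, so no sub-directories either. */
int filename_is_safe(const char *name)
{
    size_t i, len = strlen(name);

    if (len == 0 || len > 255)
        return 0;
    /* Reject '/' and '\\' alike: the advisory notes that either separator
     * has worked depending on the version. ':' covers drive letters and
     * NTFS alternate data streams. */
    if (strpbrk(name, "/\\:") != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* Windows drops trailing dots and spaces, so "x.exe." aliases "x.exe". */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;
    for (i = 0; i < len; i++)
        if ((unsigned char)name[i] < 0x20)
            return 0;
    return 1;
}

/* Joins dir and name only after validation, so no delete, create or
 * download step ever sees an unchecked path. Returns 0 on success, -1 on
 * a rejected name or a truncated result. */
int build_target_path(const char *dir, const char *name, char *out, size_t cap)
{
    int n;
    if (!filename_is_safe(name))
        return -1;
    n = snprintf(out, cap, "%s\\%s", dir, name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char p[260]; /* directory and first file name below are constructed */
    printf("%d\n", build_target_path("C:\\Games\\demo", "game_demo.exe", p, sizeof p));
    printf("%d\n", build_target_path("C:\\Games\\demo", "../../windows/calc.exe", p, sizeof p));
    return 0;
}
```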

The vendor was notified on October 31, 2004.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.

A remote user can cause arbitrary files to be deleted.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.realarcade.com/
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Integer overflow and arbitrary files deletion in RealArcade



#######################################################################

                             Luigi Auriemma

Application:  RealArcade
              http://www.realarcade.com
Versions:     <= 1.2.0.994
Platforms:    Windows
Bugs:         A] integer overflow in RGS files
              B] arbitrary files deletion through RGP files
Exploitation: local (or remote through browser)
Date:         08 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


RealArcade is a software/portal developed by RealNetworks for
downloading and buying arcade games.


#######################################################################

=======
2) Bugs
=======


--------------------------------
A] integer overflow in RGS files
--------------------------------

The problem is located in the handling of the RGS files, in fact there
exists an integer overflow in the 32-bit value that specifies the size
of the text string containing the GUID and the name of the game to
install.

When the user launches an RGS file he can choose whether to continue
installing it or not.
The bug happens with both choices, overwriting the return address of
the vulnerable function and letting the attacker execute malicious
code on the victim.


---------------------------------------------
B] arbitrary files deletion through RGP files
---------------------------------------------

The second problem instead lets an attacker delete any file on the
victim's disk simply using an RGP file containing a <FILENAME> tag
followed by a filename with a directory traversal path just like this
piece of RGP file:

...
			<GAMEID>950258D1-7ABD-4afc-8886-449B98CE8224</GAMEID>
			<VERSION>1.0 Demo RGI</VERSION>
			<TYPE>demo</TYPE>
			<GENRE>Puzzle and Board</GENRE>

              <!-- now we exploit the directory traversal bug -->

			<FILENAME>../../windows/calc.exe</FILENAME>
...

To be exact the problem is in the first operation made on the file when
RealArcade searches for an existing file with the same name and deletes
it immediately (both if it already exists or not).
Instead in the next step (the downloading of the file from the web)
everything works correctly, that's why it is only possible to delete a
local file and not to overwrite it with a malicious one causing more
damage.

The exploitation is immediate, so a simple double-click on a local RGP
file leads to the instantaneous deletion of the file without warnings
or confirmations.

A useless note about the usage of a slash or a backslash for the
exploitation: it seems that in older versions the backslash also had
the same effect while in the recent vulnerable versions only the slash
is allowed.


#######################################################################

===========
3) The Code
===========


A] http://aluigi.altervista.org/poc/rna_bof.rgs

B] http://aluigi.altervista.org/poc/rna_deleter.rgp

   this second proof-of-concept overwrites the following file:

     ../../../../../../folder/myfile.txt (usually c:\folder\myfile.txt)

   So you must have or create this file and this folder to be able to
   see the effect of the exploitation.


#######################################################################

======
4) Fix
======


No fix.
A patch will "probably" be released on the 10th of February but I doubt
it, since from the beginning of January the developers have said each
week that they will release the patch the "next week".

In any case I reported the bugs to them exactly on the 31st of October
2004 (so over 3 months ago) and I'm sorry not to have fully respected
my policy, since this advisory should have been released at least 2
months ago, avoiding all this horrible and shameful waste of time by
the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 

