[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001701c356c2$f3ee9810$6b402e44@threezee>
From: zzz at threezee.com (Mike Kristovich)
Subject: GameSpy Arcade Arbitrary File Writing Vulnerability
###############################################################
ThreeZee Technology, Inc. Security Advisory #TZT002
###############################################################
Advisory: GameSpy Arcade Arbitrary File Writing
Discovered: July 26, 2003
Released: July 31, 2003
Risk: Critical; Allows writing of a file to any
location on the victim's system.
Author: Mike Kristovich, Security Researcher
ThreeZee Technology, Inc.
http://www.ThreeZee.com
###############################################################
Table of contents:
1) Introduction
2) The Bug
3) Details
4) Fix
5) Philosophy
6) Closing comments
_______________________________________________________________
1) Introduction
The problem exists within GSAPAK.EXE, a game update agent which
is included by default with the installation of GameSpy Arcade.
GameSpy automatically adds three mime types to the list of
accepted documents in Internet Explorer and Netscape Navigator,
which are:
"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch"
By default, when a file with the extension of .APK, .arcade or
.asn is received, it will be launched by GSAPAK.exe.
_______________________________________________________________
2) The Bug
When a user receives a file with the .APK extension, it is
actually a simple ZIP file. An attacker could simply construct
a ZIP file, and change the path so that it would by extracted
into the root directory of the drive, or even the startup
directory of Windows.
Using this method, it would be quite easy to insert a virus,
trojan horse, or pretty much anything one desires, into the
victim's system.
i.e.: ../../../calc.exe - Would put it in the root directory
Because the file is considered an accepted type by browsers,
there will be no dialog asking the user to accept or deny
receiving it.
_______________________________________________________________
3) Risk
If a user were to have JavaScript enabled, the attacker could
even add "onLoad=" to an IMG tag on a web page, which would run
the file upon the image being loaded. This could have serious
consequences on Gaming Forums.
This bug does not require GameSpy Arcade to run, or ever have
run. It's possible that it has been installed along with a
game, and hasn't been touched. This does not make the user
safe. GSAPAK.exe is a separate entity in the GameSpy package,
and is useful for the purpose they've created it.
_______________________________________________________________
4) Fix
GameSpy was notified on July 28, 2003.
GameSpy responded very quickly, and they were on their way to
fixing the bug within 12 hours of the initial contact.
Directory of GameSpy Technology, David Wright, has told TZT
that this vulnerability will be fixed in a patch this week.
We'd like to thank GameSpy for their extremely fast response
and professionalism in handling this matter.
Current GameSpy Arcade users should see the patch, and be
given the option (possibly required) to update. We suggest
the latter.
If you have concerns about waiting for the patch, it can be
temporarily fixed by removing the above specified accepted
documents from the registry. You could also remove GSAPAK.exe,
or you could even choose to uninstall GameSpy Arcade until the
patch becomes available later this week.
_______________________________________________________________
5) Philosophy
GameSpy has hundreds of thousands of users, most of which are
using GameSpy Arcade and are vulnerable to this bug.
This bug has now been disclosed, and all users should patch
their system as soon as the patch is available.
Keep in mind, your system will still be vulnerable even if
you've installed GameSpy Arcade, but never ran it.
_______________________________________________________________
6) Closing comments
We would like to thank GameSpy and David Wright for their
prompt handling of the bug report, again.
_______________________________________________________________
7) Contact
Questions, comments, complaints:
Mike Kristovich, Security Researcher
ThreeZee Technology, Inc.
http://www.ThreeZee.com
zzz@...eezee.com
Press inquiries:
press@...eezee.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030730/199dfd8a/attachment.html
Powered by blists - more mailing lists