[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050208185257.3ee63736.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Integer overflow and arbitrary files deletion in
RealArcade 1.2.0.994
#######################################################################
Luigi Auriemma
Application: RealArcade
http://www.realarcade.com
Versions: <= 1.2.0.994
Platforms: Windows
Bugs: A] integer overflow in RGS files
B] arbitrary files deletion through RGP files
Exploitation: local (or remote through browser)
Date: 08 Feb 2005
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
RealArcade is a software/portal developed by RealNetworks for
downloading and buying arcade games.
#######################################################################
=======
2) Bugs
=======
--------------------------------
A] integer overflow in RGS files
--------------------------------
The problem is located in the handling of the RGS files, in fact exists
an integer overflow in the 32 bits value that specifies the size of the
text string containg the GUID and the name of the game to install.
When the user launchs a RGS file he can choose if continuing to install
it or not.
The bug happens with both the choices overwriting the return address of
the vulnerable function and letting the attacker to execute malicious
code on the victim.
---------------------------------------------
B] arbitrary files deletion through RGP files
---------------------------------------------
The second problem instead lets an attacker to delete any file in the
victim's disk simply using a RGP file containing a <FILENAME> tag
followed by a filename with a directory traversal path just like this
piece of RGP file:
...
<GAMEID>950258D1-7ABD-4afc-8886-449B98CE8224</GAMEID>
<VERSION>1.0 Demo RGI</VERSION>
<TYPE>demo</TYPE>
<GENRE>Puzzle and Board</GENRE>
<!-- now we exploit the directory traversal bug -->
<FILENAME>../../windows/calc.exe</FILENAME>
...
To be exact the problem is in the first operation made on the file when
RealArcade searchs for an existent file with the same name and deletes
it immediately (both if it already exists or not).
Instead in the next step (the downloading of the file from the web)
everything works correctly, that's why is only possible to delete a
local file and not to overwrite it with a malicious one causing more
damage.
The exploitation is immediate, so a simple double-click on a local RGP
file leads to the instantaneous deletion of the file without warnings
or confirmations.
An useless note about the usage of a slash or a backslash for the
exploitation: seems that in older versions also the backslash had the
same effect while in the recent vulnerable versions only the slash is
allowed.
#######################################################################
===========
3) The Code
===========
A] http://aluigi.altervista.org/poc/rna_bof.rgs
B] http://aluigi.altervista.org/poc/rna_deleter.rgp
this second proof-of-concept overwrites the following file:
../../../../../../folder/myfile.txt (usually c:\folder\myfile.txt)
So you must have or create this file and this folder to be able to
see the effect of the exploitation.
#######################################################################
======
4) Fix
======
No fix.
A patch will be "probably" released the 10th February but I doubt since
it's from the beginning of January that each week the developers say
that they will release the patch the "next week".
In any case I reported the bugs to them exactly the 31th October 2004
(so over 3 months ago) and I'm sorry to have not fully respected my
policy since this advisory should be released at least 2 months ago
avoiding all this horrible and shameful wasting of time made by the
developers.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists