[VulnWatch] GameSpy Arcade Arbitrary File Writing Vulnerability

From: Mike Kristovich (zzz_at_threezee.com)
Date: 07/30/03

  • Next message: Janusz Niewiadomski: "[VulnWatch] wu-ftpd fb_realpath() off-by-one bug"
    Date: Wed, 30 Jul 2003 13:49:39 -0400
    
    

    ###############################################################
    ThreeZee Technology, Inc. Security Advisory #TZT002
    ###############################################################

    Advisory: GameSpy Arcade Arbitrary File Writing

    Discovered: July 26, 2003
    Released: July 31, 2003

    Risk: Critical; Allows writing of a file to any
                     location on the victim's system.

    Author: Mike Kristovich, Security Researcher
                     ThreeZee Technology, Inc.
                     http://www.ThreeZee.com

    ###############################################################

    Table of contents:

    1) Introduction
    2) The Bug
    3) Details
    4) Fix
    5) Philosophy
    6) Closing comments

    _______________________________________________________________

    1) Introduction
     
    The problem exists within GSAPAK.EXE, a game update agent which
    is included by default with the installation of GameSpy Arcade.

    GameSpy automatically adds three mime types to the list of
    accepted documents in Internet Explorer and Netscape Navigator,
    which are:

    "application/x-gsarcade-usersvc"
    "application/x-gsarcade-skinpak"
    "application/x-gsarcade-launch"

    By default, when a file with the extension of .APK, .arcade or
    .asn is received, it will be launched by GSAPAK.exe.

    _______________________________________________________________

    2) The Bug

    When a user receives a file with the .APK extension, it is
    actually a simple ZIP file. An attacker could simply construct
    a ZIP file, and change the path so that it would by extracted
    into the root directory of the drive, or even the startup
    directory of Windows.

    Using this method, it would be quite easy to insert a virus,
    trojan horse, or pretty much anything one desires, into the
    victim's system.

    i.e.: ../../../calc.exe - Would put it in the root directory

    Because the file is considered an accepted type by browsers,
    there will be no dialog asking the user to accept or deny
    receiving it.

    _______________________________________________________________

    3) Risk

    If a user were to have JavaScript enabled, the attacker could
    even add "onLoad=" to an IMG tag on a web page, which would run
    the file upon the image being loaded. This could have serious
    consequences on Gaming Forums.

    This bug does not require GameSpy Arcade to run, or ever have
    run. It's possible that it has been installed along with a
    game, and hasn't been touched. This does not make the user
    safe. GSAPAK.exe is a separate entity in the GameSpy package,
    and is useful for the purpose they've created it.

    _______________________________________________________________

    4) Fix
      
    GameSpy was notified on July 28, 2003.

    GameSpy responded very quickly, and they were on their way to
    fixing the bug within 12 hours of the initial contact.

    Directory of GameSpy Technology, David Wright, has told TZT
    that this vulnerability will be fixed in a patch this week.
    We'd like to thank GameSpy for their extremely fast response
    and professionalism in handling this matter.

    Current GameSpy Arcade users should see the patch, and be
    given the option (possibly required) to update. We suggest
    the latter.

    If you have concerns about waiting for the patch, it can be
    temporarily fixed by removing the above specified accepted
    documents from the registry. You could also remove GSAPAK.exe,
    or you could even choose to uninstall GameSpy Arcade until the
    patch becomes available later this week.

    _______________________________________________________________

    5) Philosophy

    GameSpy has hundreds of thousands of users, most of which are
    using GameSpy Arcade and are vulnerable to this bug.
      
    This bug has now been disclosed, and all users should patch
    their system as soon as the patch is available.
      
    Keep in mind, your system will still be vulnerable even if
    you've installed GameSpy Arcade, but never ran it.

    _______________________________________________________________

    6) Closing comments
      
    We would like to thank GameSpy and David Wright for their
    prompt handling of the bug report, again.

    _______________________________________________________________

    7) Contact

     Questions, comments, complaints:
     
      Mike Kristovich, Security Researcher
      ThreeZee Technology, Inc.

      http://www.ThreeZee.com
      zzz@threezee.com

     Press inquiries:

      press@threezee.com

     


  • Next message: Janusz Niewiadomski: "[VulnWatch] wu-ftpd fb_realpath() off-by-one bug"