###############################################################
ThreeZee Technology, Inc.       Security Advisory    #TZT002
###############################################################
 
Advisory:        GameSpy Arcade Arbitrary File Writing
 
Discovered:      July 26, 2003
Released:        July 31, 2003
 
Risk:            Critical; Allows writing of a file to any
                 location on the victim's system.
 
Author:          Mike Kristovich, Security Researcher
                 ThreeZee Technology, Inc.
                 http://www.ThreeZee.com
 
###############################################################
 
Table of contents:
 
1)    Introduction
2)    The Bug
3)    Details
4)    Fix
5)    Philosophy
6)    Closing comments
 
_______________________________________________________________
 
1) Introduction
 
The problem exists within GSAPAK.EXE, a game update agent which
is included by default with the installation of GameSpy Arcade.
 
GameSpy automatically adds three mime types to the list of
accepted documents in Internet Explorer and Netscape Navigator,
which are:
 
"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch"
 
By default, when a file with the extension of .APK, .arcade or
.asn is received, it will be launched by GSAPAK.exe.
 
_______________________________________________________________
 
2) The Bug
 
When a user receives a file with the .APK extension, it is
actually a simple ZIP file.  An attacker could simply construct
a ZIP file and change the stored path so that its contents would
be extracted into the root directory of the drive, or even the
startup directory of Windows.
 
Using this method, it would be quite easy to insert a virus,
trojan horse, or pretty much anything one desires, into the
victim's system.
 
e.g.:   ../../../calc.exe - would put it in the root directory
 
Because the file is considered an accepted type by browsers,
there will be no dialog asking the user to accept or deny
receiving it.
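The archive check a handler like GSAPAK.exe should perform before extracting a received .APK, as an added example (not code from the advisory or from GameSpy): it resolves every entry name against the destination directory and refuses the whole archive if any entry is absolute, drive-qualified, or climbs above the destination with "../" (the trick described above). The sample archive, the "skin/readme.txt" entry and the "./extracted_skins" destination are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile


def build_sample_apk(with_traversal: bool) -> bytes:
    """Constructed in-memory .APK (a plain ZIP) used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skin/readme.txt", "harmless skin file")
        if with_traversal:
            # Entry names like the one in section 2; ZipFile does not
            # reject them on write, only a checker like the one below does.
            zf.writestr("../../../calc.exe", "placeholder, not an executable")
            zf.writestr("..\\..\\..\\calc.exe", "same trick with DOS separators")
    return buf.getvalue()


def unsafe_entries(apk_bytes: bytes, dest_dir: str) -> list[str]:
    """Names of entries that would be written outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # tolerate DOS separators
            if posixpath.isabs(name) or os.path.splitdrive(name)[0]:
                bad.append(info.filename)  # absolute or drive-qualified path
                continue
            target = os.path.realpath(os.path.join(dest, *name.split("/")))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(info.filename)  # resolves above dest_dir
    return bad


def safe_extract(apk_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only when every entry stays inside dest_dir."""
    bad = unsafe_entries(apk_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


if __name__ == "__main__":
    # Constructed destination; nothing is written, only checked.
    print(unsafe_entries(build_sample_apk(True), "./extracted_skins"))
```

Note that the check must run on the entry names as stored in the archive, not on the file names as they appear in a listing, and that it is the archive as a whole that is rejected, not just the offending entries.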
 
_______________________________________________________________
 
3) Risk
 
If a user were to have JavaScript enabled, the attacker could
even add
 