#######################################################################

                             Luigi Auriemma

Application:  RealArcade
              http://www.realarcade.com
Versions:     <= 1.2.0.994
Platforms:    Windows
Bugs:         A] integer overflow in RGS files
              B] arbitrary files deletion through RGP files
Exploitation: local (or remote through browser)
Date:         08 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

RealArcade is a software/portal developed by RealNetworks for downloading and buying arcade games.

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] integer overflow in RGS files
--------------------------------

The problem is located in the handling of RGS files: there is an integer overflow in the 32-bit value that specifies the size of the text string containing the GUID and the name of the game to install. When the user launches an RGS file he can choose whether or not to continue installing it. The bug is triggered with either choice, overwriting the return address of the vulnerable function and letting the attacker execute malicious code on the victim's machine.

---------------------------------------------
B] arbitrary files deletion through RGP files
---------------------------------------------

The second problem instead lets an attacker delete any file on the victim's disk simply by using an RGP file containing a tag followed by a filename with a directory traversal path, just like this piece of RGP file:

...
950258D1-7ABD-4afc-8886-449B98CE8224
1.0
Demo
RGI demo
Puzzle and Board
../../windows/calc.exe
...
To be exact, the problem is in the first operation made on the file: RealArcade searches for an existing file with the same name and deletes it immediately (the delete is attempted whether the file already exists or not). In the next step (the download of the file from the web) everything works correctly, which is why it is only possible to delete a local file and not to overwrite it with a malicious one, which would cause more damage. Exploitation is immediate, so a simple double-click on a local RGP file leads to the instantaneous deletion of the file without warnings or confirmations.

A side note about the usage of a slash or a backslash for the exploitation: it seems that in older versions the backslash also had the same effect, while in the recent vulnerable versions only the slash works.

#######################################################################

===========
3) The Code
===========

A] http://aluigi.org/poc/rna_bof.zip

B] http://aluigi.org/poc/rna_deleter.zip

   This second proof-of-concept deletes the following file:
   ../../../../../../folder/myfile.txt (usually c:\folder\myfile.txt)
   So you must have or create this file and folder to be able to see the effect of the exploitation.

#######################################################################

======
4) Fix
======

No fix.
A patch will "probably" be released on the 10th of February, but I doubt it, since from the beginning of January the developers have said each week that they will release the patch the "next week".
In any case I reported the bugs to them exactly on the 31st of October 2004 (so over 3 months ago) and I'm sorry not to have fully respected my policy, since this advisory should have been released at least 2 months ago, avoiding all this horrible and shameful waste of time by the developers.

#######################################################################
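The two checks that bugs A and B call for, written as an added example in C. This is not RealArcade's code and is not taken from the advisory or its proof-of-concepts. Because the real RGS and RGP layouts are not documented on this page, it assumes a made-up minimal layout: an RGS record is a 32-bit little-endian length followed by that many bytes of GUID+name text, and an RGP filename is a plain NUL-terminated string. The buffer size, function names and sample inputs are all constructed. The filename check goes slightly beyond the advisory by rejecting ".." with either separator, plus absolute paths and drive letters, since the advisory notes the backslash also worked in older versions.

```c
/* Added example: hardening for the two RealArcade bug classes above.
 * Assumed (not real) formats: RGS = u32le length + text; RGP = filename string. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX_LEN 256   /* size of the fixed stack buffer (assumption) */

/* Read a 32-bit little-endian value from a byte buffer. */
static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bug A, the vulnerable size check as a predicate. The code needs len + 1
 * bytes (text plus NUL) and computes it in 32-bit arithmetic: for
 * len = 0xFFFFFFFF the sum wraps to 0, the check passes, and a following
 * copy of 'len' bytes runs far past the stack buffer. Returns 1 if the
 * flawed check would accept the length. Shown only to illustrate the bug. */
int vulnerable_length_ok(uint32_t len)
{
    uint32_t needed = len + 1;          /* wraps on overflow */
    return needed <= NAME_MAX_LEN;
}

/* Hardened RGS parser: the length is compared without any arithmetic that
 * could wrap, and is also checked against the bytes actually present.
 * Returns the copied length, or -1 on rejection. */
int parse_rgs_name(const uint8_t *buf, size_t buflen, char *out, size_t outsz)
{
    if (buf == NULL || out == NULL || outsz == 0 || buflen < 4)
        return -1;
    uint32_t len = read_u32le(buf);
    if (len >= outsz)              /* must leave room for the NUL */
        return -1;
    if (len > buflen - 4)          /* claims more bytes than the file holds */
        return -1;
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Bug B: reject any RGP filename that could leave the download directory.
 * Returns 1 if the name is safe to use, 0 otherwise. */
int rgp_filename_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                                 /* absolute or UNC path */
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return 0;                                 /* drive letter */
    const char *p = name;
    while (*p) {                                  /* walk each component */
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - start);
        if (n == 2 && start[0] == '.' && start[1] == '.')
            return 0;                             /* ".." with any separator */
        if (*p)
            p++;
    }
    return 1;
}

/* Constructed sample records (not real RGS data), wrapped so the results
 * can be checked without building buffers at the call site. */
int demo_parse_good(void)
{
    static const uint8_t rec[] = { 0x05,0,0,0, 'h','e','l','l','o' };
    char name[NAME_MAX_LEN];
    return parse_rgs_name(rec, sizeof rec, name, sizeof name);   /* 5 */
}
int demo_parse_wrapped_length(void)
{
    static const uint8_t rec[] = { 0xFF,0xFF,0xFF,0xFF, 'x' };
    char name[NAME_MAX_LEN];
    return parse_rgs_name(rec, sizeof rec, name, sizeof name);   /* -1 */
}
int demo_parse_truncated(void)
{
    static const uint8_t rec[] = { 0x0A,0,0,0, 'a','b','c' };   /* claims 10, has 3 */
    char name[NAME_MAX_LEN];
    return parse_rgs_name(rec, sizeof rec, name, sizeof name);   /* -1 */
}

int main(void)
{
    printf("flawed check accepts 0xFFFFFFFF: %d\n", vulnerable_length_ok(0xFFFFFFFFu));
    printf("hardened parse good/wrapped/truncated: %d %d %d\n",
           demo_parse_good(), demo_parse_wrapped_length(), demo_parse_truncated());
    printf("../../windows/calc.exe safe: %d\n", rgp_filename_is_safe("../../windows/calc.exe"));
    printf("demo.exe safe: %d\n", rgp_filename_is_safe("demo.exe"));
    return 0;
}
```

The key point of the RGS check is that the length is never used in an addition before it is compared; `len >= outsz` is the same condition as `len + 1 > outsz` but cannot wrap. For the RGP check, filtering the name is only half of the fix: the delete-before-download ordering described above means a rejected name must stop processing before the unlink, not just before the download.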