#######################################################################

                             Luigi Auriemma

Application:  Unity 3D web player
              http://unity3d.com/webplayer/
Versions:     <= 3.2.0.61061
Platforms:    Windows
Bug:          heap corruption
Exploitation: remote
Date:         21 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Unity 3D is a game engine used in various games, and its web player
allows these games (unity3d extension) to be played directly from the
web browser.

#######################################################################

======
2) Bug
======

Heap corruption caused by a negative 32-bit size value, which allows
the execution of malicious code.

The problem is caused by the modification of the 64-bit uncompressed
size (handled as 32-bit by the plugin) of the lzma header, which is
composed of the following fields (from lzma86.h):

  Offset Size Description
    0     1   = 0 - no filter, pure LZMA
              = 1 - x86 filter + LZMA
    1     1   lc, lp and pb in encoded form
    2     4   dictSize (little endian)
    6     8   uncompressed size (little endian)

The read of the 64-bit field as a 32-bit one (CMP EAX,4: the loop
below accumulates only the first four bytes into [ESI+A4]) and some of
the subsequent operations:

  070BEDA3   33C0             XOR EAX,EAX
  070BEDA5   895D 08          MOV DWORD PTR SS:[EBP+8],EBX
  070BEDA8   83F8 04          CMP EAX,4
  070BEDAB   73 10            JNB SHORT webplaye.070BEDBD
  070BEDAD   0FB65438 05      MOVZX EDX,BYTE PTR DS:[EAX+EDI+5]
  070BEDB2   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
  070BEDB5   D3E2             SHL EDX,CL
  070BEDB7   0196 A4000000    ADD DWORD PTR DS:[ESI+A4],EDX
  070BEDBD   8345 08 08       ADD DWORD PTR SS:[EBP+8],8
  070BEDC1   40               INC EAX
  070BEDC2   837D 08 40       CMP DWORD PTR SS:[EBP+8],40
  070BEDC6  ^72 E0            JB SHORT webplaye.070BEDA8
  070BEDC8   6A 4A            PUSH 4A
  070BEDCA   68 280A4B07      PUSH webplaye.074B0A28         ; ASCII "C:/BuildAgent/work/b0bcff80449a48aa/PlatformDependent/CommonWebPlugin/CompressedFileStream.cpp"
  070BEDCF   53               PUSH EBX
  070BEDD0   FF35 84635407    PUSH DWORD PTR DS:[7546384]
  070BEDD6   6A 04            PUSH 4
  070BEDD8   68 00000400      PUSH 40000
  070BEDDD   E8 BA29E4FF      CALL webplaye.06F0179C
  ...
  070BEC6B   8B86 A4000000    MOV EAX,DWORD PTR DS:[ESI+A4]  ; our value
  070BEC71   2B86 A8000000    SUB EAX,DWORD PTR DS:[ESI+A8]
  070BEC77   33C9             XOR ECX,ECX
  070BEC79   3D 00000400      CMP EAX,40000
  070BEC7E   C745 FC 00000400 MOV DWORD PTR SS:[EBP-4],40000
  070BEC85   7F 04            JG SHORT webplaye.070BEC8B     ; signed comparison
  070BEC87   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX   ; replace 0x40000 with our value
  ...
  070C0DAB   2975 FC          SUB DWORD PTR SS:[EBP-4],ESI

The provided proof-of-concept is not optimized, but it should show a
write4 and (tested on Firefox) EIP pointing to an invalid memory zone
after various continuable exceptions.

A script describing the format of the unity3d files is available here:

  http://aluigi.org/papers/bms/unity3d_webplayer.bms

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/unity3d_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
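The truncated read and the signed bound check described in section 2, modelled in C as an added example (not Unity's code): a parser that keeps the full 64-bit uncompressed size from the lzma86.h header, the flawed chunk-size computation beside a hardened one. All function and field names are assumptions; the 14-byte header layout and the 0x40000 limit come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not Unity's code: models the header read and the
   chunk-size check described in the advisory, plus a hardened version.
   Function and field names are assumptions. */

#define LZMA86_HEADER_SIZE 14
#define CHUNK_MAX 0x40000u   /* the 0x40000 constant in the disassembly */

typedef struct {
    uint8_t  filter;        /* 0 = pure LZMA, 1 = x86 filter + LZMA */
    uint8_t  props;         /* lc, lp and pb in encoded form */
    uint32_t dict_size;     /* little endian, 4 bytes */
    uint64_t uncompressed;  /* little endian, 8 bytes */
} lzma86_header;

static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Parses all 14 header bytes; fails on short input. */
bool parse_lzma86_header(const uint8_t *buf, size_t len, lzma86_header *h) {
    if (buf == NULL || h == NULL || len < LZMA86_HEADER_SIZE) return false;
    h->filter = buf[0];
    h->props = buf[1];
    h->dict_size = (uint32_t)rd_le(buf + 2, 4);
    h->uncompressed = rd_le(buf + 6, 8);
    return true;
}

/* Flawed logic as at 070BEC6B: only the low 32 bits of the size survive
   (the MOVZX loop stops after 4 bytes) and "size - already_read" is
   compared SIGNED against 0x40000 (JG), so a negative remainder passes. */
int32_t flawed_chunk_size(uint32_t size32, uint32_t already_read) {
    int32_t remaining = (int32_t)(size32 - already_read);
    return remaining > (int32_t)CHUNK_MAX ? (int32_t)CHUNK_MAX : remaining;
}

/* Hardened logic: keep the full 64-bit size, refuse sizes a 32-bit plugin
   cannot address, refuse already_read > size, compare unsigned. */
bool safe_chunk_size(uint64_t size64, uint64_t already_read, uint32_t *out) {
    if (out == NULL || size64 > UINT32_MAX || already_read > size64) return false;
    uint64_t remaining = size64 - already_read;
    *out = remaining > CHUNK_MAX ? CHUNK_MAX : (uint32_t)remaining;
    return true;
}
```

With a header whose 8-byte size has 0x80000000 in its low 32 bits, the flawed path yields a negative chunk size while the hardened path rejects the header outright.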