Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun

Zero Science Lab (zeroscience.mk) | Gjoko Krstic | Advisory ID: ZSL-2021-5651
Published: Apr 30, 2021

CVSS v3.1: 7.8 High
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  Attack Vector: Local | Attack Complexity: Low | Privileges Required: None | User Interaction: Required
  Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High

CVSS v2: 9.3 High
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  Access Vector: Network | Access Complexity: Medium | Authentication: None
  Confidentiality: Complete | Integrity: Complete | Availability: Complete

EPSS: 0.003 Low (percentile 69.2%)

Title: Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun
Advisory ID: ZSL-2021-5651
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 30.04.2021

Summary

Rocket League is a high-powered hybrid of arcade-style soccer and vehicular mayhem with easy-to-understand controls and fluid, physics-driven competition.

Description

The game suffers from a stack-based buffer overflow vulnerability. The issue is caused by a boundary error in the processing of a UPK (Unreal package) file, which can be exploited to cause a stack buffer overflow when a crafted file carries a large array of bytes at an offset shortly after the magic header (C1 83 2A 9E 64 03 1F 00). The crafted file has to be placed in the game's ..\rocketleague\TAGame\CookedPCConsole directory, from which the game reads and parses it. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

0:000> g
(3568.230c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
RocketLeague!AK::MemoryMgr::GetPoolName+0x84164:
00007ff6`4a660424 cd29            int     29h
--------------------------------------------------------------------------------

Vendor

Epic Games Inc. - <https://www.epicgames.com> | <https://www.rocketleague.com>
Psyonix, LLC - <https://www.psyonix.com>

Affected Version

<=1.95

Tested On

Microsoft Windows 10

Vendor Status

[25.04.2021] Vulnerability discovered.
[26.04.2021] Vendor contacted.
[26.04.2021] Vendor responds with instructions to open a ticket at HackerOne.
[26.04.2021] ZSL creates a ticket on HackerOne, asking if this is something they can handle or is in scope.
[26.04.2021] HackerOne reviews the question.
[26.04.2021] HackerOne states that RCE due to a BoF is in scope but, because no PoC was provided, closes the ticket.
[28.04.2021] ZSL provides PoC file.
[28.04.2021] HackerOne reopens the ticket, asking further details.
[28.04.2021] ZSL provides further details and video demonstrating the issue.
[30.04.2021] HackerOne states that folder CookedPCConsole is not writable for the Limited user. Administrator privilege is required to inject the payload, therefore, this privilege escalation scenario cannot be accepted as valid. For this scenario to be accepted as a valid RCE scenario, you must be able to inject the payload as a Limited User, and you can execute cmd.exe and demonstrate the privilege escalation scenario.
[30.04.2021] HackerOne closes the ticket and changes the status to Informative.
[30.04.2021] ZSL explains that there are insecure permissions on the folder that can allow payload injection and EoP. Further, code execution is possible through the BoF (which is a vulnerability). ZSL did not want to provide a weaponized PoC that pops calc.exe, stating that the provided PoC UPK crash file is sufficient to confirm the issue.
[30.04.2021] Public security advisory released.

PoC

rocketleague_bof.txt
rocketleague_hats.rar

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://packetstormsecurity.com/files/162436/Epic-Games-Rocket-League-1.95-Stack-Buffer-Overrun.html>
[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/201129>
[3] <https://vulners.com/cve/CVE-2021-32238>
[4] <https://nvd.nist.gov/vuln/detail/CVE-2021-32238>
[5] <https://ubuntu.com/security/CVE-2021-32238>
[6] <https://security-tracker.debian.org/tracker/CVE-2021-32238>
[7] <https://www.cvedetails.com/cve/CVE-2021-32238/>
[8] <https://vuldb.com/?id.175346>
[9] <https://www.exploit-db.com/exploits/49848>
[10] <https://cxsecurity.com/issue/WLB-2021050075>
[11] <https://exchange.xforce.ibmcloud.com/vulnerabilities/201456>

Changelog

[30.04.2021] - Initial release
[04.05.2021] - Added reference [1] and [2]
[19.06.2021] - Added reference [3], [4], [5], [6], [7], [8], [9], [10] and [11]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun


Advisory ID: ZSL-2021-5651
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic (@zeroscience) on 25.04.2021.

--


Craft location: ..\rocketleague\TAGame\CookedPCConsole
Header: C1 83 2A 9E 64 03 1F 00

hat_Headphones_SF.upk:
----------------------
...
...
ModLoad: 00007ff9`99ff0000 00007ff9`9a016000   C:\WINDOWS\system32\ncryptsslp.dll
ModLoad: 00007ff9`32d70000 00007ff9`36a00000   C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_e9f7884f9b4f82b9\igd9dxva64.dll
ModLoad: 00007ff9`315b0000 00007ff9`32d68000   C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvd3dumx.dll
ModLoad: 00000000`00400000 00000000`0041e000   E:\Epic Games\rocketleague\Binaries\Win64\XINPUT1_3.dll
ModLoad: 00007ff9`8dac0000 00007ff9`8db6c000   C:\WINDOWS\SYSTEM32\TextShaping.dll
[0110.33] Log: Timed out while waiting for GPU to catch up. (500 ms)
(62c.1074): Unknown exception - code 00000001 (!!! second chance !!!)
KERNELBASE!RaiseException+0x69:
00007ff9`a0364b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> r
rax=00007ff99feeb925 rbx=0000000000000000 rcx=0000000000000000
rdx=000000214edfe8b0 rsi=000000214edfef50 rdi=000000214edfe700
rip=00007ff9a0364b59 rsp=000000214edfef30 rbp=0000000000000000
 r8=000000214edfedb0  r9=0000000000000000 r10=00000000000000c0
r11=000000214edfee2e r12=0000000000000000 r13=00007ff776205bb0
r14=00007ff776dab710 r15=000000214edff8a0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000204
KERNELBASE!RaiseException+0x69:
00007ff9`a0364b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\Epic Games\rocketleague\Binaries\Win64\EOSSDK-Win64-Shipping.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvwgf2umx.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\Overlay\EOSOVH-Win64-Shipping.dll - 
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2
DUMP_QUALIFIER: 0

FAULTING_IP: 
KERNELBASE!RaiseException+69
00007ffe`d4d64b59 0f1f440000      nop     dword ptr [rax+rax]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffed4d64b59 (KERNELBASE!RaiseException+0x0000000000000069)
   ExceptionCode: 00000001
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00000490
DEFAULT_BUCKET_ID:  APPLICATION_FAULT
PROCESS_NAME:  RocketLeague.exe
ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1
EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function.
EXCEPTION_CODE_STR:  1
WATSON_BKT_PROCSTAMP:  606f6afa
WATSON_BKT_PROCVER:  1.0.10897.0
PROCESS_VER_PRODUCT:  Rocket League
WATSON_BKT_MODULE:  KERNELBASE.dll
WATSON_BKT_MODSTAMP:  2f2f77bf
WATSON_BKT_MODOFFSET:  34b59
WATSON_BKT_MODVER:  10.0.19041.906
MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System
BUILD_VERSION_STRING:  10.0.19041.928 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH:  ac197712fdc57f2bb67f9b17107e5701c93b4362
MODLIST_SHA1_HASH:  342698e051c108fd7be71346f5d34f8a14c38381
NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  784
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  LAB17
ANALYSIS_SESSION_TIME:  04-25-2021 13:23:34.0003
ANALYSIS_VERSION: 10.0.16299.91 amd64fre
THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n308]
    Type:   [APPLICATION_FAULT]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

BUGCHECK_STR:  APPLICATION_FAULT
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
LAST_CONTROL_TRANSFER:  from 00007ff78f1cbf65 to 00007ffed4d64b59

STACK_TEXT:  
00000089`23dfe910 00007ff7`8f1cbf65 : 00007ff7`9123b710 00000000`000002f8 00007ff7`906e5190 00000089`23dfea20 : KERNELBASE!RaiseException+0x69
00000089`23dfe9f0 00007ff7`8f190215 : 00000089`23dff710 00000089`23dff5d0 00000089`23dff710 00007ffe`d72ee25f : RocketLeague!GetOutermost+0x29245
00000089`23dff250 00007ff7`8f123466 : 00000089`23dff710 00007ff7`906eb668 00000199`6cf33e40 00000089`23dfe828 : RocketLeague!AK::MusicEngine::Term+0xfce95
00000089`23dff4d0 00007ff7`8f1297f9 : 0000019a`00000001 00000000`00000000 00000089`23dff770 00000199`00000001 : RocketLeague!AK::MusicEngine::Term+0x900e6
00000089`23dff6d0 00007ff7`8f1d1e40 : 00000000`00000001 00000000`00000001 0000019a`00000000 00000199`6d26ffd0 : RocketLeague!AK::MusicEngine::Term+0x96479
00000089`23dff850 00007ffe`d6297034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!Scaleform::System::Init+0x11c0
00000089`23dff880 00007ffe`d7302651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000089`23dff8b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

THREAD_SHA1_HASH_MOD_FUNC:  b03d2da27c20caaf2a76cdae45ff251160c76115
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  ff5c11b082c48239ef2666814fc4e06663a8c892
THREAD_SHA1_HASH_MOD:  96a23e97d7538141fe1b904de60919531df8b505

FOLLOWUP_IP: 
RocketLeague!GetOutermost+29245
00007ff7`8f1cbf65 eb13            jmp     RocketLeague!GetOutermost+0x2925a (00007ff7`8f1cbf7a)

FAULT_INSTR_CODE:  8b4813eb
SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  rocketleague!GetOutermost+29245
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: RocketLeague
IMAGE_NAME:  RocketLeague.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  606f6afa
STACK_COMMAND:  ~24s ; .cxr ; kb
FAILURE_BUCKET_ID:  APPLICATION_FAULT_1_RocketLeague.exe!GetOutermost
BUCKET_ID:  APPLICATION_FAULT_rocketleague!GetOutermost+29245
FAILURE_EXCEPTION_CODE:  1
FAILURE_IMAGE_NAME:  RocketLeague.exe
BUCKET_ID_IMAGE_STR:  RocketLeague.exe
FAILURE_MODULE_NAME:  RocketLeague
BUCKET_ID_MODULE_STR:  RocketLeague
FAILURE_FUNCTION_NAME:  GetOutermost
BUCKET_ID_FUNCTION_STR:  GetOutermost
BUCKET_ID_OFFSET:  29245
BUCKET_ID_MODTIMEDATESTAMP:  606f6afa
BUCKET_ID_MODCHECKSUM:  251425f
BUCKET_ID_MODVER_STR:  1.0.10897.0
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_
FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
FAILURE_SYMBOL_NAME:  RocketLeague.exe!GetOutermost
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/RocketLeague.exe/1.0.10897.0/606f6afa/KERNELBASE.dll/10.0.19041.906/2f2f77bf/1/00034b59.htm?Retriage=1
TARGET_TIME:  2021-04-25T11:23:44.000Z
OSBUILD:  19042
OSSERVICEPACK:  928
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt SingleUserTS Personal
USER_LCID:  0
OSBUILD_TIMESTAMP:  2022-01-18 11:29:28
BUILDDATESTAMP_STR:  160101.0800
BUILDLAB_STR:  WinBuild
BUILDOSVER_STR:  10.0.19041.928
ANALYSIS_SESSION_ELAPSED_TIME:  795d
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:application_fault_1_rocketleague.exe!getoutermost
FAILURE_ID_HASH:  {ee1c73f7-ce6b-9e4a-8e1b-66937ecee43c}
Followup:     MachineOwner
...
...

(aa0.3818): Unknown exception - code 00000001 (first chance)
(aa0.3818): Unknown exception - code 00000001 (!!! second chance !!!)
KERNELBASE!RaiseException+0x69:
00007ffe`d4d64b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> g
[0188.65] Warning: Warning, Detected data corruption [header] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: appError called: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.65] Critical: Windows GetLastError: The operation completed successfully. (0)
[0188.65] Warning: Warning, Detected data corruption [undershoot] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.65] Warning: Warning, Detected data corruption [incorrect uncompressed size] calculated 1094795585 bytes, requested 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.66] DevBeacon: FWebSocket::ReadCloseReason this=000002B686633200 received opcode CLOSE. Code=1000 Reason=IdleTimeout
[0188.66] DevOnline: EOSSDK-LogEOS: Large tick time detected 22.5409



hat_peanut_SF.upk:
------------------
...
...
0:077> g
(3568.230c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcmp+0xee:
00007ffe`afc812de f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> r
rax=0000009852afeaf8 rbx=000001a1cc362268 rcx=ffffffff9c71eae4
rdx=0000010951ea4107 rsi=000001a1a49a4107 rdi=0000009852b00000
rip=00007ffeafc812de rsp=0000009852afe9c8 rbp=ffffffff9c71ffec
 r8=ffffffff9c71ffec  r9=00000000000000ff r10=000001a1a49a2bff
r11=0000009852afeaf8 r12=0000000000000000 r13=0000000000000000
r14=0000009852afeaf8 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memcmp+0xee:
00007ffe`afc812de f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> g
(3568.230c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE 
RocketLeague!AK::MemoryMgr::GetPoolName+0x84164:
00007ff6`4a660424 cd29            int     29h
0:000> .exr -1
ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE 
0:000> u 00007ff64a660424
RocketLeague!AK::MemoryMgr::GetPoolName+0x84164:
00007ff6`4a660424 cd29            int     29h
00007ff6`4a660426 488d0d3303f600  lea     rcx,[RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d678 (00007ff6`4b5c0760)]
00007ff6`4a66042d e8ca010000      call    RocketLeague!AK::MemoryMgr::GetPoolName+0x8433c (00007ff6`4a6605fc)
00007ff6`4a660432 488b442438      mov     rax,qword ptr [rsp+38h]
00007ff6`4a660437 4889051a04f600  mov     qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d770 (00007ff6`4b5c0858)],rax
00007ff6`4a66043e 488d442438      lea     rax,[rsp+38h]
00007ff6`4a660443 4883c008        add     rax,8
00007ff6`4a660447 488905aa03f600  mov     qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d710 (00007ff6`4b5c07f8)],rax
0:000> kb 10
 # RetAddr               : Args to Child                                                           : Call Site
00 00007ff6`4a65fdcf     : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164
01 00007ffe`d735207f     : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f
02 00007ffe`d7301454     : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf
03 00007ffe`d7350bae     : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244
04 00007ffe`afc812de     : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e
05 00007ff6`4948a38b     : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe [d:\agent\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 114] 
06 00007ff6`494fe648     : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b
07 00007ff6`494e3e65     : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8
08 fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5
09 efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0a fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0b efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0c fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0d efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0e fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0f efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0:000> !analyze -m
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 5640

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 6467

    Key  : Analysis.Init.CPU.mSec
    Value: 400749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 1699165

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 261

    Key  : FailFast.Name
    Value: STACK_COOKIE_CHECK_FAILURE

    Key  : FailFast.Type
    Value: 2

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 215108

    Key  : Timeline.Process.Start.DeltaSec
    Value: 1744

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 1.0.10897.0


NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE 

FAULTING_THREAD:  0000230c
PROCESS_NAME:  RocketLeague.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  0000000000000002

STACK_TEXT:  
00000098`52afda90 00007ff6`4a65fdcf     : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164
00000098`52afdad0 00007ffe`d735207f     : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f
00000098`52afdb00 00007ffe`d7301454     : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf
00000098`52afdb30 00007ffe`d7350bae     : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244
00000098`52afe240 00007ffe`afc812de     : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e
00000098`52afe9c8 00007ff6`4948a38b     : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe
00000098`52afe9e0 00007ff6`494fe648     : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b
00000098`52afea20 00007ff6`494e3e65     : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8
00000098`52afeab0 fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5
...
...

STACK_COMMAND:  ~0s ; .cxr ; kb
SYMBOL_NAME:  RocketLeague!AK::MemoryMgr::GetPoolName+84164
MODULE_NAME: RocketLeague
IMAGE_NAME:  RocketLeague.exe
FAILURE_BUCKET_ID:  FAIL_FAST_STACK_BUFFER_OVERRUN_STACK_COOKIE_CHECK_FAILURE_MISSING_GSFRAME_c0000409_RocketLeague.exe!AK::MemoryMgr::GetPoolName
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
IMAGE_VERSION:  1.0.10897.0
FAILURE_ID_HASH:  {3e6f3f5b-25bb-68b3-2a5b-232743df7884}
Followup:     MachineOwner
</p></body></html>
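The dump for hat_peanut_SF.upk shows what the "boundary error" in the description looks like at the instruction level. VCRUNTIME140!memcpy_repmovs faults on `rep movs byte ptr [rdi],byte ptr [rsi]` with the byte count rcx=ffffffff9c71eae4 and the original size argument r8=ffffffff9c71ffec, a sign-extended negative 32-bit value; rax (the original destination, 0000009852afeaf8) and rdi (0000009852b00000) differ by 0x1508 bytes, the amount written before the copy ran into an unmapped page above the stack. The game log for the other sample reports an uncompressed size "calculated" as 1094795585 bytes, which is 0x41414141, the filler bytes read back as a size field. The cookie check then fires while the exception is dispatched (GetPoolName+0x83b0f sits directly under ntdll!RtlpExecuteHandlerForException), giving the FAST_FAIL_STACK_COOKIE_CHECK_FAILURE at the top of the dump. The C below is an added example and is not code from the advisory, from Psyonix or from Rocket League: it models that bug class on a hypothetical, simplified UPK chunk record (only the 4-byte package tag C1 83 2A 9E is taken from the advisory), parsed once in the vulnerable form and once with the size checks a parser needs. The sample files are constructed inline; their size fields reuse the numbers from the game log.

```c
/* Added example; not code from the advisory or from Rocket League.
 * Hypothetical, simplified UPK chunk record:
 *   u32 magic (0x9E2A83C1, on disk as C1 83 2A 9E)
 *   u32 compressed_size
 *   u32 uncompressed_size
 *   u8  data[compressed_size]                                          */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UPK_MAGIC 0x9E2A83C1u   /* little-endian bytes C1 83 2A 9E */
#define HDR_LEN   12u           /* magic + compressed_size + uncompressed_size */
#define CHUNK_MAX 4096u         /* capacity of the stack buffer in both parsers */

enum upk_status {
    UPK_OK = 0,
    UPK_BAD_MAGIC,   /* the game log's "[header]" class: tag mismatch or truncated header */
    UPK_BAD_SIZE,    /* "[incorrect uncompressed size]": a size field larger than the buffer */
    UPK_UNDERSHOOT   /* "[undershoot]": the record claims more bytes than the file holds */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable form. compressed_size is trusted, so a size field of 0x41414141
 * asks memcpy for about 1 GiB into a 4 KiB stack buffer: the copy runs off
 * the stack mapping (access violation inside memcpy) and this frame's /GS
 * cookie is destroyed (0xC0000409). Never call this on untrusted input. */
size_t parse_chunk_unsafe(const uint8_t *file, size_t len)
{
    uint8_t chunk[CHUNK_MAX];
    static volatile uint8_t sink;

    if (len < HDR_LEN || rd32le(file) != UPK_MAGIC)
        return 0;
    uint32_t csize = rd32le(file + 4);
    memcpy(chunk, file + HDR_LEN, csize);   /* no bounds check: csize is attacker-controlled */
    if (csize)
        sink = chunk[0];                    /* keeps the copy from being optimized away */
    return csize;
}

/* Hardened form: both size fields are checked against the buffer capacity,
 * and the compressed size against the bytes actually present, before any
 * copy happens. */
enum upk_status parse_chunk_safe(const uint8_t *file, size_t len, size_t *copied)
{
    uint8_t chunk[CHUNK_MAX];

    *copied = 0;
    if (len < HDR_LEN || rd32le(file) != UPK_MAGIC)
        return UPK_BAD_MAGIC;
    uint32_t csize = rd32le(file + 4);
    uint32_t usize = rd32le(file + 8);
    if (csize > CHUNK_MAX || usize > CHUNK_MAX)
        return UPK_BAD_SIZE;
    if (csize > len - HDR_LEN)              /* len >= HDR_LEN was checked above */
        return UPK_UNDERSHOOT;
    memcpy(chunk, file + HDR_LEN, csize);
    *copied = csize;
    return UPK_OK;
}

/* Constructed sample file: header with the given size fields, then `payload`
 * bytes of 'A' (0x41), the filler the log read back as 0x41414141.
 * Returns the total length, or 0 if the buffer is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t csize, uint32_t usize, size_t payload)
{
    static const uint8_t magic[4] = { 0xC1, 0x83, 0x2A, 0x9E };

    if (cap < HDR_LEN + payload)
        return 0;
    memcpy(buf, magic, 4);
    for (unsigned i = 0; i < 4; i++) {
        buf[4 + i] = (uint8_t)(csize >> (8 * i));
        buf[8 + i] = (uint8_t)(usize >> (8 * i));
    }
    memset(buf + HDR_LEN, 'A', payload);
    return HDR_LEN + payload;
}

int main(void)
{
    static const struct { const char *name; uint32_t csize, usize; } cases[] = {
        { "well-formed chunk",               16,          16          },
        { "size field 0x41414141",           0x41414141u, 0x41414141u },  /* "[incorrect uncompressed size]" */
        { "claims 2549 bytes, file has 16",  2549,        2549        },  /* "[undershoot]" */
    };
    uint8_t buf[256];
    size_t n, copied;

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        n = build_sample(buf, sizeof buf, cases[i].csize, cases[i].usize, 16);
        enum upk_status st = parse_chunk_safe(buf, n, &copied);
        printf("%-34s -> status %d, copied %zu bytes\n", cases[i].name, (int)st, copied);
    }
    /* Only the well-formed sample is safe to hand to the vulnerable parser. */
    n = build_sample(buf, sizeof buf, 16, 16, 16);
    printf("unsafe parser, well-formed chunk   -> copied %zu bytes\n", parse_chunk_unsafe(buf, n));
    return 0;
}
```

Feeding the 0x41414141 sample to parse_chunk_unsafe under a debugger reproduces the shape of the dump: the copy faults inside memcpy before the function's own epilogue could ever run the cookie check, and with MSVC /GS the check is reached anyway because the frame's exception handler validates the cookie during dispatch. The order of checks in parse_chunk_safe matters: the buffer-capacity test comes first so that an absurd size is rejected as such, and the file-length test second so that a plausible size in a truncated file is reported as an undershoot rather than silently copying past the end of the input.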
