-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

       StoneTrip S3DPlayers remote command injection


1. *Advisory Information*

Title: StoneTrip S3DPlayers remote command injection
Advisory ID: CORE-2009-0401
Advisory URL: http://www.coresecurity.com/content/StoneTrip-S3DPlayers
Date published: 2009-05-28
Date of last update: 2009-05-28
Vendors contacted: StoneTrip
Release mode: User release


2. *Vulnerability Information*

Class: Command injection, Client side
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35105
CVE Name: CVE-2009-1792


3. *Vulnerability Description*

Ston3D is a cross-platform technology developed by StoneTrip [1],
allowing applications developed with ShiVa product [2] to be run from
various media. It is a platform for 3D real time development, specially
designed to make games and other real time applications.

Ston3D players come in two flavors:

   1. Ston3D StandalonePlayer [3],
   2. and Ston3D WebPlayer [4], which runs like an extension or plug-in
within most popular web browsers.

These players are vulnerable to a command injection vulnerability, which
can be exploited by malicious remote attackers. The vulnerability is due
to the Ston3D scripting language. It provides the function
'system.openURL()' which does not properly sanitize the input before
using it. This can be exploited to execute arbitrary commands with the
privileges of the Stone3D player by opening a specially crafted file.


4. *Vulnerable packages*

4.1. *Win32*

   . S3DPlayer Web v1.6.0.0
   . S3DPlayer StandAlone v1.6.2.4
   . S3DPlayer StandAlone v1.7.0.1

4.2. *MacOS*

   . S3DPlayer Web v1.6.0.0
   . S3DPlayer StandAlone v1.6.2.4

4.3. *Linux*

   . S3DPlayer StandAlone v1.6.2.4

NOTE: Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

By the time this advisory was published, the vendor:

   1. had not released patched versions of its products,
   2. had not answered the requests made by Core Security for 3 weeks
(see Section 9).

Please contact StoneTrip for a fix.


6. *Vendor Information, Solutions and Workarounds*

The vendor did not provide this information. A possible mitigation
action would be to enable MIME type filtering in your IDS/proxies and
block S3DPlayer traffic:

/-----------

application/x-ston3d-stk
- -----------/

As a workaround, vulnerable users can also avoid this flaw by disabling
the Ston3D Plugin in their web browsers:


6.1. *Mozilla Firefox*

   1. Go to the *Tools* menu, and select *Options...*
   2. Click on the *Main* tab
   3. Click on the *Manage Add-ons...*
   4. Disable *Ston3D Plugin*


6.2. *Safari*

   1. Go to the *Safari* menu within Safari, and select *Preferences*
   2. Click on the *Security * tab
   3. Deselect *Enable plug-ins*


6.3. *Internet Explorer*

Set the kill bit for control 7508D2BB-F085-45BF-8261-167C6DF4D477 (as
explained in http://support.microsoft.com/kb/240797).

Please contact StoneTrip for further information, patches and workarounds.


7. *Credits*

This vulnerability was discovered and researched by Diego Juarez from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Ston3D is a cross-platform technology allowing applications developed
with ShiVa product [2] to be run from various media, such as a website,
CD/DVD or interactive equipment. This technology provides a scripting
interface [5] based on the Lua programming language, within this
interface the function 'system.openURL' is defined as follows:

/-----------

Prototype
system.openURL(sURL, sTarget)    --Call this function to open an URL.

- -----------/

In the current implementation, the call 'system.openURL(sURL, sTarget)'
with the parameter 'sURL' set as 'file://path/command' will ultimately
execute the equivalent of calling

/-----------
system("open path/command");
- -----------/

 By using platform specific delimiter characters this could allow
arbitrary code execution in the context of the player.

Find below the relevant code snippets from various platforms.


8.1. *Windows*

/-----------

.text:1000D64D    test    esi, esi
.text:1000D64F    mov     eax, esi
.text:1000D651    jnz     short loc_1000D658
.text:1000D653
.text:1000D653 loc_1000D653:                ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1CB
.text:1000D653    mov     eax, offset Name
.text:1000D658
.text:1000D658 loc_1000D658:                ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1D1
.text:1000D658    push    1
.text:1000D65A    push    offset Name       ; lpDirectory
.text:1000D65F    push    ecx               ; lpParameters
.text:1000D660    push    eax               ; lpFile
.text:1000D661    push    offset Operation  ; "open"
.text:1000D666    push    0                 ; hwnd
.text:1000D668    call    ds:ShellExecuteA
.text:1000D66E
.text:1000D66E loc_1000D66E:                ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
const &,Pandora::EngineCore::String const &)+1B0
.text:1000D66E    test    edi, edi
.text:1000D670    jbe     short loc_1000D67F
.text:1000D672    test    esi, esi
.text:1000D674    jz      short loc_1000D67F
.text:1000D676    add     esi, 0FFFFFFFCh
.text:1000D679    push    esi               ; Memory
.text:1000D67A    call    ebp               ; __imp_free

- -----------/


8.2. *Linux*

/-----------

.text:08371334    mov     [esp+5Ch+var_58], offset aOpen ; "open "
.text:0837133C    lea     eax, [esp+5Ch+var_34]
.text:08371340    mov     [esp+5Ch+command], eax
.text:08371343    call    sub_8109FC0
.text:08371348    lea     eax, [esp+5Ch+var_1C]
.text:0837134C    mov     [esp+5Ch+var_58], eax
.text:08371350    lea     eax, [esp+5Ch+var_34]
.text:08371354    mov     [esp+5Ch+command], eax
.text:08371357    call    sub_8108F10
.text:0837135C    lea     eax, [esp+5Ch+var_34]
.text:08371360    mov     [esp+5Ch+command], eax
.text:08371363    call    sub_80DF660
.text:08371368    mov     [esp+5Ch+command], eax
.text:0837136B    call    _system
.text:08371370    lea     eax, [esp+5Ch+var_34]
.text:08371374    mov     [esp+5Ch+command], eax
.text:08371377    call    sub_80D92F0
.text:0837137C    jmp     short loc_8371398

- -----------/


8.3. *MacOSX (x86)*

/-----------

__text:0005995B   lea     eax, (aOpen - 597ECh)[ebx] ; "open "
__text:00059961   lea     esi, [esp+5Ch+var_44]
__text:00059965   mov     [esp+5Ch+var_58], eax
__text:00059969   mov     [esp+5Ch+var_5C], esi
__text:0005996C   call    __ZN7Pandora10EngineCore6StringC1EPKc ;
Pandora::EngineCore::String::String(char  const*)
__text:00059971   mov     [esp+5Ch+var_58], edi
__text:00059975   mov     [esp+5Ch+var_5C], esi
__text:00059978   call    __ZN7Pandora10EngineCore6StringpLERKS1_
__text:0005997D   mov     edx, [esp+5Ch+var_44]
__text:00059981   test    edx, edx
__text:00059983   jz      loc_59A5F
__text:00059989   mov     eax, [esp+5Ch+var_40]
__text:0005998D   test    eax, eax
__text:0005998F   jz      loc_59A5F
__text:00059995
__text:00059995 loc_59995:                              ; CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
 const&,Pandora::EngineCore::String  const&)+295
__text:00059995   mov     [esp+5Ch+var_5C], eax
__text:00059998   call    _system
__text:0005999D   mov     eax, [esp+5Ch+var_44]
__text:000599A1   test    eax, eax
__text:000599A3   jnz     loc_59AB2
__text:000599A9   nop     dword ptr [eax+00000000h]

- -----------/


8.4. *MacOSX (PPC)*

/-----------

__text:00053D6C   addi    %r30, %sp, 0x90+var_38
__text:00053D70   addis   %r4, %r31, 0x3F
__text:00053D74   addi    %r4, %r4, -0x29DC
__text:00053D78   mr      %r3, %r30
__text:00053D7C   bl      __ZN7Pandora10EngineCore6StringC1EPKc #
Pandora::EngineCore::String::String(char  const*)
__text:00053D80   mr      %r3, %r30
__text:00053D84   mr      %r4, %r29
__text:00053D88   bl      __ZN7Pandora10EngineCore6StringpLERKS1_
__text:00053D8C   lwz     %r0, 0x90+var_38(%sp)
__text:00053D90   cmpwi   cr7, %r0, 0
__text:00053D94   beq     cr7, loc_53DA4
__text:00053D98   lwz     %r3, 0x90+var_34(%sp)
__text:00053D9C   cmpwi   cr7, %r3, 0
__text:00053DA0   bc      5, 4*cr7+eq, loc_53DAC
__text:00053DA4
__text:00053DA4 loc_53DA4:                              # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
 const&,Pandora::EngineCore::String  const&)+394
__text:00053DA4   addis   %rtoc, %r31, 0x3F
__text:00053DA8   addi    %r3, %rtoc, -0x5620
__text:00053DAC
__text:00053DAC loc_53DAC:                              # CODE XREF:
Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String
 const&,Pandora::EngineCore::String  const&)+3A0
__text:00053DAC   bl      _system
__text:00053DB0   lwz     %r0, 0x90+var_38(%sp)
__text:00053DB4   cmpwi   cr7, %r0, 0
__text:00053DB8   beq     cr7, loc_53E24
__text:00053DBC   b       loc_53DF8

- -----------/


9. *Report Timeline*

. 2009-04-20:
Core Security Technologies notifies the StoneTrip team of
the vulnerability and announces its initial plan to publish the content
on May 18th, 2009.

. 2009-04-21:
The vendor asks Core for a technical description of the
vulnerability.

. 2009-04-23:
Technical details sent to StoneTrip team by Core.

. 2009-04-24:
In addition to the technical details, a Proof of Concept
was sent to StoneTrip team.

. 2009-04-28:
Core asks the vendor to confirm the reception of the
technical report.

. 2009-04-28:
StoneTrip team notifies that the technical report has been
received and that a vulnerability report will be sent to Core soon.

. 2009-05-07:
Core requests a status update for this vulnerability and
notifies its plan to publish the advisory on May 18th, 2009. No reply
received.

. 2009-05-15:
Core requests an answer to the previous mail. No reply
received.

. 2009-05-18:
Core Advisories Team does not release the advisory as
originally planned. Core re-schedules the advisory publication date to
26th May 2009.

. 2009-05-20:
Core notifies StoneTrip that the advisory publication date
was missed and that the last status requests were not replied. Core also
notifies the vendor of the final release date (26th May 2009).

. 2009-05-28:
After trying to contact the StoneTrip team several times
without success, the advisory CORE-2009-0401 is published as 'User
Release'.


10. *References*

[1] http://www.stonetrip.com.
[2] ShiVa, a platform for 3D real time development with focus in game
development
http://www.stonetrip.com/shiva/shiva-3d-game-engine.html.
[3] http://www.stonetrip.com/ston3d-players/ston3d-standalone.html.
[4] http://www.stonetrip.com/ston3d-players/ston3d-webplayer.html.
[5] http://stdn.stonetrip.com.


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKHuAiyNibggitWa0RAgJTAJsEXfUBmIjxmY7X4hplONY/Z0DOJgCfUKxJ
F9s8R8PuYBiIhvLANh3XmhE=
=kU8D
-----END PGP SIGNATURE-----