############################################################### ThreeZee Technology, Inc. Security Advisory #TZT002 ############################################################### Advisory: GameSpy Arcade Arbitrary File Writing Discovered: July 26, 2003 Released: July 31, 2003 Risk: Critical; Allows writing of a file to any location on the victim's system. Author: Mike Kristovich, Security Researcher ThreeZee Technology, Inc. http://www.ThreeZee.com ############################################################### Table of contents: 1) Introduction 2) The Bug 3) Details 4) Fix 5) Philosophy 6) Closing comments _______________________________________________________________ 1) Introduction The problem exists within GSAPAK.EXE, a game update agent which is included by default with the installation of GameSpy Arcade. GameSpy automatically adds three mime types to the list of accepted documents in Internet Explorer and Netscape Navigator, which are: "application/x-gsarcade-usersvc" "application/x-gsarcade-skinpak" "application/x-gsarcade-launch" By default, when a file with the extension of .APK, .arcade or .asn is received, it will be launched by GSAPAK.exe. _______________________________________________________________ 2) The Bug When a user receives a file with the .APK extension, it is actually a simple ZIP file. An attacker could simply construct a ZIP file, and change the path so that it would by extracted into the root directory of the drive, or even the startup directory of Windows. Using this method, it would be quite easy to insert a virus, trojan horse, or pretty much anything one desires, into the victim's system. i.e.: ../../../calc.exe - Would put it in the root directory Because the file is considered an accepted type by browsers, there will be no dialog asking the user to accept or deny receiving it. _______________________________________________________________ 3) Risk If a user were to have JavaScript enabled, the attacker could even add "onLoad=" to an IMG tag on a web page, which would run the file upon the image being loaded. This could have serious consequences on Gaming Forums. This bug does not require GameSpy Arcade to run, or ever have run. It's possible that it has been installed along with a game, and hasn't been touched. This does not make the user safe. GSAPAK.exe is a separate entity in the GameSpy package, and is useful for the purpose they've created it. _______________________________________________________________ 4) Fix GameSpy was notified on July 28, 2003. GameSpy responded very quickly, and they were on their way to fixing the bug within 12 hours of the initial contact. Directory of GameSpy Technology, David Wright, has told TZT that this vulnerability will be fixed in a patch this week. We'd like to thank GameSpy for their extremely fast response and professionalism in handling this matter. Current GameSpy Arcade users should see the patch, and be given the option (possibly required) to update. We suggest the latter. If you have concerns about waiting for the patch, it can be temporarily fixed by removing the above specified accepted documents from the registry. You could also remove GSAPAK.exe, or you could even choose to uninstall GameSpy Arcade until the patch becomes available later this week. _______________________________________________________________ 5) Philosophy GameSpy has hundreds of thousands of users, most of which are using GameSpy Arcade and are vulnerable to this bug. This bug has now been disclosed, and all users should patch their system as soon as the patch is available. Keep in mind, your system will still be vulnerable even if you've installed GameSpy Arcade, but never ran it. _______________________________________________________________ 6) Closing comments We would like to thank GameSpy and David Wright for their prompt handling of the bug report, again. _______________________________________________________________ 7) Contact Questions, comments, complaints: Mike Kristovich, Security Researcher ThreeZee Technology, Inc. http://www.ThreeZee.com zzz@threezee.com Press inquiries: press@threezee.com