AOH :: HP Unsorted Nums :: BX3582.HTM

5th street format string vuln



Format string vulnerability in 5th street
Format string vulnerability in 5th street



This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF99AD827D3F83DC3DE7334E1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

BLUE MOON SECURITY ADVISORY 2008-07
==================================

:Title: Format string vulnerability in 5th street (Hot Step, High Street 5)
:Severity: Critical
:Reporter: Blue Moon Consulting, superkhung
:Products: 5th street and derived clients
:Fixed in: --


Description
-----------

5th street is a massively multiplayer online dance game produced by
Snail Game and distributed in countries such as Malaysia, Singapore and
Vietnam under different names High Street 5, Hot Step.

5th street contains a format string vulnerability in its
``dx8render.dll`` module. Before a chat message is rendered in a
balloon, this message is used as a format string in a call to
``vsnwprintf`` function.

This vulnerability allows an attacker to remotely and instantly crash
other players' clients. If carefully exploited, this will also lead to
arbitrary code execution on the target machine.

Workaround
----------

There is no workaround.

Fix
---

Customers are advised to contact your local game distributor in order to
obtain a proper fix.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0
`_ in notifying vendors. 

:Initial vendor contact:

June 15, 2008: Initial contact sent to overseas@snailgame.net 

  June 17, 2008: Another request for communication sent to
overseas@snailgame.net and local game distributors 

:Vendor response:

  June 17, 2008: Further communication requested to be sent to James
Gaoyu of Snail Game

:Further communication:

  June 17, 2008: Technical details and request for estimated time of a
patch sent to James Gaoyu

  June 22, 2008: Request for estimated time of a patch sent to James Gaoyu

  June 23, 2008: Alert sent to local game distributors

:Public disclosure: June 25, 2008

:Exploit code: Send a chat message containing ``%5000000.x``

Disclaimer
----------

The information provided in this advisory is provided "as is" without
warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. Your use of the
information on the advisory or materials linked from the advisory is at
your own risk. Blue Moon Consulting Co., Ltd reserves the right to
change or update this notice at any time.


--------------enigF99AD827D3F83DC3DE7334E1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkhiIeEACgkQbKzcTD214ZcNbQCcDN5c0dyA4nsB3ajlIi0C+pl6
Rt8AnjBV9I7E8YuQCxXniPkk1Qz6R/Yq
=si1M
-----END PGP SIGNATURE-----

--------------enigF99AD827D3F83DC3DE7334E1--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.