Format string vulnerability in 5th street

2008.07.12
Credit: Nam Nguyen
Risk: High
Local: No
Remote: Yes
CWE: CWE-134


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

BLUE MOON SECURITY ADVISORY 2008-07 =================================== :Title: Format string vulnerability in 5th street (Hot Step, High Street 5) :Severity: Critical :Reporter: Blue Moon Consulting, superkhung :Products: 5th street and derived clients :Fixed in: -- Description ----------- 5th street is a massively multiplayer online dance game produced by Snail Game and distributed in countries such as Malaysia, Singapore and Vietnam under different names High Street 5, Hot Step. 5th street contains a format string vulnerability in its ``dx8render.dll`` module. Before a chat message is rendered in a balloon, this message is used as a format string in a call to ``vsnwprintf`` function. This vulnerability allows an attacker to remotely and instantly crash other players' clients. If carefully exploited, this will also lead to arbitrary code execution on the target machine. Workaround ---------- There is no workaround. Fix --- Customers are advised to contact your local game distributor in order to obtain a proper fix. Disclosure ---------- Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors. :Initial vendor contact: June 15, 2008: Initial contact sent to overseas (at) snailgame (dot) net [email concealed] June 17, 2008: Another request for communication sent to overseas (at) snailgame (dot) net [email concealed] and local game distributors :Vendor response: June 17, 2008: Further communication requested to be sent to James Gaoyu of Snail Game :Further communication: June 17, 2008: Technical details and request for estimated time of a patch sent to James Gaoyu June 22, 2008: Request for estimated time of a patch sent to James Gaoyu June 23, 2008: Alert sent to local game distributors :Public disclosure: June 25, 2008 :Exploit code: Send a chat message containing ``%5000000.x`` Disclaimer ---------- The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAkhiIeEACgkQbKzcTD214ZcNbQCcDN5c0dyA4nsB3ajlIi0C+pl6 Rt8AnjBV9I7E8YuQCxXniPkk1Qz6R/Yq =si1M -----END PGP SIGNATURE-----

References:

http://xforce.iss.net/xforce/xfdb/43370
http://www.securityfocus.com/bid/29928
http://www.securityfocus.com/archive/1/archive/1/493649/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top