Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability

Title: Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
Advisory ID: ZSL-2014-5187
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 17.06.2014
Summary
Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft. It is the fifth main title in the Rayman series and the direct sequel to the 2011 game Rayman Origins. The game was released for Microsoft Windows, Xbox 360, PlayStation 3, Wii U, and PlayStation Vita platforms in August and September 2013. PlayStation 4 and Xbox One versions were released in February 2014.
Description
The vulnerability is caused due to a memset() boundary error in the processing of incoming data thru raw socket connections on TCP port 1001, which can be exploited to cause a stack based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.

--------------------------------------------------------------------------------

(15a8.f0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
MSVCR100!memset+0x5f:
715e26df f3ab rep stos dword ptr es:[edi]
0:028> d esp
0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd...........
0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB"...PBK.
0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(.......
0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L...
0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<...
0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA
0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB
0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC

--------------------------------------------------------------------------------

Vendor
Ubisoft Entertainment S.A. - http://www.ubi.com
Affected Version
1.2.103716, 1.1.100477 and 1.0.95278
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[22.05.2014] Vulnerability discovered.
[23.05.2014] Vendor contacted.
[25.05.2014] Vendor responds forwarding communication to security department.
[26.05.2014] Vendor replies asking more details.
[26.05.2014] Sent details to the vendor.
[27.05.2014] Vendor confirms the vulnerability, scheduling a patch release date.
[17.06.2014] Vendor releases Patch 1.02.140380 (Rayman Legends 1.3.140380) to address this issue.
[17.06.2014] Coordinated public security advisory released.
PoC
gloogloo.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Marc-Andre!
References
[1] https://support.ubi.com/en-gb/FAQ.aspx?platformid=9&brandid=210&productid=4328&faqid=kA030000000eaKDCAY
[2] http://packetstormsecurity.com/files/127133
[3] http://www.exploit-db.com/exploits/33804/
[4] http://cxsecurity.com/issue/WLB-2014060096
[5] http://osvdb.org/show/osvdb/108219
[6] http://www.securityfocus.com/bid/68080
[7] http://1337day.com/exploit/22343
[8] http://www.vfocus.net/art/20140618/11587.html
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4334
[10] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4334
[11] http://xforce.iss.net/xforce/xfdb/93888
[12] http://secunia.com/advisories/59273/
Changelog
[17.06.2014] - Initial release
[18.06.2014] - Added reference [2], [3], [4], [5] and [6]
[19.06.2014] - Added reference [7] and [8]
[20.06.2014] - Added reference [9] and [10]
[05.07.2014] - Added reference [11]
[05.10.2014] - Added reference [12]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk