Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability

Low
Advisory ID
ZSL-2009-4916
Release Date
16 June 2009
Vendor
Neoact Co. Ltd. - http://www.carom3d.com
Affected Version
5.06
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

Carom 3D is an online multi-user billiard game created with special 3D graphic effects, bringing 6 ball, 9 ball, 8 ball and other billiard games to life.

Description

The world-famous Korean game Carom3D suffers from a buffer overflow and a denial of service vulnerability. The buffer overflow is triggered at runtime when more than 218 bytes are appended as an argument; ~1000 bytes overwrite the SEH. The denial of service is triggered when a user creates a LAN game (credentials needed), creates a room and waits for other players to join. While the game is waiting (listening on TCP port 28012), an attacker can lock up the GUI of the user who created the room with a simple HTTP GET/POST, so that the user can neither start the game nor exit its GUI except by a forced quit (X).
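The two conditions described above can be checked for in host and network telemetry. The following triage sketch is an added example, not part of the original advisory or the vendor's code; the event record layout, the executable name `carom3d.exe` and the UTF-16LE size counting are assumptions, and the sample events are constructed.

```python
import re

GAME_PORT = 28012   # LAN game listener, from the advisory
ARG_LIMIT = 218     # argument size in bytes past which the overrun is reported
IMAGE_NAME = "carom3d.exe"  # assumption: the advisory does not name the executable

# Request line of an HTTP GET/POST: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST) \S+ HTTP/\d\.\d\r?\n")

def http_on_game_port(event):
    """Flag a connection whose first payload to the game port is an HTTP request."""
    return (event["dst_port"] == GAME_PORT
            and HTTP_REQUEST_LINE.match(event["payload"]) is not None)

def oversized_argument(event):
    """Flag a launch of the game with any argument larger than ARG_LIMIT bytes.

    Assumption: size is counted as UTF-16LE (Windows wide strings); the
    advisory gives the figure in bytes without naming the encoding.
    """
    if not event["image"].lower().endswith(IMAGE_NAME):
        return False
    return any(len(a.encode("utf-16-le")) > ARG_LIMIT for a in event["args"])

def triage(events):
    """Return (event id, reason) for every event matching either condition."""
    findings = []
    for ev in events:
        if ev["type"] == "net" and http_on_game_port(ev):
            findings.append((ev["id"], "HTTP request sent to LAN game port"))
        elif ev["type"] == "proc" and oversized_argument(ev):
            findings.append((ev["id"], "oversized launch argument"))
    return findings

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"id": 1, "type": "net", "dst_port": 28012, "payload": b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"id": 2, "type": "net", "dst_port": 28012, "payload": b"\x01\x00\x10\x00join"},
    {"id": 3, "type": "net", "dst_port": 80, "payload": b"POST /a HTTP/1.0\r\n\r\n"},
    {"id": 4, "type": "proc", "image": r"C:\Games\Carom3D.exe", "args": ["A" * 110]},
    {"id": 5, "type": "proc", "image": r"C:\Games\Carom3D.exe", "args": ["short"]},
    {"id": 6, "type": "proc", "image": r"C:\Windows\notepad.exe", "args": ["B" * 500]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only events 1 and 4 are reported: non-HTTP traffic on the game port, HTTP traffic on other ports, short arguments and long arguments to other programs are ignored.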

Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
16.06.2009 - Initial release
25.06.2009 - Added reference [7]