← Advisories

Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability

High
Advisory ID
ZSL-2014-5187
Release Date
17 June 2014
Vendor
Ubisoft Entertainment S.A. - http://www.ubi.com
Affected Version
1.2.103716, 1.1.100477 and 1.0.95278
CVE
CVE-2014-4334
Tested On
Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

Rayman Legends is a 2013 platform game developed by Ubisoft Montpellier and published by Ubisoft. It is the fifth main title in the Rayman series and the direct sequel to the 2011 game Rayman Origins. The game was released for Microsoft Windows, Xbox 360, PlayStation 3, Wii U, and PlayStation Vita platforms in August and September 2013. PlayStation 4 and Xbox One versions were released in February 2014.

Description

The vulnerability is caused due to a memset() boundary error in the processing of incoming data thru raw socket connections on TCP port 1001, which can be exploited to cause a stack based buffer overflow by sending a long string of bytes on the second connection. Successful exploitation could allow execution of arbitrary code on the affected node.

(15a8.f0c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000 eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207 MSVCR100!memset+0x5f: 715e26df f3ab rep stos dword ptr es:[edi] 0:028> d esp 0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd........... 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB"...PBK. 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(....... 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L... 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<... 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA 0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB 0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
Proof of Concept
gloogloo.plTXT
Disclosure Timeline
22.05.2014Vulnerability discovered.
23.05.2014Vendor contacted.
25.05.2014Vendor responds forwarding communication to security department.
26.05.2014Vendor replies asking more details.
26.05.2014Sent details to the vendor.
27.05.2014Vendor confirms the vulnerability, scheduling a patch release date.
17.06.2014Vendor releases Patch 1.02.140380 (Rayman Legends 1.3.140380) to address this issue.
17.06.2014Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Marc-Andre!
References
[1]https://support.ubi.com/en-gb/FAQ.aspx?platformid=9&brandid=210&productid=4328&faqid=kA030000000eaKDCAY
[2]http://packetstormsecurity.com/files/127133
[3]http://www.exploit-db.com/exploits/33804/
[4]http://cxsecurity.com/issue/WLB-2014060096
[5]http://osvdb.org/show/osvdb/108219
[6]http://www.securityfocus.com/bid/68080
[7]http://1337day.com/exploit/22343
[8]http://www.vfocus.net/art/20140618/11587.html
[9]http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4334
[10]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4334
[11]http://xforce.iss.net/xforce/xfdb/93888
[12]http://secunia.com/advisories/59273/
Changelog
17.06.2014Initial release
18.06.2014Added reference [2], [3], [4], [5] and [6]
19.06.2014Added reference [7] and [8]
20.06.2014Added reference [9] and [10]
05.07.2014Added reference [11]
05.10.2014Added reference [12]