info@coresecurity.com  | +1.617.399.6980 | Contact Us

• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

Home :: CoreLabs Research :: Advisories

Advisories

• CoreLabs Research

• CoreLabs Overview

• Research Projects

• Advisories

• Publications
  • Presentations and Papers
  • Journals and Magazines
  • Internet Articles

• Open Source Projects

• CoreLabs Extranet Site

1. Advisory Information

Title: StoneTrip S3DPlayers remote command injection
Advisory Id: CORE-2009-0401
Advisory URL: http://www.coresecurity.com/content/StoneTrip-S3DPlayers
Date published: 2009-05-28
Date of last update: 2010-05-18
Vendors contacted: StoneTrip
Release mode: User release

2. Vulnerability Information

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2009-1792
Bugtraq ID: 35105

3. Vulnerability Description

Ston3D is a cross-platform technology developed by StoneTrip [1], allowing applications developed with ShiVa product [2] to be run from various media. It is a platform for 3D real time development, specially designed to make games and other real time applications.

Ston3D players come in two flavors:

1. Ston3D StandalonePlayer,
2. and Ston3D WebPlayer, which runs like an extension or plug-in within most popular web browsers.

These players are vulnerable to a command injection vulnerability, which can be exploited by malicious remote attackers. The vulnerability is due to the Ston3D scripting language. It provides the function system.openURL() which does not properly sanitize the input before using it. This can be exploited to execute arbitrary commands with the privileges of the Stone3D player by opening a specially crafted file.

4. Vulnerable packages

4.1. Win32

• S3DPlayer Web v1.6.0.0
• S3DPlayer StandAlone v1.6.2.4
• S3DPlayer StandAlone v1.7.0.1

4.2. MacOS

• S3DPlayer Web v1.6.0.0
• S3DPlayer StandAlone v1.6.2.4

4.3. Linux

• S3DPlayer StandAlone v1.6.2.4

NOTE: Older versions are probably affected too, but they were not checked.

5. Non-vulnerable packages

The vulnerability has been fixed since 1.8 release (September 09). Please, contact StoneTrip for additional information.

6. Vendor Information, Solutions and Workarounds

The vendor did not provide this information. A possible mitigation action would be to enable MIME type filtering in your IDS/proxies and block S3DPlayer traffic:

application/x-ston3d-stk[+ full code]

As a workaround, vulnerable users can also avoid this flaw by disabling the Ston3D Plugin in their web browsers:

6.1. Mozilla Firefox

1. Go to the Tools menu, and select Options...
2. Click on the Main tab
3. Click on the Manage Add-ons...
4. Disable Ston3D Plugin

6.2. Safari

1. Go to the Safari menu within Safari, and select Preferences
2. Click on the Security tab
3. Deselect Enable plug-ins

6.3. Internet Explorer

Set the kill bit for control 7508D2BB-F085-45BF-8261-167C6DF4D477 (as explained in http://support.microsoft.com/kb/240797).

Please contact StoneTrip for further information, patches and workarounds.

7. Credits

This vulnerability was discovered and researched by Diego Juarez from Core Security Technologies.

8. Technical Description / Proof of Concept Code

Ston3D is a cross-platform technology allowing applications developed with ShiVa product [2] to be run from various media, such as a website, CD/DVD or interactive equipment. This technology provides a scripting interface [3] based on the Lua programming language, within this interface the function system.openURL is defined as follows:

Prototype system.openURL(sURL, sTarget) --Call this function to open an URL. [+ full code]

In the current implementation, the call system.openURL(sURL, sTarget) with the parameter sURL set as file://path/command will ultimately execute the equivalent of calling

system("open path/command");[+ full code]

By using platform specific delimiter characters this could allow arbitrary code execution in the context of the player.

Find below the relevant code snippets from various platforms.

8.1. Windows

.text:1000D64D test esi, esi .text:1000D64F mov eax, esi .text:1000D651 jnz short loc_1000D658 .text:1000D653 .text:1000D653 loc_1000D653: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1CB .text:1000D653 mov eax, offset Name .text:1000D658 .text:1000D658 loc_1000D658: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1D1 .text:1000D658 push 1 .text:1000D65A push offset Name ; lpDirectory .text:1000D65F push ecx ; lpParameters .text:1000D660 push eax ; lpFile .text:1000D661 push offset Operation ; "open" .text:1000D666 push 0 ; hwnd .text:1000D668 call ds:ShellExecuteA .text:1000D66E .text:1000D66E loc_1000D66E: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const &,Pandora::EngineCore::String const &)+1B0 .text:1000D66E test edi, edi .text:1000D670 jbe short loc_1000D67F .text:1000D672 test esi, esi .text:1000D674 jz short loc_1000D67F .text:1000D676 add esi, 0FFFFFFFCh .text:1000D679 push esi ; Memory .text:1000D67A call ebp ; __imp_free [+ full code]

8.2. Linux

.text:08371334 mov [esp+5Ch+var_58], offset aOpen ; "open " .text:0837133C lea eax, [esp+5Ch+var_34] .text:08371340 mov [esp+5Ch+command], eax .text:08371343 call sub_8109FC0 .text:08371348 lea eax, [esp+5Ch+var_1C] .text:0837134C mov [esp+5Ch+var_58], eax .text:08371350 lea eax, [esp+5Ch+var_34] .text:08371354 mov [esp+5Ch+command], eax .text:08371357 call sub_8108F10 .text:0837135C lea eax, [esp+5Ch+var_34] .text:08371360 mov [esp+5Ch+command], eax .text:08371363 call sub_80DF660 .text:08371368 mov [esp+5Ch+command], eax .text:0837136B call _system .text:08371370 lea eax, [esp+5Ch+var_34] .text:08371374 mov [esp+5Ch+command], eax .text:08371377 call sub_80D92F0 .text:0837137C jmp short loc_8371398 [+ full code]

8.3. MacOSX (x86)

__text:0005995B lea eax, (aOpen - 597ECh)[ebx] ; "open " __text:00059961 lea esi, [esp+5Ch+var_44] __text:00059965 mov [esp+5Ch+var_58], eax __text:00059969 mov [esp+5Ch+var_5C], esi __text:0005996C call __ZN7Pandora10EngineCore6StringC1EPKc ; Pandora::EngineCore::String::String(char const*) __text:00059971 mov [esp+5Ch+var_58], edi __text:00059975 mov [esp+5Ch+var_5C], esi __text:00059978 call __ZN7Pandora10EngineCore6StringpLERKS1_ __text:0005997D mov edx, [esp+5Ch+var_44] __text:00059981 test edx, edx __text:00059983 jz loc_59A5F __text:00059989 mov eax, [esp+5Ch+var_40] __text:0005998D test eax, eax __text:0005998F jz loc_59A5F __text:00059995 __text:00059995 loc_59995: ; CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+295 __text:00059995 mov [esp+5Ch+var_5C], eax __text:00059998 call _system __text:0005999D mov eax, [esp+5Ch+var_44] __text:000599A1 test eax, eax __text:000599A3 jnz loc_59AB2 __text:000599A9 nop dword ptr [eax+00000000h] [+ full code]

8.4. MacOSX (PPC)

__text:00053D6C addi %r30, %sp, 0x90+var_38 __text:00053D70 addis %r4, %r31, 0x3F __text:00053D74 addi %r4, %r4, -0x29DC __text:00053D78 mr %r3, %r30 __text:00053D7C bl __ZN7Pandora10EngineCore6StringC1EPKc # Pandora::EngineCore::String::String(char const*) __text:00053D80 mr %r3, %r30 __text:00053D84 mr %r4, %r29 __text:00053D88 bl __ZN7Pandora10EngineCore6StringpLERKS1_ __text:00053D8C lwz %r0, 0x90+var_38(%sp) __text:00053D90 cmpwi cr7, %r0, 0 __text:00053D94 beq cr7, loc_53DA4 __text:00053D98 lwz %r3, 0x90+var_34(%sp) __text:00053D9C cmpwi cr7, %r3, 0 __text:00053DA0 bc 5, 4*cr7+eq, loc_53DAC __text:00053DA4 __text:00053DA4 loc_53DA4: # CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+394 __text:00053DA4 addis %rtoc, %r31, 0x3F __text:00053DA8 addi %r3, %rtoc, -0x5620 __text:00053DAC __text:00053DAC loc_53DAC: # CODE XREF: Pandora::ClientCore::HTTPConnectionManager::OpenURL(Pandora::EngineCore::String const&,Pandora::EngineCore::String const&)+3A0 __text:00053DAC bl _system __text:00053DB0 lwz %r0, 0x90+var_38(%sp) __text:00053DB4 cmpwi cr7, %r0, 0 __text:00053DB8 beq cr7, loc_53E24 __text:00053DBC b loc_53DF8 [+ full code]

9. Report Timeline

• 2009-04-20: Core Security Technologies notifies the StoneTrip team of the vulnerability and announces its initial plan to publish the content on May 18th, 2009.
• 2009-04-21: The vendor asks Core for a technical description of the vulnerability.
• 2009-04-23: Technical details sent to StoneTrip team by Core.
• 2009-04-24: In addition to the technical details, a Proof of Concept was sent to StoneTrip team.
• 2009-04-28: Core asks the vendor to confirm the reception of the technical report.
• 2009-04-28: StoneTrip team notifies that the technical report has been received and that a vulnerability report will be sent to Core soon.
• 2009-05-07: Core requests a status update for this vulnerability and notifies its plan to publish the advisory on May 18th, 2009. No reply received.
• 2009-05-15: Core requests an answer to the previous mail. No reply received.
• 2009-05-18: Core Advisories Team does not release the advisory as originally planned. Core re-schedules the advisory publication date to 26th May 2009.
• 2009-05-20: Core notifies StoneTrip that the advisory publication date was missed and that the last status requests were not replied. Core also notifies the vendor of the final release date (26th May 2009).
• 2009-05-28: After trying to contact the StoneTrip team several times without success, the advisory CORE-2009-0401 is published as 'User Release'.
• 2009-12-09: StoneTrip team notifies that the vulnerability has been fixed since 1.8 release (September 09).

10. References

[1] http://www.stonetrip.com.
[2] ShiVa, a platform for 3D real time development with focus in game development http://www.stonetrip.com/shiva/.
[3] http://stdn.stonetrip.com.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Related Content