Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability

Title: Carom3D 5.06 Unicode Buffer Overrun/DoS Vulnerability
Advisory ID: ZSL-2009-4916
Type: Local/Remote
Impact: System Access, DoS
Risk: (2/5)
Release Date: 16.06.2009
Summary
Carom 3D is an online multi-user billiard game built with special 3D graphic effects that bring 6-ball, 9-ball, 8-ball and other billiard games to life.
Description
The world-famous Korean game Carom3D suffers from a buffer overflow and a denial of service vulnerability. The BoF is triggered at runtime when more than 218 bytes are appended as an argument; ~1000 bytes overwrites the SEH. The denial of service is triggered when a user creates a LAN Game (credentials needed), creates a room and waits for other players to join. While the host is waiting (listening on TCP port 28012), a simple HTTP GET/POST lets an attacker lock up the GUI of the user who created the room, so that the game can neither be started nor exited, except by forcing the window closed (X).
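The DoS condition above is easy to spot on the wire: the room host expects game-protocol traffic on TCP 28012, so an HTTP request line arriving on that port is out of place. The following detection script is an added example written for this page; it is not part of the advisory or of the carom3d.pl PoC. The log format it parses ("src:port -> dst:port <escaped payload prefix>") and all sample lines are constructed for the example, and the port number is the one the advisory reports.

```python
import re
from typing import Dict, List, Optional

# Port the room host listens on while waiting for players (from the advisory).
CAROM3D_LAN_PORT = 28012

# An HTTP request line at the start of the payload. The advisory says a plain
# GET/POST is enough to lock up the host's GUI, so any HTTP method on this port
# is worth alerting on, not just those two.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+\S+\s+HTTP/1\.[01]\r?\n"
)

# Hypothetical sensor log format (constructed for this example):
#   "<src_ip>:<src_port> -> <dst_ip>:<dst_port> <payload prefix, backslash-escaped>"
LOG_LINE = re.compile(
    r"^(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<payload>.*)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a record; the payload field is unescaped back to raw bytes."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    raw = m.group("payload").encode("latin-1").decode("unicode_escape").encode("latin-1")
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "payload": raw,
    }


def is_http_to_game_port(rec: Dict) -> bool:
    """True when an HTTP request line is sent to the Carom3D LAN-game port."""
    return rec["dport"] == CAROM3D_LAN_PORT and HTTP_REQUEST_LINE.match(rec["payload"]) is not None


def find_suspicious(lines: List[str]) -> List[str]:
    """Return one human-readable alert per log line that matches the DoS pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_http_to_game_port(rec):
            method = rec["payload"].split()[0].decode("ascii")
            alerts.append(f"{rec['src']} sent HTTP {method} to {rec['dst']}:{rec['dport']}")
    return alerts


# Constructed sample log: two HTTP requests to the game port (should alert),
# one game-protocol packet to the game port and one HTTP request to port 80 (should not).
SAMPLE_LOG = [
    "192.0.2.10:51234 -> 192.0.2.5:28012 GET / HTTP/1.1\\r\\nHost: 192.0.2.5\\r\\n\\r\\n",
    "192.0.2.11:51235 -> 192.0.2.5:28012 \\x00\\x1a\\x02join-room",
    "192.0.2.12:51236 -> 192.0.2.5:80 GET /index.html HTTP/1.0\\r\\n\\r\\n",
    "192.0.2.13:51237 -> 192.0.2.5:28012 POST /x HTTP/1.0\\r\\nContent-Length: 0\\r\\n\\r\\n",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print("ALERT:", alert)
```

Because the room host only listens while waiting for players, a rule like this produces almost no noise on a LAN; the same logic can be expressed as an IDS signature keyed on the destination port and the HTTP method at payload offset 0.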
Vendor
Neoact Co. Ltd. - http://www.carom3d.com
Affected Version
5.06
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
carom3d.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.milw0rm.com/exploits/8971
[2] http://packetstormsecurity.org/filedesc/carom3d-dos.txt.html
[3] http://securityreason.com/exploitalert/6430
[4] http://sebug.net/exploit/11631/
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2173
[6] http://xforce.iss.net/xforce/xfdb/51219
[7] http://securityreason.com/securityalert/5950
Changelog
[16.06.2009] - Initial release
[25.06.2009] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk