Title: Gamespy Arcade GSAPAK.EXE .APK Extraction File Corruption Vulnerability
Severity: HIGH
Description:
Gamespy Arcade is an application designed to facilitate multiplayer online arcade gaming. This is implemented through the use of a custom browser, internet messaging, and an integrated connection to the GameSpy network.
Upon installing Gamespy Arcade, the MIME types of Internet Explorer and Netscape Navigator are updated to handle a variety of Gamespy-related files. One of these file types, .APK, is handled by the GSAPAK.EXE component. Because this file type is registered as a known type in the browser's MIME types, it is handled without prompting the user for input or verification.
The .APK file is simply a compressed ZIP archive and is extracted by the GSAPAK.EXE component. A flaw in this component has been discovered that could potentially allow an attacker to overwrite arbitrary system files.
The problem lies in GSAPAK.EXE failing to verify the integrity of archived file names, effectively allowing for names to include directory traversal sequences (../). As a result, extracting these files could potentially result in the corruption of key system files, outside of the established directory defined by the browser.
It should be noted that GSAPAK.EXE would be invoked with the privileges of the user running the browser. It should also be noted that this vulnerability can be triggered even when Gamespy Arcade is not running, as GSAPAK.EXE is a separate entity from the core executable.
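The missing check described above, shown as an added example (not code from GameSpy or from this advisory): each archive member name is resolved against the extraction directory under Windows path rules and flagged if the result falls outside it. The destination directory, function names and sample archive are constructed for illustration.

```python
import io
import ntpath  # Windows path rules, usable on any platform
import zipfile

# Constructed destination directory for illustration; not a path from the advisory.
DEST_DIR = "C:\\ExtractRoot"


def resolve(dest_dir, member_name):
    """Return the normalized Windows path a member would be written to."""
    joined = ntpath.join(dest_dir, member_name)
    # normpath collapses "..", normcase folds case and turns "/" into "\".
    return ntpath.normcase(ntpath.normpath(joined))


def escaping_members(archive_bytes, dest_dir=DEST_DIR):
    """List archive member names that resolve outside dest_dir."""
    root = ntpath.normcase(ntpath.normpath(dest_dir))
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            target = resolve(root, name)
            # Compare whole path components, not a bare string prefix, so that
            # C:\ExtractRootEvil is not mistaken for a child of C:\ExtractRoot.
            if target != root and not target.startswith(root + "\\"):
                flagged.append(name)
    return flagged


def build_sample():
    """Build a constructed in-memory archive with safe and unsafe names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skins/default.bmp", b"ok")      # stays inside
        zf.writestr("skins/../readme.txt", b"ok")    # has ".." but stays inside
        zf.writestr("../../outside.txt", b"x")       # climbs out of the root
        zf.writestr("C:/elsewhere/file.txt", b"x")   # absolute path ignores the root
    return buf.getvalue()


if __name__ == "__main__":
    for name in escaping_members(build_sample()):
        print("refusing to extract:", name)
```

An extractor should refuse the whole archive, or at least skip the flagged members, before writing anything to disk.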
Affected Products:
- GameSpy Arcade
References:
- GameSpy: GameSpy Arcade