
tzt002.txt

Posted Aug 5, 2003
Authored by Mike Kristovich | Site ThreeZee.com

ThreeZee Technology Security Advisory #TZT002 - GameSpy Arcade allows for arbitrary file writing due to a lack of file extension checking in the GSAPAK.exe binary.

tags | advisory, arbitrary
SHA-256 | ab5ef565cea587e770cc35b8c662b36159dd53ccba85ca369f780905953f94d1

###############################################################
ThreeZee Technology, Inc. Security Advisory #TZT002
###############################################################

Advisory: GameSpy Arcade Arbitrary File Writing

Discovered: July 26, 2003
Released: July 31, 2003

Risk: Critical; Allows writing of a file to any
location on the victim's system.

Author: Mike Kristovich, Security Researcher
ThreeZee Technology, Inc.
http://www.ThreeZee.com

###############################################################

Table of contents:

1) Introduction
2) The Bug
3) Risk
4) Fix
5) Philosophy
6) Closing comments
7) Contact

_______________________________________________________________

1) Introduction

The problem exists within GSAPAK.EXE, a game update agent which
is included by default with the installation of GameSpy Arcade.

GameSpy automatically adds three mime types to the list of
accepted documents in Internet Explorer and Netscape Navigator,
which are:

"application/x-gsarcade-usersvc"
"application/x-gsarcade-skinpak"
"application/x-gsarcade-launch"

By default, when a file with the extension of .APK, .arcade or
.asn is received, it will be launched by GSAPAK.exe.

_______________________________________________________________

2) The Bug

A file with the .APK extension is actually a simple ZIP file.
An attacker could construct a ZIP file and change the path of an
entry so that it would be extracted into the root directory of
the drive, or even the startup directory of Windows.

Using this method, it would be quite easy to insert a virus,
trojan horse, or pretty much anything one desires, into the
victim's system.

e.g.: ../../../calc.exe - Would put it in the root directory

Because the file is considered an accepted type by browsers,
there will be no dialog asking the user to accept or deny
receiving it.
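
The missing check, shown as an added example (not GameSpy's or
ThreeZee's code): an extractor should refuse any ZIP entry whose
name is absolute or contains a parent-directory component. The
function names and the sample archive are constructed for
illustration; the traversal name is the one quoted above.

```python
import io
import zipfile
from pathlib import PureWindowsPath


def unsafe_entry_reason(name):
    """Return why an entry name is unsafe to extract, or None if it is fine."""
    # Parse as a Windows path so both '/' and '\\' count as separators.
    p = PureWindowsPath(name)
    if p.drive or p.root:
        return "absolute path or drive letter"
    if ".." in p.parts:
        return "parent-directory component"
    return None


def audit_archive(data):
    """Split the entry names of a ZIP (bytes) into (safe, rejected) lists."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = unsafe_entry_reason(info.filename)
            if reason:
                rejected.append((info.filename, reason))
            else:
                safe.append(info.filename)
    return safe, rejected


def extract_checked(data, dest):
    """Extract into dest only if every entry passes; otherwise refuse it all."""
    safe, rejected = audit_archive(data)
    if rejected:
        raise ValueError(f"refusing archive, unsafe entries: {rejected}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    return safe


def build_sample():
    """Constructed sample: one ordinary entry plus the advisory's traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("skins/default/skin.ini", "constructed placeholder")
        zf.writestr("../../../calc.exe", "constructed placeholder, not a binary")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(build_sample()))
```

Rejecting the whole archive, rather than skipping the bad entry,
keeps a partially trusted package from being installed at all.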

_______________________________________________________________

3) Risk

If a user were to have JavaScript enabled, the attacker could
even add "onLoad=" to an IMG tag on a web page, which would run
the file upon the image being loaded. This could have serious
consequences on Gaming Forums.

This bug does not require GameSpy Arcade to run, or ever have
run. It's possible that it has been installed along with a
game, and hasn't been touched. This does not make the user
safe. GSAPAK.exe is a separate entity in the GameSpy package,
and is usable for the purpose for which it was created.

_______________________________________________________________

4) Fix

GameSpy was notified on July 28, 2003.

GameSpy responded very quickly, and they were on their way to
fixing the bug within 12 hours of the initial contact.

Director of GameSpy Technology, David Wright, has told TZT
that this vulnerability will be fixed in a patch this week.
We'd like to thank GameSpy for their extremely fast response
and professionalism in handling this matter.

Current GameSpy Arcade users should see the patch, and be
given the option (possibly required) to update. We suggest
the latter.

If you have concerns about waiting for the patch, it can be
temporarily fixed by removing the above specified accepted
documents from the registry. You could also remove GSAPAK.exe,
or you could even choose to uninstall GameSpy Arcade until the
patch becomes available later this week.

_______________________________________________________________


5) Philosophy

GameSpy has hundreds of thousands of users, most of whom are
using GameSpy Arcade and are vulnerable to this bug.

This bug has now been disclosed, and all users should patch
their system as soon as the patch is available.

Keep in mind, your system will still be vulnerable even if
you've installed GameSpy Arcade but never run it.

_______________________________________________________________

6) Closing comments

We would like to thank GameSpy and David Wright for their
prompt handling of the bug report, again.

_______________________________________________________________

7) Contact

Questions, comments, complaints:

Mike Kristovich, Security Researcher
ThreeZee Technology, Inc.

http://www.ThreeZee.com
zzz@threezee.com


Press inquiries:

press@threezee.com

