SUMMARY

The following vulnerability was found in Plays.tv 1.27.5.0

The “plays_service.exe” Windows service allows for the unauthenticated writing of user specified files at SYSTEM privilege. An HTTP message with the “extract_files” parameter does not securely authenticate the user before writing uncontrollable data to the provided path. This vulnerability could allow for a denial of service on the host system as important system related files could be overwritten.The vulnerable plays.tv software was previously included in AMD’s driver installation packages and is still distributed with its legacy products as part of its Gaming Evolved program.

IMPACT

Access Vector:    REMOTE
Access Complexity:   LOW
Authentication:    NOT REQUIRED TO EXPLOIT
Impact Type:    FILE CORRUPTION (DENIAL OF SERVICE)
Privilege Level:   SYSTEM

AFFECTED PRODUCTS

SOFTWARE FIXES

  • Please update to Plays.tv 1.27.7.0 to remedy the vulnerability.

TIMELINE

REFERENCES