| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Dec 2004 17:46:11 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.netsys.com,
vuln@...unia.com
Subject: In-game buffer-overflow in the Gamespy cd-key validation SDK
#######################################################################
Luigi Auriemma
Application: Gamespy cd-key validation SDK
http://www.gamespy.net
Versions: before 20 November 2004
Games: due to the implementation of this SDK is hard to test and
list all the vulnerable games, however the following is
the official list of games that use the various Gamespy
SDKs (so not only the cd-key SDK):
http://www.gamespy.net/partners/
While the following is a partial list, maintained by me,
of the games that use the cd-key validation SDK:
http://aluigi.altervista.org/papers/gshlist.txt
Platforms: any platform supported
Bug: buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 10 December 2004
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Gamespy cd-key validation SDK is a toolkit developed by Gamespy
(http://www.gamespy.net) and used by many games to handle the
verification of the cd-keys online.
#######################################################################
======
2) Bug
======
Before explaining the bug is important to specify that this is an
in-game bug so the attacker needs to have access to the vulnerable
server and, in this specific case, also to know the game's protocol or
to use a debugger to exploit the vulnerability, and furthermore it
depends by how the developers have implemented the Gamespy SDK in their
games.
In fact the problem is a buffer-overflow caused by a too long response
string sent by the client to the server, so a game is not vulnerable
"only" if its developers have inserted a limitation in the length of
the string received from the client (but I doubt that someone did it).
When the server receives the client's string it calls the sprintf()
function to build the query for the cd-key validation:
query_length = sprintf(
query,
"\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
pid, // product ID of the game
ch, // server challenge
resp, // client response <-- the cause of the bug!
ip, // client IP address
skey); // number to track the query
An explanation of the authentication method used by the Gamespy cd-key
validation SDK is available here:
http://aluigi.altervista.org/papers/gskey-auth.txt
The buffer-overflow happens just during this instruction and then the
query is encoded using the classical XOR operation with the word
"gamespy" to be sent to the Gamespy master server.
#######################################################################
===========
3) The Code
===========
I have written a proof-of-concept only for the game Gore because its
protocol is enough simple:
http://aluigi.altervista.org/poc/goregsbof.zip
For other games an idea is the usage of a debugger on the client for
the interception of the client string just generated that must be
substituited with a bigger one and then is needed to force the game to
use the entire big string since usually are used only the normal 73
bytes.
#######################################################################
======
4) Fix
======
The bug has been fixed the 19 November 2004, so the developers of the
vulnerable games have had a lot of time for checking their games and
patching them if needed.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists