Date: Mon, 8 Sep 2003 19:21:17 +0000
From: Luigi Auriemma <aluigi@...x.com>
To: bugtraq@...urityfocus.com
Cc: vulnwatch@...nwatch.org, full-disclosure@...ts.netsys.com,
	list@...ield.org, support@...telli.com, 24@...telli.com,
	list@...uriteam.com
Subject: Rogerwilco: server's buffer overflow


#######################################################################

                             Luigi Auriemma

Applications: RogerWilco (http://www.rogerwilco.com)
Versions:     graphical server <= 1.4.1.6
              dedicated server for win32 <= 0.30a
              dedicated server for linux/bsd <= 0.27
Platforms:    ALL the platforms supported by the graphical server and
              the dedicated server (Win32, Linux and BSD)
Bug:          Remote buffer overflow
Risk:         Critical
Author:       Luigi Auriemma
              e-mail: aluigi@...x.com
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix



#######################################################################

===============
1) Introduction
===============


RogerWilco is a real-time voice chat application developed by Gamespy
and widely used by gamers.



#######################################################################

======
2) Bug
======


RogerWilco reads the data sent by the client as follows:

1 byte:  0x0f (a fixed tag)
1 byte:  0x00 (a fixed tag)
2 bytes: length of the data to read; we will call this size 'N'
N bytes: data


As this short description makes clear, the problem is simply that the
attacker can directly specify the amount of data the server will read.
The server then calls recv() on the same fixed-size buffer (which was
never allocated to match the announced length, so it is too small),
asking for N bytes:

    recv(sock, buffer, N_bytes, 0);

The result is that the memory beyond the buffer is completely
overwritten, including, of course, the return address of the function.
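As an added example (not RogerWilco's code and not part of the advisory), the 4-byte header described above parsed from a constructed byte string, with the length check the server lacks put in place before any copy; the little-endian byte order of N and the 16-byte buffer size used in the comments are assumptions the advisory does not settle.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header layout from the advisory: tag 0x0f, tag 0x00, 2-byte length N, then N bytes. */
#define RW_TAG0 0x0f
#define RW_TAG1 0x00
#define RW_HDR_LEN 4

enum rw_status { RW_OK = 0, RW_BAD_TAG = -1, RW_TOO_LONG = -2, RW_TRUNCATED = -3 };

/* Parse the 4-byte header. N's byte order is assumed little-endian (the advisory
 * does not state it). Returns RW_OK and sets *n, or RW_BAD_TAG on a wrong tag. */
int rw_parse_header(const uint8_t hdr[RW_HDR_LEN], uint16_t *n)
{
    if (hdr[0] != RW_TAG0 || hdr[1] != RW_TAG1)
        return RW_BAD_TAG;
    *n = (uint16_t)(hdr[2] | (hdr[3] << 8));
    return RW_OK;
}

/* Hardened read: the attacker-supplied N is checked against the real size of
 * 'buf' before anything is copied. 'wire' stands in for the socket: a constructed
 * byte string holding what recv() would have returned. The pattern quoted in the
 * advisory, recv(sock, buffer, N, 0) with no check, is exactly what this refuses. */
int rw_read_message(const uint8_t *wire, size_t wire_len,
                    uint8_t *buf, size_t buf_len, size_t *out_len)
{
    uint16_t n;
    int rc;

    if (wire_len < RW_HDR_LEN)
        return RW_TRUNCATED;
    rc = rw_parse_header(wire, &n);
    if (rc != RW_OK)
        return rc;
    if (n > buf_len)                   /* the missing check: N must fit the buffer */
        return RW_TOO_LONG;
    if (wire_len - RW_HDR_LEN < n)     /* peer sent fewer bytes than it announced */
        return RW_TRUNCATED;
    memcpy(buf, wire + RW_HDR_LEN, n); /* in a server: recv(sock, buf, n, 0) with n clamped */
    *out_len = n;
    return RW_OK;
}
```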

The first data that the client sends to the server contains the
password to use, the channel to join and 12 bytes whose meaning I do
not know.
This means that no server is immune, even if you set a password or
choose a channel with an unusual name that the attacker does not know.
In fact, the password is the only defense for limiting or preventing
unwanted access to one's own server.

The other problem is that ALL versions and all types of RogerWilco
servers are vulnerable: both dedicated and non-dedicated servers, and
every version of the program released so far.



#######################################################################

===========
3) The Code
===========


A new option has been added to my tool for testing the RogerWilco
vulnerabilities I have found; check it here:


http://aluigi.altervista.org/poc/wilco.zip



#######################################################################

======
4) Fix
======


No fix.

Gamespy was contacted over a week before the release of this advisory,
the waiting period suggested by the security community when a vendor
does not answer a bug report.

Patching (and, more to the point, preventing) this bug is very simple,
so I don't understand why they have not corrected it yet...

As explained in my advisory
http://aluigi.altervista.org/adv/wilco-remix-adv.txt
I have continually contacted Gamespy over a long period, and the only
thing they have done has been to ignore my reports.



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


