lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041217163445.29827.qmail@www.securityfocus.com>
Date: 17 Dec 2004 16:34:45 -0000
From: amoXi Devilkin <am0xi@...oo.com>
To: bugtraq@...urityfocus.com
Subject: 4 Vulnerabilities in GamePort





   Exploit Tested On :
     GamePort 4.0
     GamePort 3.1
     GamePort 3.0

   Platform :
     Windows 9X/Me/2K/XP   

   Background of Program :
     Gameport is a product of interactivestudio(www.interactivestudio.sk). it is very Common Program in Iran(My Country) that is used for Gamenets and Coffenets. It has to Parts Client and Server. Each Costomer of Coffenet or Gamenet has an ID and a Password and by his ID and password he can access one of PCs in the Gamenet or Coffeenet. The user credits will be count down from time he will log in to system GamePort untill he will log out. In the case the users credits has expired the computer will be restarted and he can logon again after he buy a new credits.(more Informations in www.interactivestudio.sk)
   
   Type of Vulnerability:
     Remote/Local   Critical
   
   Descripttion :
     we've found 4 Vulnerability
     
     Vul I :
     When Client is not Logged in, in ID textbox Put your username and in Password textbox Put your password and "^^#LOGOFF#" for example :

     ID : 101
     Password : 123^^#LOGOFF#
     
     then you will login and you can use the Client PC and the Server wont count down your credits.
     
     Vul II :
     the admin Password of server is reversable, it means that You can easily decode the password recorded in registry. we've programmed a decoder for admin password of server. you may download the source(in VB) here :

     http://www.sharemation.com/devilkins/GPSPDecode.zip
     

     ***Other Vulnerabilities is Only for Version 4.0***
     
     Vul III :
     In Case you have access to Server's PC(the PC have GamePortserver installed) but you don't have the admin password you can change the clients password Or you can call an application on the Clients(Pcs that have Gameport Client installed) remotly without admin password. just push right click on mouse over icon of client pc in the main window of Gameport server, that we want to Call an application on or change it's admin password. After this the menu appear, where we choose item "Send message to user...". Now the window will appear where we can write a message and send it by pushing button "Send". in the Textbox type "^^#CALL#:application_name.exe" and push send that application will run on the client. also you can change admin password by typing "^^#CHANGEPSSWD#:New password" instead of message. for example :
    
     "^^#CALL#:CMD.exe"
     "^^#CHANGEPSSWD#:123"
     
     Vul IV :
     I don't Know why this Occurs.
     In "Remore applictaion call" part of server If you type "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\.exe" or "//////////////////////////////////////////////.exe" and Press OK. the Client you've send the packet to it Will hang up for a Long time.

   Analisis :

     Vul I :
     When you type your ID and password and "^^#LOGOFF#" at the end and press the login key. a packet with this data will be sent to server :

     "^#LOGME#:ID:Password^^#LOGOFF#:computername^"

     it means that log me in and then log me off but when Client Logs off doesn't perevnt your access.

     Vul III:
     after sending that message to client, that client will recive this data :
     
     "^#ECHO#:^^#CALL#:CMD.exe^"

     it means show "nothing" as message and Call CMD.exe application.
     
     *****All Words Between ## are Capital*****

   Solution :
     We've Made a Patch for 3.0 & 4.0 Versions ourself, may be Interactivestudio Gonna make a Patch for it in future but til they haven't released it we try to sell our patch.
   
   Credits:
     amoXi & Dr.vaXin
     am0xi@...oo.com
     GrayDevilkins Team


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ