Message-ID: <Pine.LNX.4.64.0808242120240.3658@host.security-objectives.com>
Date: Sun, 24 Aug 2008 21:22:23 -0700 (PDT)
From: Security Objectives Corporation <advisories@...urity-objectives.com>
To: bugtraq@...urityfocus.com
Subject: SECOBJADV-2008-03.2: PartyGaming PartyPoker Malicious Update Vulnerability

======================================================================
=         Security Objectives Advisory (SECOBJADV-2008-03.2)         =
======================================================================

PartyGaming PartyPoker Malicious Update Vulnerability

http://www.security-objectives.com/advisories/SECOBJADV-2008-03.txt

AFFECTED: Client software versions are irrelevant because of server changes.
           See ANALYSIS section below for details.

PLATFORM: Intel / Windows

CLASSIFICATION: Origin Validation Error (CWE-346)

RESEARCHER: Derek Callaway

IMPACT: Client-side code execution

SEVERITY: Medium

DIFFICULTY: Moderate

REFERENCES: CVE-2008-3324


BACKGROUND

PartyPoker.com (www.PartyPoker.com) is the world's largest online poker brand
in terms of number of players and revenues. You'll find a great variety of 
poker games and tournaments, plus blackjack.

SUMMARY

The PartyGaming PartyPoker client program can be forced into downloading a
malicious update. This is a result of the PartyPoker client not properly 
confirming the authenticity of the network update server or the 
executable update files themselves. When downloading an update, first 
the client program resolves the DNS address of the update host. Next, it 
establishes a TCP connection on port 80 of the previously resolved IP 
address. Then, it sends an HTTP request for an EXE file under the web 
server's Downloads directory. Upon receiving the HTTP response, the 
requested portable executable is written to disk and executed.

ANALYSIS

To successfully exploit this vulnerability an attacker must be able to
position themselves such that they can impersonate the update server.
This can be accomplished through DNS cache poisoning, ARP redirection,
TCP hijacking, impersonation of a Wi-Fi Access Point, etc. The attacker
would also have to configure a rogue web server to push out update code of
their choosing.

Before PartyPoker downloads the update it communicates with another
PartyGaming server in the 88.81.154.0/24 subnetwork via SSL to determine
if a new client update is available; if so, an HTTP GET request is sent
to www1.partypoker.com for an EXE file in the /Downloads/en/vcc
directory, which is stored on the local filesystem under
C:\Programs\PartyGaming\tmpUpgrade and executed. Afterwards, the user
may log in and operate the PartyPoker client as usual.

Since the update itself is downloaded from a separate server, the client
can contact the legitimate PartyGaming server during exploitation to
determine if an update is available as normal. The attacker only needs
to masquerade as www1.partypoker.com.

The server-side modification that has been implemented by PartyGaming causes
the first SSL connection to communicate an HTTPS URL for www1.partypoker.com
so that the update itself is downloaded over SSL as well.
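The two-server flow described above lends itself to a simple integrity check: the first, SSL-protected connection can carry the size and SHA-256 of the file the client should expect from www1.partypoker.com, so a substituted EXE is rejected before it is written to tmpUpgrade. The following is an added illustration written for this advisory, not PartyGaming's code; the manifest fields and the sample update bytes are assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for the EXE under /Downloads/en/vcc (same length so
# the digest check, not the size check, decides); no real vendor code here.
GENUINE_UPDATE = b"MZ\x90\x00 genuine update (constructed sample)"
SUBSTITUTED_UPDATE = b"MZ\x90\x00 altered update (constructed sample)"


def update_check_response(update_bytes):
    """Assumed design (not the vendor's): over the first, SSL-protected
    connection the server also sends the size and SHA-256 of the file the
    client must expect from www1.partypoker.com."""
    return {
        "available": True,
        "size": len(update_bytes),
        "sha256": hashlib.sha256(update_bytes).hexdigest(),
    }


def install_as_described(http_body):
    """Behaviour the advisory reports: the HTTP response body is written to
    disk and executed with no origin or integrity check at all."""
    return {"executed": True, "reason": "no validation performed"}


def install_with_validation(check, http_body):
    """Hardened client: write and run the file only if it matches the size
    and digest learned over the authenticated channel."""
    if not check.get("available"):
        return {"executed": False, "reason": "no update advertised"}
    if len(http_body) != check["size"]:
        return {"executed": False, "reason": "size mismatch"}
    digest = hashlib.sha256(http_body).hexdigest()
    # constant-time comparison of the two hex strings
    if not hmac.compare_digest(digest, check["sha256"]):
        return {"executed": False, "reason": "sha256 mismatch"}
    return {"executed": True, "reason": "digest matches authenticated manifest"}


def simulate(impersonated):
    """Run both clients with www1 served genuinely or by an impersonator
    that substitutes its own EXE (the scenario in ANALYSIS); the first,
    SSL-protected server is contacted legitimately in both cases."""
    check = update_check_response(GENUINE_UPDATE)
    body = SUBSTITUTED_UPDATE if impersonated else GENUINE_UPDATE
    return {
        "as_described": install_as_described(body)["executed"],
        "validated": install_with_validation(check, body)["executed"],
    }
```

Moving the download itself to HTTPS, as the vendor did, closes the same gap only if the client validates the server certificate chain and hostname; a digest carried over the already authenticated channel protects the file regardless of how it is transported.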

WORKAROUND

None

VENDOR RESPONSE

The vendor was contacted initially and was fully aware of the vulnerability.
However, after unsuccessfully attempting to re-establish dialogue multiple times
with limited responsiveness over a period of several months, Security
Objectives proceeded with the advisory.

After the initial advisory was released, PartyGaming contacted Security 
Objectives and added support for HTTPS/SSL to the second update server.

DISCLOSURE TIMELINE

20-Feb-2008 Discovery of Vulnerability
22-Feb-2008 Developed Proof-of-Concept
25-Feb-2008 Reported to Vendor
14-Aug-2008 Published Advisory
14-Aug-2008 Vendor Modified Server to Utilize HTTPS/SSL
18-Aug-2008 Coordinated Second Version of Advisory with Vendor
25-Aug-2008 Released New Advisory

ABOUT SECURITY OBJECTIVES

Security Objectives is a security-centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, so that a more in-depth contextual understanding of the
application is developed.

http://security-objectives.com/

LEGAL

Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.

The information contained in this advisory is believed to be accurate based on 
currently available information and is provided "as is" without warranty of 
any kind, either expressed or implied, including, but not limited to, the 
implied warranties of merchantability and fitness for a particular purpose. 
The entire risk as to the quality and performance of the information is with 
you.
