SecurityTracker.com
SecurityTracker Archives

Category:   Application (Game)  >   GameSpy SDK
Vendors:   GameSpy Industries
GameSpy SDK Buffer Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012483
SecurityTracker URL:  http://securitytracker.com/id/1012483
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 13 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   Luigi Auriemma reported a buffer overflow vulnerability in the GameSpy SDK in the CD key validation. Games using the SDK may be affected.

It is reported that a remote user can send a specially crafted response to the target server. If the target server does not properly validate (limit) the length of user-supplied input, the remote user may be able to cause the target service to crash or potentially execute arbitrary code. Depending on the game, the remote user may need to be authenticated to exploit this flaw.

A demonstration exploit for the Gore game (which uses the GameSpy SDK) is available at:

http://aluigi.altervista.org/poc/goregsbof.zip

Impact:   A remote user may be able to cause the target service to crash or potentially execute arbitrary code. The specific impact depends on the application that implements the affected SDK function.
Solution:   The vendor issued a fix on November 19, 2004.
Vendor URL:  www.gamespy.net/
Cause:   Boundary error

Message History:   None.


Source Message Contents

Subject:  In-game buffer-overflow in the Gamespy cd-key validation SDK



#######################################################################

                             Luigi Auriemma

Application:  Gamespy cd-key validation SDK
              http://www.gamespy.net
Versions:     before 20 November 2004
Games:        because of how this SDK is implemented, it is hard to test
              and list all the vulnerable games; however, the following is
              the official list of games that use the various Gamespy
              SDKs (so not only the cd-key SDK):
                http://www.gamespy.net/partners/
              While the following is a partial list, maintained by me,
              of the games that use the cd-key validation SDK:
                http://aluigi.altervista.org/papers/gshlist.txt
Platforms:    any platform supported
Bug:          buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         10 December 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Gamespy cd-key validation SDK is a toolkit developed by Gamespy
(http://www.gamespy.net) and used by many games to handle the
verification of the cd-keys online.


#######################################################################

======
2) Bug
======


Before explaining the bug, it is important to specify that this is an
in-game bug, so the attacker needs to have access to the vulnerable
server and, in this specific case, also to know the game's protocol or
to use a debugger to exploit the vulnerability; furthermore it
depends on how the developers have implemented the Gamespy SDK in their
games.

In fact the problem is a buffer-overflow caused by a too long response
string sent by the client to the server, so a game is not vulnerable
"only" if its developers have inserted a limitation on the length of
the string received from the client (but I doubt that someone did it).

When the server receives the client's string it calls the sprintf()
function to build the query for the cd-key validation:

    query_length = sprintf(
        query,
        "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
        pid,    // product ID of the game
        ch,     // server challenge
        resp,   // client response <-- the cause of the bug!
        ip,     // client IP address
        skey);  // number to track the query

An explanation of the authentication method used by the Gamespy cd-key
validation SDK is available here:
  http://aluigi.altervista.org/papers/gskey-auth.txt

The buffer-overflow happens just during this instruction and then the
query is encoded using the classical XOR operation with the word
"gamespy" to be sent to the Gamespy master server.


#######################################################################

===========
3) The Code
===========


I have written a proof-of-concept only for the game Gore because its
protocol is simple enough:

  http://aluigi.altervista.org/poc/goregsbof.zip

For other games an idea is the usage of a debugger on the client for
the interception of the client string just generated, which must be
substituted with a bigger one; then it is needed to force the game to
use the entire big string, since usually only the normal 73 bytes are
used.


#######################################################################

======
4) Fix
======


The bug has been fixed on 19 November 2004, so the developers of the
vulnerable games have had a lot of time for checking their games and
patching them if needed.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
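The following is an added example, not code from the advisory, from SecurityTracker or from the GameSpy SDK. It places the unbounded sprintf() pattern quoted in section 2 of the advisory next to a hardened version of the same query builder, so a game developer can see what the "limitation in the length of the string received from the client" that the advisory asks for looks like in practice. The query buffer size (GS_QUERY_MAX), the 73-byte normal response length taken from section 3, the rejection of backslash characters inside resp (backslash is the field delimiter of the query), and the sample values for pid, ch, ip and skey are all assumptions made for this example; the real SDK's buffer size and the format of a legitimate response are not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the server-side query buffer is a fixed 512 bytes. */
#define GS_QUERY_MAX 512
/* From section 3 of the advisory: a normal client response is 73 bytes. */
#define GS_RESP_MAX  73

/* Query format exactly as quoted in the advisory. */
#define GS_AUTH_FMT "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d"

/* Vulnerable pattern from the advisory: sprintf() writes as many bytes as the
 * client-controlled resp needs, regardless of how large 'query' actually is. */
int build_auth_query_unsafe(char *query, int pid, const char *ch,
                            const char *resp, int ip, int skey)
{
    return sprintf(query, GS_AUTH_FMT, pid, ch, resp, ip, skey);
}

/* Hardened builder: the caller passes the real buffer size, the client
 * response is length-checked before any formatting happens, and snprintf()
 * is used as a second line of defence. Returns the query length, or -1 if the
 * response is rejected or the buffer would be too small. */
int build_auth_query(char *query, size_t query_size, int pid, const char *ch,
                     const char *resp, int ip, int skey)
{
    size_t i;
    int n;

    if (query == NULL || query_size == 0 || ch == NULL || resp == NULL)
        return -1;
    query[0] = '\0';

    /* Walk resp with an upper bound so an unterminated or oversized string is
     * rejected without reading past GS_RESP_MAX + 1 bytes. Assumption: a
     * legitimate response never contains the '\\' field delimiter. */
    for (i = 0; i <= GS_RESP_MAX; i++) {
        if (resp[i] == '\0')
            break;
        if (resp[i] == '\\')
            return -1;
    }
    if (i > GS_RESP_MAX)
        return -1;                      /* longer than any normal response */

    n = snprintf(query, query_size, GS_AUTH_FMT, pid, ch, resp, ip, skey);
    if (n < 0 || (size_t)n >= query_size) {
        query[0] = '\0';                /* would have been truncated: refuse */
        return -1;
    }
    return n;
}

/* Helper: build a query from a constructed response of resp_len 'A' bytes and
 * report what the hardened builder returns. */
int query_len_for_resp(size_t resp_len)
{
    char query[GS_QUERY_MAX];
    char *resp = malloc(resp_len + 1);
    int n;

    if (resp == NULL)
        return -2;
    memset(resp, 'A', resp_len);
    resp[resp_len] = '\0';
    n = build_auth_query(query, sizeof query, 1234, "abcd", resp, 16909060, 1);
    free(resp);
    return n;
}

/* Helper: for a normal-length response the hardened builder must produce
 * exactly the same query as the original sprintf() version. Returns 1 if so. */
int unsafe_matches_hardened(void)
{
    char a[GS_QUERY_MAX], b[GS_QUERY_MAX], resp[GS_RESP_MAX + 1];
    int n1, n2;

    memset(resp, 'A', GS_RESP_MAX);
    resp[GS_RESP_MAX] = '\0';
    n1 = build_auth_query_unsafe(a, 1234, "abcd", resp, 16909060, 1);
    n2 = build_auth_query(b, sizeof b, 1234, "abcd", resp, 16909060, 1);
    return n1 == n2 && strcmp(a, b) == 0;
}

int main(void)
{
    printf("normal 73-byte response -> query length %d\n",
           query_len_for_resp(GS_RESP_MAX));
    printf("300-byte response       -> %d (rejected)\n", query_len_for_resp(300));
    printf("hardened == original for normal input: %d\n", unsafe_matches_hardened());
    return 0;
}
```

The length check runs before the format call, so an overlong response never reaches the formatter at all; the snprintf() bound only matters if some other field grows unexpectedly. Rejecting rather than silently truncating is deliberate: a truncated query would still be sent to the master server and could fail validation in confusing ways, whereas an explicit -1 lets the server drop the client and log the event.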

Copyright 2019, SecurityGlobal.net LLC