Rogerwilco 1.4.1.2 and 1.4.1.6 remix of bugs

From: Luigi Auriemma (aluigi_at_pivx.com)
Date: 09/08/03

  • Next message: James Patterson Wicks: "[Full-Disclosure] Backdoor.Sdbot.N Question"
    Date: Mon, 8 Sep 2003 19:21:06 +0000
    To: bugtraq@securityfocus.com
    
    

    #######################################################################

                                Luigi Auriemma

    Applications: RogerWilco (http://www.rogerwilco.com)
    Versions: 1.4.1.2 (server and client buffer-overflow)
                  1.4.1.6 (server freeze bug; server and client crash)
    Platforms: Windows
    Bugs: crash, buffer-oveflow and temporary freeze
    Risk: 1.4.1.2: High
                  1.4.1.6: Medium
    Author: Luigi Auriemma
                  e-mail: aluigi@pivx.com
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Story
    3) Bugs
    4) The Code
    5) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    RogerWilco is a real-time voice chat application developed by Gamespy.
    Over 2 months ago I released an advisory about the bugs of the previous
    2001 version and now after this time I'm releasing another advisory
    about similar vulnerabilities...

    #######################################################################

    ========
    2) Story
    ========

    The recent RogerWilco's vulnerabilities story is composed by about 3
    releases:

    MkId3: released in 2001, it has been the latest until the 2003 summer
    1.4.1.2: version released to fix the bugs I found in the previous 2001
             version (unfortunally it didn't really patch one of them)
    1.4.1.6: the "remixed" 2001 version (?)

    Before the release of the 1.4.1.2 version, the Gamespy's developers
    sent me a beta.
    This version FULLY patched the bugs I found in the 2001 version.

    After some days the 1.4.1.2 was pubblically released. I decided to give
    a look to this version only to be sure that it really fixed the bugs...
    and I had a surprise.
    A longer nickname (about the double used to exploit the previous 2001
    version) causes a buffer-overflow in the server and a broadcast buffer
    overflow versus all the 1.4.1.2 clients if you launch the attack versus
    a dedicated server.
    In fact the dedicated server has never been vulnerable (the problems
    are only in the graphical client/server) so it simply forwards the
    malformed packet to the attached clients.

    Well, naturally I quickly contacted Gamespy reporting the new problem.

    Nobody recontacted me but the 8th July 2003 a new version (1.4.1.6)
    was released.
    I didn't test it quickly because I temporary abandoned this bug
    research but after about 2 weeks I decided to test this new version.

    The 1.4.1.6 version is very similar to the old 2001 version with some
    little differences.
    One of these differences in fact is that finally the broadcast buffer
    overflow exists no more but at its place now there is a crash caused by
    a nickname of at least 33 bytes.
    I think that it is the old "remixed" 2001 version because there is a
    knockdown evidence: the freeze bug existent in the 2001 version that
    was patched in the 1.4.1.2 release...

    Well, I recontacted them again asking for explanations and also to
    re-report the problems and after some days finally the developers said
    they were working to patch these bugs (again???).

    Wait, wait and wait again but after over a month nobody has recontacted
    me and no new versions have been released.

    #######################################################################

    =======
    3) Bugs
    =======

    Important note:
    ---------------
    The dedicated server (RWBS) is NOT vulnerable to these bugs.
    However if will be used a dedicated server, it will forward the packets
    received by the attacker to all the clients attached to it. So everyone
    talking on that server will receive the malformed packet and will be
    vulnerable to the attack.
    The only limits for an attacker are the password (if it has been set by
    the server and he don't know it) and the channel because it is needed
    as target of the attack.

    1.4.1.2:
    --------
    The 1.4.1.2 version is vulnerable to a buffer-overflow that happens
    when a nickname of 1022 bytes long (the 2001 version needed 516 bytes)
    is sent to the server but fortunally the server crashes before
    forwarding the nickname to the other clients (instead in the 2001
    version, the forwarding happened before the crash causing more damage).

    1.4.1.6:
    --------
    The crash in the 1.4.1.6 version happens in NETWORK.DLL if you send a
    nickname of at least 33 bytes.
    Doesn't seem possible to execute remote code but only to crash the
    server or the 1.4.1.6 clients connected to a dedicated server.
    The other problem is the old server's freeze bug already seen in the
    2001 version (http://aluigi.altervista.org/adv/wilco-adv.txt).

    #######################################################################

    ===========
    4) The Code
    ===========

    There are 2 new options in my tool for the testing of the Rogerwilco's
    vulnerabilities.
    Read the instructions when you launch it to check the new bugs:

    http://aluigi.altervista.org/poc/wilco.zip

    #######################################################################

    ======
    5) Fix
    ======

    Gamespy has been contacted a lot of time, but they don't want or are
    not able to patch the program.

    I suggest who use this program to set -=EVER=- a server's password and
    to give it only to trusted people, because an attacker needs to have
    access to the server to exploit the vulnerabilities.

    However check the RogerWilco website for possible updates.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org


  • Next message: James Patterson Wicks: "[Full-Disclosure] Backdoor.Sdbot.N Question"