Rogerwilco: server's buffer overflow

From: Luigi Auriemma (aluigi_at_pivx.com)
Date: 09/08/03

    Date: Mon, 8 Sep 2003 19:21:17 +0000
    To: bugtraq@securityfocus.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Applications: RogerWilco (http://www.rogerwilco.com)
    Versions: graphical server <= 1.4.1.6
                  dedicated server for win32 <= 0.30a
                  dedicated server for linux/bsd <= 0.27
    Platforms: ALL the platforms supported by the graphical server and
                  the dedicated server (Win32, Linux and BSD)
    Bug: Remote buffer overflow
    Risk: Critical
    Author: Luigi Auriemma
                  e-mail: aluigi@pivx.com
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    RogerWilco is a real-time voice chat application developed by Gamespy
    and widely used by gamers.

    #######################################################################

    ======
    2) Bug
    ======

    The RogerWilco server reads the data sent by a client as follows:

    1 byte: 0x0f (it is a specific tag)
    1 byte: 0x00 (it is a specific tag)
    2 bytes: length of the data to read. We will call this size as 'N'
    N bytes: data

    As this short description shows, the problem is simply that the
    attacker directly specifies the amount of data the server will read.
    The server then calls recv() into the same buffer, a small fixed-size
    buffer that was never allocated for N bytes, asking for N bytes:

        recv(sock, buffer, N_bytes, 0);

    The result is that the memory beyond the buffer is overwritten,
    including, naturally, the return address of the function.
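    The read pattern described above, next to a bounded replacement for it,
    as an added example written for this page (it is not code from
    RogerWilco nor from the advisory's tool). The 4-byte header layout is
    the one given above; the 64-byte buffer size, the little-endian length
    field and the fake recv() that stands in for a socket are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumptions for illustration: the advisory gives only the 4-byte header
   layout and states neither the buffer size nor the byte order of N. */
#define RW_BUF_SIZE 64        /* small fixed buffer the server receives into */
#define RW_TAG0     0x0f
#define RW_TAG1     0x00

enum rw_status { RW_OK = 0, RW_BAD_TAG = -1, RW_TOO_LONG = -2, RW_TRUNCATED = -3 };

/* Stand-in for a socket: a constructed byte string read with recv()
   semantics, i.e. a call may return fewer bytes than asked for. */
struct fake_sock { const unsigned char *data; size_t len, pos, chunk; };

static size_t fake_recv(struct fake_sock *s, void *buf, size_t want) {
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    if (s->chunk && n > s->chunk) n = s->chunk;   /* force short reads */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;                                     /* 0 == no more data */
}

/* Read exactly `want` bytes, looping over short reads. */
static int recv_exact(struct fake_sock *s, unsigned char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        size_t n = fake_recv(s, buf + got, want - got);
        if (n == 0) return RW_TRUNCATED;
        got += n;
    }
    return RW_OK;
}

/* The pattern the advisory describes (do NOT use): N comes straight off
 * the wire and is handed to recv() with a buffer that is not N bytes long.
 *
 *   unsigned char buffer[RW_BUF_SIZE];
 *   recv(sock, hdr, 4, 0);
 *   N = hdr[2] | (hdr[3] << 8);
 *   recv(sock, buffer, N, 0);   <- writes past `buffer` when N > RW_BUF_SIZE
 */

/* Hardened reader: check the tags, bound N by the buffer we actually own,
   then read exactly N bytes. Returns RW_OK and sets *out_len, or an error. */
int rw_read_message(struct fake_sock *s, unsigned char *buf, size_t bufsize,
                    size_t *out_len) {
    unsigned char hdr[4];
    int rc = recv_exact(s, hdr, sizeof hdr);
    if (rc != RW_OK) return rc;
    if (hdr[0] != RW_TAG0 || hdr[1] != RW_TAG1) return RW_BAD_TAG;
    size_t n = (size_t)hdr[2] | ((size_t)hdr[3] << 8);   /* little-endian assumed */
    if (n > bufsize) return RW_TOO_LONG;                 /* the missing check */
    rc = recv_exact(s, buf, n);
    if (rc != RW_OK) return rc;
    *out_len = n;
    return RW_OK;
}

/* Run the reader over a constructed packet; chunk > 0 limits each fake
   recv() to at most `chunk` bytes. Returns the rw_status. */
int rw_try(const unsigned char *pkt, size_t pktlen, size_t chunk, size_t *out_len) {
    struct fake_sock s = { pkt, pktlen, 0, chunk };
    unsigned char buf[RW_BUF_SIZE];
    return rw_read_message(&s, buf, sizeof buf, out_len);
}

int main(void) {
    size_t n = 0;
    /* constructed packets */
    static const unsigned char ok[]     = { 0x0f, 0x00, 0x05, 0x00, 'h','e','l','l','o' };
    static const unsigned char big[]    = { 0x0f, 0x00, 0xff, 0xff };           /* N = 65535 */
    static const unsigned char badtag[] = { 0x0e, 0x00, 0x01, 0x00, 'x' };
    static const unsigned char cut[]    = { 0x0f, 0x00, 0x08, 0x00, 'a','b','c' }; /* N = 8, 3 sent */

    int rc = rw_try(ok, sizeof ok, 2, &n);
    printf("ok     -> %d (len %zu)\n", rc, n);
    printf("big    -> %d\n", rw_try(big, sizeof big, 0, &n));
    printf("badtag -> %d\n", rw_try(badtag, sizeof badtag, 0, &n));
    printf("cut    -> %d\n", rw_try(cut, sizeof cut, 0, &n));
    return 0;
}
```

    The length check sits before the payload recv(), so a hostile N is
    rejected without touching the buffer; the loop in recv_exact() also
    handles the short reads a real recv() can return, which the one-shot
    call in the advisory does not.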

    The first packet the client sends to the server contains the password
    to use, the channel to join and 12 bytes whose meaning I don't know.
    Since the overflow happens while the server reads this very first
    packet, before the password in it can be checked, there is NO server
    that is not vulnerable, even if you set a password or choose a channel
    with an unusual name or one the attacker doesn't know.
    The password is in fact the only defense for limiting or preventing
    unwanted access to one's own server.

    The other problem is that ALL versions and types of RogerWilco servers
    are vulnerable: dedicated and non-dedicated (graphical) servers alike,
    in every version of the program released so far.

    #######################################################################

    ===========
    3) The Code
    ===========

    A new option has been added to my tool for testing the RogerWilco
    vulnerabilities I have found; see:

    http://aluigi.altervista.org/poc/wilco.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.

    Gamespy was contacted over a week before the release of this advisory,
    as the security community suggests doing when the vendor does not
    answer a bug report.

    Patching (and, more importantly, preventing) this bug is very simple,
    so I don't understand why they have not corrected it yet...

    As explained in my advisory
    http://aluigi.altervista.org/adv/wilco-remix-adv.txt
    I have "continually" contacted Gamespy for a long time and the only
    thing they have done is ignore my reports.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

