SECURITYVULNS:DOC:7309, Dec 10, 2004 (vulners.com)

In-game buffer-overflow in the Gamespy cd-key validation SDK

#######################################################################

                         Luigi Auriemma

Application: Gamespy cd-key validation SDK
http://www.gamespy.net
Versions: before 20 November 2004
Games: because each game implements this SDK in its own way, it is
hard to test and list all the vulnerable games; however the
following is the official list of games that use the various
Gamespy SDKs (so not only the cd-key SDK):
http://www.gamespy.net/partners/
The following is a partial list, maintained by me, of the
games that use the cd-key validation SDK:
http://aluigi.altervista.org/papers/gshlist.txt
Platforms: any platform supported
Bug: buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 10 December 2004
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

The Gamespy cd-key validation SDK is a toolkit developed by Gamespy
(http://www.gamespy.net) and used by many games to handle the
verification of the cd-keys online.

#######################################################################

======
2) Bug

Before explaining the bug, it is important to specify that this is an
in-game bug: the attacker needs to have access to the vulnerable
server and, in this specific case, also needs to know the game's
protocol or to use a debugger to exploit the vulnerability.
Furthermore, whether a game is affected depends on how its developers
have implemented the Gamespy SDK.

In fact the problem is a buffer-overflow caused by an over-long response
string sent by the client to the server, so a game is not vulnerable
"only" if its developers have inserted a limit on the length of the
string received from the client (but I doubt that anyone did).

When the server receives the client's string, it calls the sprintf()
function to build the query for the cd-key validation:

query_length = sprintf(
    query,  // fixed-size destination buffer; sprintf() does no bounds check
    "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
    pid,    // product ID of the game
    ch,     // server challenge
    resp,   // client response (unbounded length) <-- the cause of the bug!
    ip,     // client IP address
    skey);  // number to track the query

An explanation of the authentication method used by the Gamespy cd-key
validation SDK is available here:
http://aluigi.altervista.org/papers/gskey-auth.txt

The buffer-overflow happens during this instruction; the query is then
encoded with the classical XOR operation using the word "gamespy"
before being sent to the Gamespy master server.
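As an added illustration (not code from this advisory or from the Gamespy SDK), the following C function builds the same query with a bounded formatter and rejects an over-long client response before formatting, which is the length limit the advisory says game developers should have inserted. The buffer size QUERY_SIZE, the limits MAX_CH_LEN and MAX_RESP_LEN, and the helper names are assumptions; the 73-byte limit follows the advisory's remark that a normal client string is 73 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Gamespy SDK code.  The sizes below are assumptions
 * chosen for illustration; the 73-byte limit follows the advisory's
 * remark that a normal client string is 73 bytes. */
#define QUERY_SIZE    256
#define MAX_CH_LEN     64
#define MAX_RESP_LEN   73

/* Length of s, scanning at most max+1 bytes so an unterminated buffer
 * cannot be read past; a result of max+1 means "longer than max". */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i <= max && s[i] != '\0')
        i++;
    return i;
}

/* Hardened counterpart of the advisory's sprintf() call: validates the
 * client-controlled strings first, then formats with snprintf(), which
 * never writes past query_size.  Returns the query length, or -1 if an
 * input was rejected or the query would not fit. */
int build_cdkey_query(char *query, size_t query_size,
                      int pid, const char *ch, const char *resp,
                      int ip, int skey)
{
    if (query == NULL || query_size == 0 || ch == NULL || resp == NULL)
        return -1;
    if (bounded_len(ch, MAX_CH_LEN) > MAX_CH_LEN)
        return -1;
    if (bounded_len(resp, MAX_RESP_LEN) > MAX_RESP_LEN)
        return -1;

    /* snprintf() returns the length the complete string would have had,
     * so a value >= query_size signals truncation rather than overflow. */
    int n = snprintf(query, query_size,
                     "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
                     pid, ch, resp, ip, skey);
    if (n < 0 || (size_t)n >= query_size) {
        query[0] = '\0';
        return -1;
    }
    return n;
}

/* Exercises the builder with constructed inputs: a normal-length response,
 * an over-long one, and a destination buffer that is too small.
 * Returns 0 when every case behaves as expected. */
int demo_checks(void)
{
    char query[QUERY_SIZE];
    char ok_resp[MAX_RESP_LEN + 1];
    char long_resp[1001];
    char small[32];
    int failures = 0;

    memset(ok_resp, 'A', MAX_RESP_LEN);              /* constructed 73-byte response */
    ok_resp[MAX_RESP_LEN] = '\0';
    memset(long_resp, 'A', sizeof long_resp - 1);    /* constructed 1000-byte response */
    long_resp[sizeof long_resp - 1] = '\0';

    /* 6 + 5 + 4 + 4 + 8 + 6 + 73 + 4 + 1 + 6 + 1 = 118 bytes of query */
    int n = build_cdkey_query(query, sizeof query, 1234, "abcdefgh", ok_resp, 5, 7);
    if (n != 118 || strlen(query) != 118u)
        failures++;
    if (build_cdkey_query(query, sizeof query, 1234, "abcdefgh", long_resp, 5, 7) != -1)
        failures++;
    if (build_cdkey_query(small, sizeof small, 1234, "abcdefgh", ok_resp, 5, 7) != -1)
        failures++;
    return failures;
}

int main(void)
{
    int f = demo_checks();
    printf("%s\n", f == 0 ? "all checks passed" : "checks failed");
    return f;
}
```

The two defences are independent: the length check on resp enforces the protocol's expected size and gives the server a point at which to log and drop a malformed client, while snprintf() with the truncation check guarantees that even an unexpected combination of field sizes can never write past the query buffer.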

#######################################################################

===========
3) The Code

I have written a proof-of-concept only for the game Gore because its
protocol is simple enough:

http://aluigi.altervista.org/poc/goregsbof.zip

For other games, one approach is to use a debugger on the client to
intercept the client string just after it is generated, substitute it
with a bigger one, and then force the game to use the entire big
string, since usually only the normal 73 bytes are used.

#######################################################################

======
4) Fix

The bug was fixed on 19 November 2004, so the developers of the
vulnerable games have had plenty of time to check their games and
patch them if needed.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org