####################################################################### Luigi Auriemma Applications: RogerWilco (http://www.rogerwilco.com) Versions: graphical server <= 1.4.1.6 dedicated server for win32 <= 0.30a dedicated server for linux/bsd <= 0.27 Platforms: ALL the platforms supported by the graphical server and the dedicated server (Win32, Linux and BSD) Bug: Remote buffer overflow Date: 08 Sep 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== RogerWilco is a real-time voice chat application developed by Gamespy and very used by gamers. ####################################################################### ====== 2) Bug ====== RogerWilco reads the data sent by the client as follow: 1 byte: 0x0f (it is a specific tag) 1 byte: 0x00 (it is a specific tag) 2 bytes: length of the data to read. We will call this size as 'N' N bytes: data As everyone can understand from this little intro the problem is just the possibility for the attacker to directly specify the amount of data the server will read. Then the server will launch the recv() function using the same buffer (that naturally has not been correctly allocated so it is small) and reading N bytes: recv(sock, buffer, N_bytes, 0); The result is the complete overwriting of the memory and, naturally, also of the return address of the main function. The first data that the client sends to the server contains the password to use, the channel to join and 12 bytes that I don't know what they represent. This means that does NOT exist a server that is not vulnerable, also if you set a password and if you choose a channel with a strange name or that is not known by the attacker. In fact the password is the only defense to limit or avoid undesired accesses to the own server. The other problem is that ALL the versions and the types of RogerWilco' servers are vulnerable, so both dedicated and not dedicated servers and all the versions of the program released until now. ####################################################################### =========== 3) The Code =========== A new option has been added to my tool created to test the RogerWilco's vulnerabilities found by me, check it: http://aluigi.org/poc/wilco.zip ####################################################################### ====== 4) Fix ====== No fix. Gamespy has been contacted over a week before the releasing of this advisory as suggested by the security community if the vendor doesn't answer to a bug report. Patching (and moreover preventing) this bug is very simple, so I don't understand why they have not corrected it yet... Then as explained in my advisory http://aluigi.org/adv/wilco-remix-adv.txt I have "continuely" contacted Gamespy for a lot of time and the only thing they have done has been ignoring my reports. #######################################################################