####################################################################### Luigi Auriemma Applications: RogerWilco (http://www.rogerwilco.com) Versions: 1.4.1.2 (server and client buffer-overflow) 1.4.1.6 (server freeze bug; server and client crash) Platforms: Windows Bugs: crash, buffer-oveflow and temporary freeze Date: 08 Sep 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Story 3) Bugs 4) The Code 5) Fix ####################################################################### =============== 1) Introduction =============== RogerWilco is a real-time voice chat application developed by Gamespy. Over 2 months ago I released an advisory about the bugs of the previous 2001 version and now after this time I'm releasing another advisory about similar vulnerabilities... ####################################################################### ======== 2) Story ======== The recent RogerWilco's vulnerabilities story is composed by about 3 releases: MkId3: released in 2001, it has been the latest until the 2003 summer 1.4.1.2: version released to fix the bugs I found in the previous 2001 version (unfortunally it didn't really patch one of them) 1.4.1.6: the "remixed" 2001 version (?) Before the release of the 1.4.1.2 version, the Gamespy's developers sent me a beta. This version FULLY patched the bugs I found in the 2001 version. After some days the 1.4.1.2 was publicly released. I decided to give a look to this version only to be sure that it really fixed the bugs... and I had a surprise. A longer nickname (about the double used to exploit the previous 2001 version) causes a buffer-overflow in the server and a broadcast buffer overflow versus all the 1.4.1.2 clients if you launch the attack versus a dedicated server. In fact the dedicated server has never been vulnerable (the problems are only in the graphical client/server) so it simply forwards the malformed packet to the attached clients. Well, naturally I quickly contacted Gamespy reporting the new problem. Nobody recontacted me but the 8th July 2003 a new version (1.4.1.6) was released. I didn't test it quickly because I temporary abandoned this bug research but after about 2 weeks I decided to test this new version. The 1.4.1.6 version is very similar to the old 2001 version with some little differences. One of these differences in fact is that finally the broadcast buffer overflow exists no longer but at its place now there is a crash caused by a nickname of at least 33 bytes. I think that it is the old "remixed" 2001 version because there is a knockdown evidence: the freeze bug existent in the 2001 version that was patched in the 1.4.1.2 release... Well, I recontacted them again asking for explanations and also to re-report the problems and after some days finally the developers said they were working to patch these bugs (again???). Wait, wait and wait again but after over a month nobody has recontacted me and no new versions have been released. ####################################################################### ======= 3) Bugs ======= Important note: --------------- The dedicated server (RWBS) is NOT vulnerable to these bugs. However if will be used a dedicated server, it will forward the packets received by the attacker to all the clients attached to it. So everyone talking on that server will receive the malformed packet and will be vulnerable to the attack. The only limits for an attacker are the password (if it has been set by the server and he don't know it) and the channel because it is needed as target of the attack. 1.4.1.2: -------- The 1.4.1.2 version is vulnerable to a buffer-overflow that happens when a nickname of 1022 bytes long (the 2001 version needed 516 bytes) is sent to the server but fortunally the server crashes before forwarding the nickname to the other clients (instead in the 2001 version, the forwarding happened before the crash causing more damage). 1.4.1.6: -------- The crash in the 1.4.1.6 version happens in NETWORK.DLL if you send a nickname of at least 33 bytes. Doesn't seem possible to execute remote code but only to crash the server or the 1.4.1.6 clients connected to a dedicated server. The other problem is the old server's freeze bug already seen in the 2001 version (http://aluigi.org/adv/wilco-adv.txt). ####################################################################### =========== 4) The Code =========== There are 2 new options in my tool for the testing of the Rogerwilco's vulnerabilities. Read the instructions when you launch it to check the new bugs: http://aluigi.org/poc/wilco.zip ####################################################################### ====== 5) Fix ====== Gamespy has been contacted a lot of time, but they don't want or are not able to patch the program. I suggest who use this program to set -=EVER=- a server's password and to give it only to trusted people, because an attacker needs to have access to the server to exploit the vulnerabilities. However check the RogerWilco website for possible updates. #######################################################################