Hacker Finds Gamespy Bugs, Gamespy SLAPPs the Guy with DMCA C+D
The guy was trying to HELP GS by pointing out some Sploits he found in their horrifically bloated and buggy code, and that's how they treat him!?
I'm glad I already have the All Seeing Eye! I got turned off by Gamespy's insane amount of ads (a full minute of not being able to do a damn thing while GS downloaded and played a full-fucking-screen Flash advert, NTM my Quake game was hella faster with ASE in the background than with GS ads sponging up every last CPU cycle they could get). So Fuck you Gamespy, I hope you enjoy having the entire gaming community pissed off at you. I also hope you enjoy watching your competitors reap extra profits due to the Law of Unintended Consequences. See You In Hell.
I think I'll pony up the $30 registration fee. A small price to pay IMO. Lata and Happy Fragging!
Fuck You Gamespy!
Moderator: Thanas
- Einhander Sn0m4n
- Insane Railgunner
- Posts: 18630
- Joined: 2002-10-01 05:51am
- Location: Louisiana... or Dagobah. You know, where Yoda lives.
-
- Pathetic Attention Whore
- Posts: 5470
- Joined: 2003-02-17 12:04pm
- Location: Bat Country!
- Vertigo1
- Defender of the Night
- Posts: 4720
- Joined: 2002-08-12 12:47am
- Location: Tennessee, USA
- Contact:
This is why I stick to Kali. One time fee of $10 (was $20 when I regged back in '97) and the servers are GREAT!
"I once asked Rebecca to sing Happy Birthday to me during sex. That was funny, especially since I timed my thrusts to sync up with the words. And yes, it was my birthday." - Darth Wong
Leader of the SD.Net Gargoyle Clan | Spacebattles Firstone | Twitter
- ArmorPierce
- Rabid Monkey
- Posts: 5904
- Joined: 2002-07-04 09:54pm
- Location: Born and raised in Brooklyn, unfortunately presently in Jersey
The way he went about it (publishing how to do it publicly) was dumb though.
Brotherhood of the Monkey @( !.! )@
To give anything less than your best is to sacrifice the gift. ~Steve Prefontaine
Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht frist and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed ervey lteter by it slef but the wrod as a wlohe.
- Faram
- Bastard Operator from Hell
- Posts: 5271
- Joined: 2002-07-04 07:39am
- Location: Fighting Polarbears
ArmorPierce wrote:The way he went about it (publishing how to do it publicly) was dumb though.
That's standard practice. Subscribe to Full-Disclosure to get the hot info and howtos for any system.
Security through obscurity don't work.
Oh and here's the mail that pissed gamespy off:
Full-Disclosure welcomes any new subscriber, but be warned: it's a very high-density mailing list, 50+ mails/day is not unusual.
#######################################################################
Luigi Auriemma
Applications: RogerWilco (http://www.rogerwilco.com)
Versions: graphical server <= 1.4.1.6
dedicated server for win32 <= 0.30a
dedicated server for linux/bsd <= 0.27
Platforms: ALL the platforms supported by the graphical server and
the dedicated server (Win32, Linux and BSD)
Bug: Remote buffer overflow
Risk: Critical
Author: Luigi Auriemma
e-mail: aluigi@pivx.com
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
RogerWilco is a real-time voice chat application developed by Gamespy and very used by gamers.
#######################################################################
======
2) Bug
======
RogerWilco reads the data sent by the client as follows:
1 byte: 0x0f (it is a specific tag)
1 byte: 0x00 (it is a specific tag)
2 bytes: length of the data to read. We will call this size as 'N'
N bytes: data
As everyone can understand from this little intro the problem is just the possibility for the attacker to directly specify the amount of data the server will read. Then the server will launch the recv() function using the same buffer (that naturally has not been correctly allocated so it is small) and reading N bytes:
recv(sock, buffer, N_bytes, 0);
The result is the complete overwriting of the memory and, naturally, also of the return address of the function.
The first data that the client sends to the server contains the password to use, the channel to join and 12 bytes that I don't know what they represent. This means that does NOT exist a server that is not vulnerable, also if you set a password and if you choose a channel with a strange name or that is not known by the attacker. In fact the password is the only defense to limit or avoid undesired accesses to the own server.
The other problem is that ALL the versions and the types of RogerWilco's servers are vulnerable, so both dedicated and not dedicated servers and all the versions of the program released until now.
#######################################################################
===========
3) The Code
===========
A new option has been added to my tool created to test the RogerWilco's vulnerabilities found by me, check it:
http://aluigi.altervista.org/poc/wilco.zip
#######################################################################
======
4) Fix
======
No fix.
Gamespy has been contacted over a week before the releasing of this advisory as suggested by the security community if the vendor doesn't answer to a bug signalation.
Patching (and moreover preventing) this bug is very simple, so I don't understand why they have not corrected it yet...
Then as explained in my advisory http://aluigi.altervista.org/adv/wilco-remix-adv.txt
I have "continuely" contacted Gamespy for a lot of time and the only thing they have done has been ignoring my signalations.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus
Fear is the mother of all gods.
Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
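The advisory quoted above says patching the bug is simple: the length N declared by the client must be checked against the size of the receiving buffer before any read. The following C sketch of that check is an added example, not code from the advisory, RogerWilco or Gamespy; the function names, the 256-byte buffer size and the little-endian byte order of the length field are assumptions, and the frames are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDR   4    /* tag 0x0f, tag 0x00, 2-byte length N */
#define PAYLOAD_CAP 256  /* assumed size of the receive buffer */

enum frame_status { FRAME_OK = 0, FRAME_SHORT, FRAME_BAD_TAG, FRAME_TOO_LONG };

/* Parse one frame from in[0..in_len) into out[0..out_cap). N is checked against
 * the destination capacity and the bytes actually present before any copy. */
enum frame_status parse_frame(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (in_len < FRAME_HDR)
        return FRAME_SHORT;
    if (in[0] != 0x0f || in[1] != 0x00)
        return FRAME_BAD_TAG;
    /* Assumption: the page does not give the byte order; little-endian here. */
    size_t n = (size_t)in[2] | ((size_t)in[3] << 8);
    /* The check the vulnerable server lacks: never trust N beyond the buffer.
     * With a socket, this test goes before recv(sock, buffer, n, 0). */
    if (n > out_cap)
        return FRAME_TOO_LONG;
    if (n > in_len - FRAME_HDR)
        return FRAME_SHORT;
    memcpy(out, in + FRAME_HDR, n);
    *out_len = n;
    return FRAME_OK;
}

/* Constructed test frame: header declaring `declared` bytes, `sent` present. */
enum frame_status check_declared_length(uint16_t declared, size_t sent, size_t *got)
{
    uint8_t frame[FRAME_HDR + 1024] = { 0x0f, 0x00,
        (uint8_t)(declared & 0xff), (uint8_t)(declared >> 8) };
    uint8_t payload[PAYLOAD_CAP];
    if (sent > 1024) sent = 1024;
    memset(frame + FRAME_HDR, 'A', sent);
    return parse_frame(frame, FRAME_HDR + sent, payload, sizeof payload, got);
}

int main(void)
{
    size_t got;
    printf("N=16, 16 sent   -> %d\n", check_declared_length(16, 16, &got));
    printf("N=4096, 64 sent -> %d\n", check_declared_length(4096, 64, &got));
    return 0;
}
```

A frame rejected with `FRAME_TOO_LONG` should cause the connection to be dropped rather than the length clamped, since the rest of the stream can no longer be parsed reliably.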