wilco-recvbof-adv.txt
Posted Sep 11, 2003
Authored by Luigi Auriemma | Site aluigi.altervista.org

A vulnerability lies in the Roger Wilco client where it trusts the data length specified in a packet without validation and can allow the program to allocate an insufficiently sized buffer. Versions affected: Graphical server 1.4.1.6 and below, Dedicated server for Win32 0.30a and below and Linux/BSD 0.27 and below.

tags | advisory, overflow
systems | linux, windows, bsd
SHA-256 | deff21d4849d1e9951b10fb183f5b0b9f242bf1b7a7c77fa8c3f4dae20339197

#######################################################################

Luigi Auriemma

Applications: RogerWilco (http://www.rogerwilco.com)
Versions: graphical server <= 1.4.1.6
dedicated server for win32 <= 0.30a
dedicated server for linux/bsd <= 0.27
Platforms: ALL the platforms supported by the graphical server and
the dedicated server (Win32, Linux and BSD)
Bug: Remote buffer overflow
Risk: Critical
Author: Luigi Auriemma
e-mail: aluigi@pivx.com
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix



#######################################################################

===============
1) Introduction
===============


RogerWilco is a real-time voice chat application developed by Gamespy
and widely used by gamers.



#######################################################################

======
2) Bug
======


RogerWilco reads the data sent by the client as follows:

1 byte: 0x0f (a specific tag)
1 byte: 0x00 (a specific tag)
2 bytes: length of the data to read. We will call this size 'N'
N bytes: data


As everyone can understand from this little intro, the problem is simply
that the attacker can directly specify the amount of data the server
will read.
The server then calls the recv() function using the same buffer (which,
naturally, has not been correctly allocated, so it is small) and reads
N bytes:

recv(sock, buffer, N_bytes, 0);

The result is the complete overwriting of the memory and, naturally,
also of the return address of the main function.
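The bounds check that is missing from the read described above, as an added example that is not code from RogerWilco or from the author's tool: it parses the 4-byte header (0x0f, 0x00, 2-byte N) and refuses any N larger than the receive buffer. The buffer size, the little-endian byte order of N and the in-memory packet standing in for the socket are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical buffer size; the advisory does not state the real allocation. */
#define RW_BUF_SIZE 64

/* Header layout from the advisory: 0x0f, 0x00, then a 2-byte length N.
 * The advisory does not give the byte order of N; little-endian is assumed. */
static int rw_parse_header(const uint8_t *hdr, size_t hdr_len, uint16_t *n_out)
{
    if (hdr_len < 4 || hdr[0] != 0x0f || hdr[1] != 0x00)
        return -1;
    *n_out = (uint16_t)(hdr[2] | ((uint16_t)hdr[3] << 8));
    return 0;
}

/* Vulnerable pattern from the advisory, shown only as a comment:
 *     recv(sock, buffer, N, 0);   // N is attacker-controlled, buffer is small
 *
 * Hardened version: reads one packet from a constructed in-memory byte string
 * (standing in for the socket) and rejects any N that exceeds the buffer.
 * Returns the payload length copied into buf, or -1 if the packet is rejected. */
int rw_read_packet(const uint8_t *pkt, size_t pkt_len, uint8_t *buf, size_t buf_cap)
{
    uint16_t n;
    if (rw_parse_header(pkt, pkt_len, &n) != 0)
        return -1;
    if (n > buf_cap)              /* the missing check: N against the allocation */
        return -1;
    if ((size_t)n > pkt_len - 4)  /* truncated packet: fewer bytes than announced */
        return -1;
    memcpy(buf, pkt + 4, n);
    return (int)n;
}
```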

The first data that the client sends to the server contains the
password to use, the channel to join and 12 bytes whose meaning I
don't know.
This means that there is NO server that is not vulnerable, even if
you set a password and choose a channel with a strange name or one
that is not known to the attacker.
In fact the password is the only defense to limit or avoid undesired
access to your own server.

The other problem is that ALL the versions and types of RogerWilco
servers are vulnerable, so both dedicated and non-dedicated servers and
all the versions of the program released until now.



#######################################################################

===========
3) The Code
===========


A new option has been added to my tool, created to test the RogerWilco
vulnerabilities I have found; check it here:


http://aluigi.altervista.org/poc/wilco.zip



#######################################################################

======
4) Fix
======


No fix.

Gamespy was contacted over a week before the release of this
advisory, as suggested by the security community for the case where the
vendor doesn't answer a bug report.

Patching (and moreover preventing) this bug is very simple, so I don't
understand why they have not corrected it yet...

Then, as explained in my advisory
http://aluigi.altervista.org/adv/wilco-remix-adv.txt
I have "continually" contacted Gamespy for a long time and the only
thing they have done has been to ignore my reports.



#######################################################################