#######################################################################

                             Luigi Auriemma

Applications: RogerWilco
              http://www.rogerwilco.com
Versions:     graphical server <= 1.4.1.6
              dedicated server for win32 <= 0.30a
              dedicated server for linux/bsd <= 0.27
Platforms:    ALL the platforms supported by the graphical server and
              the dedicated server (Win32, Linux and BSD)
Bug:          Remote buffer overflow
Risk:         Critical
Author:       Luigi Auriemma
              e-mail: aluigi@pivx.com
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

RogerWilco is a real-time voice chat application developed by Gamespy
and widely used by gamers.

#######################################################################

======
2) Bug
======

RogerWilco reads the data sent by the client as follows:

  1 byte:  0x0f (a fixed tag)
  1 byte:  0x00 (a fixed tag)
  2 bytes: length of the data to read; we will call this size 'N'
  N bytes: data

As anyone can see from this short description, the problem is simply
that the attacker can directly specify the amount of data the server
will read. The server then calls recv() on the same fixed-size buffer
(which has not been sized according to N, so it is small) and reads N
bytes into it:

  recv(sock, buffer, N_bytes, 0);

The result is that the memory beyond the buffer is completely
overwritten, including, naturally, the return address of the main
function.

The first packet the client sends to the server contains the password
to use, the channel to join and 12 bytes whose meaning I don't know.
This means that there is NO server that is not vulnerable, even if you
set a password or choose a channel with an unusual name that the
attacker does not know.
In fact the password is the only defense for limiting or preventing
undesired access to your own server, and it is never checked before the
overflow happens.

The other problem is that ALL versions and types of RogerWilco servers
are vulnerable: both dedicated and non-dedicated servers, and every
version of the program released so far.

#######################################################################

===========
3) The Code
===========

A new option has been added to my tool for testing the RogerWilco
vulnerabilities I have found; check it here:

  http://aluigi.altervista.org/poc/wilco.zip

#######################################################################

======
4) Fix
======

No fix.

Gamespy was contacted over a week before the release of this advisory,
as suggested by the security community for the case in which the vendor
does not answer a bug report. Patching (and, above all, preventing)
this bug is very simple, so I don't understand why they have not
corrected it yet...

As explained in my advisory
http://aluigi.altervista.org/adv/wilco-remix-adv.txt I have repeatedly
contacted Gamespy over a long period of time, and the only thing they
have done is ignore my reports.

#######################################################################
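The following C program is an added example and is not RogerWilco's code nor
the author's proof-of-concept tool. It reproduces the client-to-server framing
described in section 2 (tag 0x0f, tag 0x00, 2-byte length N, N bytes of data)
and contrasts the vulnerable pattern, where N is passed straight to recv() on
a fixed buffer, with the bounded read that section 4 calls "very simple".
Assumptions not stated in the advisory: the 2-byte length is treated as
little-endian, the server buffer size (SERVER_BUF) is hypothetical, and the
socket is replaced by an in-memory stand-in so the code runs offline. The
vulnerable path only computes how far past the buffer a recv() of N bytes
would write; it does not perform the overflowing copy itself.

```c
/* Added example: RogerWilco-style framing, vulnerable vs. bounded read.
 * Not RogerWilco's code. Endianness of N and SERVER_BUF are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN    4    /* 0x0f, 0x00, then 2-byte length N */
#define SERVER_BUF 64   /* hypothetical size of the server's fixed buffer */

/* In-memory stand-in for a socket so the example runs without a network. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} fake_sock;

/* Mimics recv(): copies up to n bytes from the fake socket into buf.
 * Returns the number of bytes actually copied. */
static size_t fake_recv(fake_sock *s, uint8_t *buf, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Parses the 4-byte header. Returns -1 if the tags don't match, else N.
 * The length is decoded as little-endian (assumption, not from the advisory). */
static int parse_header(const uint8_t hdr[HDR_LEN]) {
    if (hdr[0] != 0x0f || hdr[1] != 0x00) return -1;
    return hdr[2] | (hdr[3] << 8);
}

/* Vulnerable pattern from section 2: the byte count handed to
 * recv(sock, buffer, N, 0) is taken directly from the packet. This returns
 * how many bytes past the end of the SERVER_BUF-byte buffer such a call could
 * write (0 means the frame fits). It deliberately does NOT do the copy. */
static size_t vulnerable_overrun(const uint8_t hdr[HDR_LEN]) {
    int n = parse_header(hdr);
    if (n < 0) return 0;
    return (size_t)n > SERVER_BUF ? (size_t)n - SERVER_BUF : 0;
}

/* Bounded read: N is checked against the real buffer size before any payload
 * is read, and over-long frames are rejected. Returns 0 on success, -1 on a
 * bad header, an oversized N, or a short read. */
static int safe_read_frame(fake_sock *s, uint8_t out[SERVER_BUF], size_t *out_len) {
    uint8_t hdr[HDR_LEN];
    if (fake_recv(s, hdr, HDR_LEN) != HDR_LEN) return -1;
    int n = parse_header(hdr);
    if (n < 0 || (size_t)n > SERVER_BUF) return -1;   /* the missing check */
    size_t got = fake_recv(s, out, (size_t)n);
    if (got != (size_t)n) return -1;
    *out_len = got;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = { 0x0f, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t evil_pkt[]   = { 0x0f, 0x00, 0xff, 0xff, 'A', 'A', 'A', 'A' };

int main(void) {
    uint8_t out[SERVER_BUF];
    size_t n;

    printf("benign: N=%d, overrun=%zu bytes\n",
           parse_header(benign_pkt), vulnerable_overrun(benign_pkt));
    printf("evil:   N=%d, overrun=%zu bytes\n",
           parse_header(evil_pkt), vulnerable_overrun(evil_pkt));

    fake_sock s1 = { benign_pkt, sizeof benign_pkt, 0 };
    printf("safe_read_frame(benign) = %d\n", safe_read_frame(&s1, out, &n));

    fake_sock s2 = { evil_pkt, sizeof evil_pkt, 0 };
    printf("safe_read_frame(evil)   = %d\n", safe_read_frame(&s2, out, &n));
    return 0;
}
```

The check in safe_read_frame is the whole fix: once N is bounded by the
buffer that actually receives the data, the attacker-controlled length can no
longer reach past it, and because the check runs before the payload is read,
no password or channel name is ever needed to trigger or to prevent it.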