#######################################################################

                             Luigi Auriemma

Application:  Gamespy cd-key validation SDK
              http://www.gamespy.net
Versions:     before 20 November 2004
Games:        because of how this SDK gets implemented it is hard to test
              and list all the vulnerable games; however the following is
              the official list of games that use the various Gamespy SDKs
              (so not only the cd-key SDK):
              http://www.gamespy.net/partners/
              while the following is a partial list, maintained by me, of
              the games that use the cd-key validation SDK:
              http://aluigi.altervista.org/papers/gshlist.txt
Platforms:    any platform supported
Bug:          buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         10 December 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Gamespy cd-key validation SDK is a toolkit developed by Gamespy
(http://www.gamespy.net) and used by many games to handle the online
verification of cd-keys.

#######################################################################

======
2) Bug
======

Before explaining the bug it is important to specify that this is an
in-game bug, so the attacker needs to have access to the vulnerable
server and, in this specific case, also needs to know the game's
protocol or to use a debugger to exploit the vulnerability; furthermore
it depends on how the developers have implemented the Gamespy SDK in
their games.
In fact the problem is a buffer-overflow caused by a too long response
string sent by the client to the server, so a game is not vulnerable
only if its developers have limited the length of the string received
from the client (but I doubt that anyone did it).

When the server receives the client's string it calls the sprintf()
function to build the query for the cd-key validation:

  query_length = sprintf(
    query,
    "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
    pid,    // product ID of the game
    ch,     // server challenge
    resp,   // client response   <-- the cause of the bug!
    ip,     // client IP address
    skey);  // number to track the query

An explanation of the authentication method used by the Gamespy cd-key
validation SDK is available here:

  http://aluigi.altervista.org/papers/gskey-auth.txt

The buffer-overflow happens during this very instruction; the query is
then encoded with the classic XOR operation using the word "gamespy"
and sent to the Gamespy master server.

#######################################################################

===========
3) The Code
===========

I have written a proof-of-concept only for the game Gore because its
protocol is simple enough:

  http://aluigi.altervista.org/poc/goregsbof.zip

For other games an idea is to use a debugger on the client to intercept
the client string just generated, which must be substituted with a
bigger one; the game then needs to be forced to use the entire big
string, since usually only the normal 73 bytes are used.

#######################################################################

======
4) Fix
======

The bug was fixed on 19 November 2004, so the developers of the
vulnerable games have had plenty of time to check their games and patch
them if needed.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
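The length limit that section 2 says most games lack, written out as an added example (not SDK code, which does not appear in this advisory): the sprintf() pattern from above is kept as a reference comment next to a hardened variant that rejects an over-long client response and formats with snprintf(), plus the XOR step with the word "gamespy". The buffer size, the 73-byte limit taken from the advisory's figure, and all field values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Sizes are assumptions for this example; the SDK's real buffer size is not
 * stated in the advisory.  RESP_MAX follows its "normal 73 bytes" figure. */
#define QUERY_SIZE 256
#define RESP_MAX   73

/* Vulnerable pattern from the advisory (for reference only, not called):
 *   query_length = sprintf(query, "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
 *                          pid, ch, resp, ip, skey);
 * resp comes straight from the client, so a long value overruns query. */

/* Hardened variant: bound the client-controlled field before formatting and
 * use snprintf() so the query can never exceed its buffer.  Returns the
 * query length, or -1 if the input was rejected or the output would truncate. */
int build_auth_query(char *query, size_t query_size, int pid, const char *ch,
                     const char *resp, int ip, int skey)
{
    if (resp == NULL || strlen(resp) > RESP_MAX)   /* the limit the games lacked */
        return -1;

    int n = snprintf(query, query_size,
                     "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
                     pid, ch, resp, ip, skey);
    if (n < 0 || (size_t)n >= query_size)          /* truncated: not a valid query */
        return -1;
    return n;
}

/* The advisory says the query is XOR-encoded with the word "gamespy" before
 * being sent to the master server; this applies that repeating key in place.
 * Applying it twice restores the plaintext. */
void gs_xor(char *buf, size_t len)
{
    static const char key[] = "gamespy";
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % (sizeof(key) - 1)];
}

int main(void)
{
    char query[QUERY_SIZE], resp[300];
    memset(resp, 'A', sizeof(resp) - 1);          /* constructed over-long response */
    resp[sizeof(resp) - 1] = '\0';
    printf("normal: %d\n", build_auth_query(query, sizeof(query), 1, "chal", "resp", 1, 1));
    printf("too long: %d\n", build_auth_query(query, sizeof(query), 1, "chal", resp, 1, 1));
    return 0;
}
```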