Rogerwilco 1.4.1.2 and 1.4.1.6 remix of bugs
#######################################################################
Luigi Auriemma
Applications: RogerWilco (http://www.rogerwilco.com)
Versions: 1.4.1.2 (server and client buffer-overflow)
1.4.1.6 (server freeze bug; server and client crash)
Platforms: Windows
Bugs: crash, buffer-oveflow and temporary freeze
Risk: 1.4.1.2: High
1.4.1.6: Medium
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Story
3) Bugs
4) The Code
5) Fix
#######################################################################
===============
1) Introduction
===============
RogerWilco is a real-time voice chat application developed by Gamespy.
Over 2 months ago I released an advisory about the bugs of the previous
2001 version and now after this time I'm releasing another advisory
about similar vulnerabilities...
#######################################################################
========
2) Story
========
The recent RogerWilco's vulnerabilities story is composed by about 3
releases:
MkId3: released in 2001, it has been the latest until the 2003 summer
1.4.1.2: version released to fix the bugs I found in the previous 2001
version (unfortunally it didn't really patch one of them)
1.4.1.6: the "remixed" 2001 version (?)
Before the release of the 1.4.1.2 version, the Gamespy's developers
sent me a beta.
This version FULLY patched the bugs I found in the 2001 version.
After some days the 1.4.1.2 was pubblically released. I decided to give
a look to this version only to be sure that it really fixed the bugs...
and I had a surprise.
A longer nickname (about the double used to exploit the previous 2001
version) causes a buffer-overflow in the server and a broadcast buffer
overflow versus all the 1.4.1.2 clients if you launch the attack versus
a dedicated server.
In fact the dedicated server has never been vulnerable (the problems
are only in the graphical client/server) so it simply forwards the
malformed packet to the attached clients.
Well, naturally I quickly contacted Gamespy reporting the new problem.
Nobody recontacted me but the 8th July 2003 a new version (1.4.1.6)
was released.
I didn't test it quickly because I temporary abandoned this bug
research but after about 2 weeks I decided to test this new version.
The 1.4.1.6 version is very similar to the old 2001 version with some
little differences.
One of these differences in fact is that finally the broadcast buffer
overflow exists no more but at its place now there is a crash caused by
a nickname of at least 33 bytes.
I think that it is the old "remixed" 2001 version because there is a
knockdown evidence: the freeze bug existent in the 2001 version that
was patched in the 1.4.1.2 release...
Well, I recontacted them again asking for explanations and also to
re-report the problems and after some days finally the developers said
they were working to patch these bugs (again???).
Wait, wait and wait again but after over a month nobody has recontacted
me and no new versions have been released.
#######################################################################
=======
3) Bugs
=======
Important note:
---------------
The dedicated server (RWBS) is NOT vulnerable to these bugs.
However if will be used a dedicated server, it will forward the packets
received by the attacker to all the clients attached to it. So everyone
talking on that server will receive the malformed packet and will be
vulnerable to the attack.
The only limits for an attacker are the password (if it has been set by
the server and he don't know it) and the channel because it is needed
as target of the attack.
1.4.1.2:
--------
The 1.4.1.2 version is vulnerable to a buffer-overflow that happens
when a nickname of 1022 bytes long (the 2001 version needed 516 bytes)
is sent to the server but fortunally the server crashes before
forwarding the nickname to the other clients (instead in the 2001
version, the forwarding happened before the crash causing more damage).
1.4.1.6:
--------
The crash in the 1.4.1.6 version happens in NETWORK.DLL if you send a
nickname of at least 33 bytes.
Doesn't seem possible to execute remote code but only to crash the
server or the 1.4.1.6 clients connected to a dedicated server.
The other problem is the old server's freeze bug already seen in the
2001 version (http://aluigi.altervista.org/adv/wilco-adv.txt).
#######################################################################
===========
4) The Code
===========
There are 2 new options in my tool for the testing of the Rogerwilco's
vulnerabilities.
Read the instructions when you launch it to check the new bugs:
http://aluigi.altervista.org/poc/wilco.zip
#######################################################################
======
5) Fix
======
Gamespy has been contacted a lot of time, but they don't want or are
not able to patch the program.
I suggest who use this program to set -=EVER=- a server's password and
to give it only to trusted people, because an attacker needs to have
access to the server to exploit the vulnerabilities.
However check the RogerWilco website for possible updates.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org