
la-gamespy.txt
Posted Dec 12, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

Gamespy cd-key validation SDK toolkit suffers from an in-game buffer overflow vulnerability.

tags | advisory, overflow
SHA-256 | 77bedf1aa6487dec667bf59d02065c3be1789f19425ad5beefa3652de81af41a


#######################################################################

Luigi Auriemma

Application: Gamespy cd-key validation SDK
http://www.gamespy.net
Versions: before 20 November 2004
Games: because of the way this SDK is implemented it is hard to test
and list all the vulnerable games; however, the following is
the official list of games that use the various Gamespy
SDKs (so not only the cd-key SDK):
http://www.gamespy.net/partners/
while the following is a partial list, maintained by me,
of the games that use the cd-key validation SDK:
http://aluigi.altervista.org/papers/gshlist.txt
Platforms: any platform supported
Bug: buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 10 December 2004
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Gamespy cd-key validation SDK is a toolkit developed by Gamespy
(http://www.gamespy.net) and used by many games to handle the
verification of the cd-keys online.


#######################################################################

======
2) Bug
======


Before explaining the bug it is important to specify that this is an
in-game bug, so the attacker needs to have access to the vulnerable
server and, in this specific case, also needs to know the game's
protocol or to use a debugger to exploit the vulnerability; furthermore
it depends on how the developers have implemented the Gamespy SDK in
their games.

In fact the problem is a buffer-overflow caused by a too long response
string sent by the client to the server, so a game is not vulnerable
only if its developers have inserted a limit on the length of the
string received from the client (but I doubt that anyone did).

When the server receives the client's string it calls the sprintf()
function to build the query for the cd-key validation:

query_length = sprintf(
    query,
    "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d",
    pid,   // product ID of the game
    ch,    // server challenge
    resp,  // client response <-- the cause of the bug!
    ip,    // client IP address
    skey); // number to track the query

An explanation of the authentication method used by the Gamespy cd-key
validation SDK is available here:
http://aluigi.altervista.org/papers/gskey-auth.txt

The buffer-overflow happens during this very instruction: sprintf()
writes the whole client response into the fixed-size query buffer with
no bound check. Afterwards the query is encoded using the classical XOR
operation with the word "gamespy" and sent to the Gamespy master server.
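The query construction above, as an added example written for this page
(it is not code from the advisory or from the Gamespy SDK): the
unbounded sprintf() pattern the advisory describes, next to a hardened
builder that refuses an over-long response, bounds the write with
snprintf() and treats truncation as an error, followed by the XOR step
with "gamespy". The buffer size QUERY_MAX, the 73-byte response limit,
the function names and the repeating-key form of the XOR are
assumptions made for illustration; the sample field values are
constructed, not captured from a real exchange.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define QUERY_MAX 512 /* assumed size of the server-side query buffer */
#define RESP_MAX   73 /* normal length of the client response per the advisory */

/* Assumed repeating-key form of the "gamespy" XOR described above. */
static const char GS_KEY[] = "gamespy";

/* The pattern the advisory describes: sprintf() copies the
 * attacker-controlled resp into a fixed buffer with no bound check.
 * Kept only for contrast; never call it on untrusted input. */
int build_query_unsafe(char *query, int pid, const char *ch,
                       const char *resp, unsigned ip, int skey)
{
    return sprintf(query,
                   "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%u\\skey\\%d",
                   pid, ch, resp, ip, skey);
}

/* Hardened version: reject an over-long response before formatting,
 * bound the write with snprintf(), and treat truncation as an error so
 * a partial query is never sent. Returns the query length or -1. */
int build_query_safe(char *query, size_t query_size, int pid,
                     const char *ch, const char *resp, unsigned ip, int skey)
{
    /* No NUL within RESP_MAX + 1 bytes means resp is longer than allowed. */
    if (memchr(resp, '\0', RESP_MAX + 1) == NULL)
        return -1;

    int n = snprintf(query, query_size,
                     "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%u\\skey\\%d",
                     pid, ch, resp, ip, skey);
    if (n < 0 || (size_t)n >= query_size)
        return -1; /* encoding error or truncated output */
    return n;
}

/* XOR the query with the repeating key before it goes to the master
 * server; applying it twice restores the plaintext. */
void gamespy_xor(unsigned char *buf, size_t len)
{
    const size_t klen = sizeof(GS_KEY) - 1;
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (unsigned char)GS_KEY[i % klen];
}

/* Exercises the hardened builder and the XOR step on constructed inputs.
 * Returns 0 when every check passes, otherwise the number of the first
 * failing check. */
int self_check(void)
{
    char query[QUERY_MAX];
    /* Constructed sample values, not a captured exchange. */
    const char *ch = "ABCDEFGH";
    const char *resp = "0123456789";
    int n = build_query_safe(query, sizeof query, 1234, ch, resp, 3232235777u, 42);
    if (n != 65 || strlen(query) != 65)
        return 1;
    if (strcmp(query, "\\auth\\\\pid\\1234\\ch\\ABCDEFGH\\resp\\0123456789"
                      "\\ip\\3232235777\\skey\\42") != 0)
        return 2;

    /* A response one byte over the limit is refused before formatting. */
    char big[RESP_MAX + 2];
    memset(big, 'A', RESP_MAX + 1);
    big[RESP_MAX + 1] = '\0';
    if (build_query_safe(query, sizeof query, 1234, ch, big, 1u, 1) != -1)
        return 3;

    /* A buffer too small for even a normal query is reported, not overflowed. */
    char small[16];
    if (build_query_safe(small, sizeof small, 1234, ch, resp, 1u, 1) != -1)
        return 4;

    /* The XOR encoding changes the bytes and round-trips. */
    unsigned char enc[65];
    memcpy(enc, query, 65);
    gamespy_xor(enc, 65);
    if (memcmp(enc, query, 65) == 0 || enc[0] != ('\\' ^ 'g'))
        return 5;
    gamespy_xor(enc, 65);
    if (memcmp(enc, query, 65) != 0)
        return 6;
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The memchr() check is the length limit the advisory says game developers
should have added on the string received from the client; it runs before
the formatter, so the response never reaches sprintf()/snprintf() when it
is longer than the 73 bytes a legitimate client produces. Treating a
truncated snprintf() result as a failure matters too: a cut-off query
would be silently sent to the master server otherwise.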


#######################################################################

===========
3) The Code
===========


I have written a proof-of-concept only for the game Gore because its
protocol is simple enough:

http://aluigi.altervista.org/poc/goregsbof.zip

For other games one approach is to use a debugger on the client to
intercept the client string just after it has been generated, replace
it with a bigger one, and then force the game to use the entire big
string, since usually only the normal 73 bytes are used.


#######################################################################

======
4) Fix
======


The bug was fixed on 19 November 2004, so the developers of the
vulnerable games have had plenty of time to check their games and
patch them if needed.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
