#######################################################################

Luigi Auriemma

Application:  DirectPlay8 (bug A) and games that use it (bug B)
Games:        bug A: ANY software that uses DirectPlay8 <= 5.03.2600.2180
                     (the latest DirectX package available at the moment)
              bug B: Robot Arena 2, Dungeon Siege 2, Vietcong, Deer Hunter
                     2004 and 2005, Homeworld 2, Trophy Hunter 2003 and
                     others (for example the testing session of dxdiag
                     and Perimeter)
                     while the games that don't seem vulnerable are:
                     Freelancer, Giants: Citizen Kabuto, Sacrifice, SWINE,
                     Wings of War
Platforms:    Windows
Bugs:         A] silent interruption, freeze and access violation
              B] NULL pointer
Exploitation: remote, versus server
Date:         18 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

DirectPlay8 (DP8) is the current version of the network protocol
implemented in Microsoft DirectX for over 10 years, and it's used in
various games (mainly old games) and small server programs.
#######################################################################

=======
2) Bugs
=======

---------------------------------------------------
A] silent interruption, freeze and access violation
---------------------------------------------------

In reality this is not one bug but at least two problems that can be
mainly classified as:

- silent interruption of the server: in short, the server will no
  longer handle the incoming packets although everything seems to work
  perfectly fine (socket, interface, no error messages and so on).
  This is exploitable through packet 0xc2.

- freeze: like above but the process is frozen, except in some cases
  where the effect is the same as above; exploitable with various
  types of packets like 0xc8.

- crash: access violation in InterlockedDecrement through packet 0xcc.

No additional and deeper testing and/or research has been performed.

The vulnerability is inside DirectPlay8 so ANY game is affected.

---------------
B] NULL pointer
---------------

Some games don't verify the data returned by the DP8 layer when it
calls their callbacks (functions of the game that get called by dpnet),
and so many of these games crash due to a NULL pointer.

Note that the list of games reported in the header of the advisory for
this bug refers only to games currently played; I have not listed games
that no longer have servers online at this moment, or for which I'm not
aware of their status, or that I simply don't know use DP8, or that I
have just not tested.

A good but no longer maintained list of games that use DP8 is
available here:
http://aluigi.org/fakep/dp8games.zip

To verify if a game uses DP8 it's enough to see if the process
dpnsvr.exe is active when the server is started.
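The root cause of bug B is the game-side callback trusting whatever the DP8 layer hands it. The following is an added example, not code from this advisory or from the dplay8fp tool, of what a defensive receive handler looks like: every field is validated before the first dereference. The structure is a constructed stand-in for DPNMSG_RECEIVE so that it builds without the Windows dplay8.h header; the field names pReceiveData and dwReceiveDataSize follow the real structure but the layout and the game message format (1-byte opcode, 4-byte little-endian body length) are assumptions made for this example.

```c
/* Added example: defensive DirectPlay8-style receive callback.
 * The struct below is a constructed stand-in for DPNMSG_RECEIVE
 * (assumption: real layout differs, only the two payload fields matter). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t dwSize;            /* size of this structure */
    uint32_t dpnidSender;       /* id of the sending player */
    void    *pvPlayerContext;   /* per-player context owned by the game */
    uint8_t *pReceiveData;      /* payload handed to the game, may be NULL */
    uint32_t dwReceiveDataSize; /* payload length, may be 0 */
} dpnmsg_receive_t;

/* Assumed game message: 1 byte opcode + 4 byte LE body length + body. */
#define GAME_HDR_LEN 5u

typedef enum {
    GAME_OK = 0,
    GAME_ERR_NULL_DATA,   /* the bug B crash site, now an error code */
    GAME_ERR_TRUNCATED,   /* fewer bytes than a header needs */
    GAME_ERR_BAD_LENGTH   /* header claims more body than was delivered */
} game_status_t;

/* Hardened handler: all checks happen before any byte is read. */
game_status_t on_receive_checked(const dpnmsg_receive_t *msg,
                                 uint8_t *opcode_out, uint32_t *body_len_out)
{
    if (msg == NULL || msg->pReceiveData == NULL)
        return GAME_ERR_NULL_DATA;
    if (msg->dwReceiveDataSize < GAME_HDR_LEN)
        return GAME_ERR_TRUNCATED;

    const uint8_t *p = msg->pReceiveData;
    uint32_t body_len = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                        ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);

    /* the claimed body must fit inside what DP8 actually delivered;
     * no underflow here because dwReceiveDataSize >= GAME_HDR_LEN */
    if (body_len > msg->dwReceiveDataSize - GAME_HDR_LEN)
        return GAME_ERR_BAD_LENGTH;

    *opcode_out = p[0];
    *body_len_out = body_len;
    return GAME_OK;
}

/* Builds a receive message over a constructed buffer (or NULL/empty). */
static dpnmsg_receive_t make_msg(uint8_t *data, uint32_t len)
{
    dpnmsg_receive_t m;
    memset(&m, 0, sizeof m);
    m.dwSize = sizeof m;
    m.dpnidSender = 1;
    m.pReceiveData = data;
    m.dwReceiveDataSize = len;
    return m;
}

/* Returns the handler's verdict for `len` bytes of `data`. */
game_status_t check_payload(uint8_t *data, uint32_t len)
{
    uint8_t op = 0;
    uint32_t blen = 0;
    dpnmsg_receive_t m = make_msg(data, len);
    return on_receive_checked(&m, &op, &blen);
}

int main(void)
{
    /* constructed sample: opcode 0x10, body length 3, body "abc" */
    uint8_t good[]  = { 0x10, 0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c' };
    /* constructed sample: header claims 0x58 body bytes, one delivered */
    uint8_t lying[] = { 0x10, 0x58, 0x00, 0x00, 0x00, 'a' };

    printf("good:  %d\n", check_payload(good, sizeof good));   /* 0 */
    printf("null:  %d\n", check_payload(NULL, 0));             /* 1 */
    printf("lying: %d\n", check_payload(lying, sizeof lying)); /* 3 */
    return 0;
}
```

The point of the example is the order of operations: a callback that reads pReceiveData[0] before checking the pointer and dwReceiveDataSize is exactly the pattern that turns an empty delivery from the DP8 layer into a server crash.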
#######################################################################

===========
3) The Code
===========

bug A:
http://aluigi.org/fakep/dplay8fp.zip

  dplay8fp dplay8blah1 SERVER PORT
  dplay8fp dplay8blah2 SERVER PORT
  dplay8fp dplay8blah3 SERVER PORT

bug B:
http://aluigi.org/fakep/dplay8fp.zip
http://aluigi.org/fakep/dp8games.zip

For testing the bug it's necessary to modify the files and/or the pck4
buffer in dplay8fp.c ("data length"), replacing a particular integer
number (usually 0x58 but it varies, sequence 58 00 00 00) with a 0 (so
00 00 00 00).
If the d8f file for the specific game is not available or doesn't seem
to work it's necessary to collect it first.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################