
Bug 46380

Summary: net-misc/rwbs: 4 security related bugs in Roger Wilco
Product: Gentoo Security
Reporter: Tobias Weisserth <tobias>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED CANTFIX
Severity: normal
CC: vapier
Priority: Highest
Version: unspecified
Hardware: All
OS: All
URL: http://aluigi.altervista.org/adv/wilco-again-adv.txt
Whiteboard:
Package list:
Runtime testing required: ---

Description Tobias Weisserth 2004-03-31 11:03:59 UTC
See the advisory:

http://aluigi.altervista.org/adv/wilco-again-adv.txt

extract:

Application:  RogerWilco
              http://rogerwilco.gamespy.com
Versions:     - RogerWilco              <= 1.4.1.6
              - RogerWilco Base Station <= 0.30a
Platforms:    Windows, MacOS, Linux and FreeBSD
Bugs:         A] Crash with malformed UDP packet
              B] "Voices from the deep" bug
              C] Privacy problems
              D] Annoying attacks
Risk:         (not needed)
Exploitation: remote, versus server and client (channel broadcast)
Date:         31 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

===============
2) Bugs summary
===============


----------------------------------
A] Crash with malformed UDP packet
----------------------------------

A specially crafted UDP packet (big and with some big values in it) sent
to the UDP audio port of RogerWilco will immediately crash the server
or the client.


-----------------------------
B] "Voices from the deep" bug
-----------------------------

It is possible for anyone to talk into a channel without being in it, by
simply sending the audio stream directly to the server or to a specific
client inside the same channel.
The audio stream will be transmitted to anyone in the channel or also
only to a specific user or group of users.
Only transmission is possible, not reception.


-------------------
C] Privacy problems
-------------------

Both client and server report a lot of information, the server for
example shows all the IP addresses and port used by clients and clients
show the server IP to which they are connected.


-------------------
D] Annoying attacks
-------------------

The dedicated server shows the message "nothing read from recv" when
someone connects to its port 18009 and disconnects without sending
data.
Making a lot of empty connections the server's administrator will be
flooded by these messages.

The GUI application refreshes its entire window when a user enters,
exits or changes his nickname. If someone changes his nickname
an infinite number of times all the users in the same channel will have some bad
effects as the impossibility to take the control of their application.

regards,
Tobias
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 11:08:24 UTC
Mike -- you're the last person that touched net-misc/rwbs (12/2002).  Can you review/comment/patch if needed?  

Only keywords in the ebuild are x86, so no other arches are affected/need to be consulted as part of this bug.
Comment 2 SpanKY gentoo-dev 2004-03-31 22:36:25 UTC
from the gamespy website:
Version 0.27 is our latest release for the Base Station for Linux and FreeBSD. Version 0.30a is the latest release for Windows and reports to the GameSpy Master Servers.

in other words, they haven't released a fix yet ... was this even sent to them ?
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 23:04:07 UTC
emailing the author of the vuln. notice to find out.
Comment 4 Kurt Lieber (RETIRED) gentoo-dev 2004-04-01 01:18:31 UTC
The original author (aluigi@altervista.org) did not bother to inform gamespy about this problem.  He indicated he didn't feel it was worth the time since (in his opinion) they never responded to problem/bug reports anyway.

I have sent an email to rogerwilco@gamespy.com (the only contact address I could find on their web site) and am awaiting a response.

The only semi-serious issue in this particular report is the crashing bug which, at worst, leads to a DoS on the program itself.  So, pending a response from gamespy, am downgrading to normal.
Comment 5 Kurt Lieber (RETIRED) gentoo-dev 2004-05-13 09:24:55 UTC
I received a response from Gamespy:

"Hi Kurt,

I sincerely apologize for this late response to your issue.

I have forwarded your email to our programmers for comment."

on April 23rd.  So far, no response from the programmers.  At worst, this program allows itself to be crashed.  It doesn't appear to affect any other parts of the operating system or other programs.  It doesn't appear to allow overwriting of files or arbitrary code execution.  Basically, it doesn't seem like a big deal.

Marking as cantfix for now.  No patch from the vendor == can't fix.  Because it's not a big risk, I don't think we need to security mask it, either.