See the advisory: http://aluigi.altervista.org/adv/wilco-again-adv.txt

extract:

Application:  RogerWilco
              http://rogerwilco.gamespy.com
Versions:     - RogerWilco <= 1.4.1.6
              - RogerWilco Base Station <= 0.30a
Platforms:    Windows, MacOS, Linux and FreeBSD
Bugs:         A] Crash with malformed UDP packet
              B] "Voices from the deep" bug
              C] Privacy problems
              D] Annoying attacks
Risk:         (not needed)
Exploitation: remote, versus server and client (channel broadcast)
Date:         31 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

===============
2) Bugs summary
===============

----------------------------------
A] Crash with malformed UDP packet
----------------------------------

A specially crafted UDP packet (big and with some big values in it) sent to the UDP audio port of RogerWilco will immediately crash the server or the client.

-----------------------------
B] "Voices from the deep" bug
-----------------------------

It is possible for anyone to talk into a channel without being in it, simply by sending the audio stream directly to the server or to a specific client inside the same channel. The audio stream will be transmitted to anyone in the channel or also only to a specific user or group of users. Only transmission is possible, not reception.

-------------------
C] Privacy problems
-------------------

Both client and server report a lot of information; the server, for example, shows all the IP addresses and ports used by clients, and clients show the server IP to which they are connected.

-------------------
D] Annoying attacks
-------------------

The dedicated server shows the message "nothing read from recv" when someone connects to its port 18009 and disconnects without sending data. By making a lot of empty connections, the server's administrator will be flooded by these messages.

The GUI application refreshes its entire window when a user enters, exits or changes his nickname. If someone changes his nickname an infinite number of times, all the users in the same channel will have some bad effects, such as the impossibility of taking control of their application.

regards,
Tobias
Mike -- you're the last person that touched net-misc/rwbs (12/2002). Can you review/comment/patch if needed? Only keywords in the ebuild are x86, so no other arches are affected/need to be consulted as part of this bug.
From the gamespy website: "Version 0.27 is our latest release for the Base Station for Linux and FreeBSD. Version 0.30a is the latest release for Windows and reports to the GameSpy Master Servers." In other words, they haven't released a fix yet ... was this even sent to them?
Emailing the author of the vuln. notice to find out.
The original author (aluigi@altervista.org) did not bother to inform gamespy about this problem. He indicated he didn't feel it was worth the time since (in his opinion) they never responded to problem/bug reports anyway. I have sent an email to rogerwilco@gamespy.com (the only contact address I could find on their web site) and am awaiting a response. The only semi-serious issue in this particular report is the crashing bug which, at worst, leads to a DoS on the program itself. So, pending a response from gamespy, am downgrading to normal.
I received a response from Gamespy: "Hi Kurt, I sincerely apologize for this late response to your issue. I have forwarded your email to our programmers for comment." on April 23rd. So far, no response from the programmers. At worst, this program allows itself to be crashed. It doesn't appear to affect any other parts of the operating system or other programs. It doesn't appear to allow overwriting of files or arbitrary code execution. Basically, it doesn't seem like a big deal. Marking as cantfix for now. No patch from the vendor == can't fix. Because it's not a big risk, I don't think we need to security mask it, either.