Bugtraq mailing list archives
SECOBJADV-2008-03.2: PartyGaming PartyPoker Malicious Update Vulnerability
From: Security Objectives Corporation <advisories () security-objectives com>
Date: Sun, 24 Aug 2008 21:22:23 -0700 (PDT)
====================================================================== = Security Objectives Advisory (SECOBJADV-2008-03.2) = ====================================================================== PartyGaming PartyPoker Malicious Update Vulnerability http://www.security-objectives.com/advisories/SECOBJADV-2008-03.txt AFFECTED: Client software versions are irrelevant because of server changes. See ANALYSIS section below for details. PLATFORM: Intel / Windows CLASSIFICATION: Origin Validation Error (CWE-346) RESEARCHER: Derek Callaway IMPACT: Client-side code execution SEVERITY: Medium DIFFICULTY: Moderate REFERENCES: CVE-2008-3324 BACKGROUND PartyPoker.com (www.PartyPoker.com) is the world's largest online poker brandin terms of number of players and revenues. You'll find a great variety of poker games and tournaments, plus blackjack.
SUMMARY The PartyGaming PartyPoker client program can be forced into downloading amalicious update. This is a result of the PartyPoker client not properly confirming the authenticity of the network update server or the executable update files themselves. When downloading an update, first the client program resolves the DNS address of the update host. Next, it establishes a TCP connection on port 80 of the previously resolved IP address. Then, it sends an HTTP request for an EXE file under the web server's Downloads directory. Upon receiving the HTTP response, the requested portable executable is written to disk and executed.
ANALYSISTo successfully exploit this vulnerability an attacker must be able to somehow position themself such that they can impersonate the update server.
This can be accomplished through DNS cache poisoning, ARP redirection,TCP hijacking, impersonation of a Wi-Fi Access Point, etc. The attacker also would have configured a rogue web server to push out update code of their choosing.
Before PartyPoker downloads the update it communicates with another PartyGaming server in the 88.81.154.0/24 subnetwork via SSL to determine if a new client update is available; if so, a HTTP GET request is sent to www1.partypoker.com for an EXE file in the /Downloads/en/vcc directory and is stored on the local filesystem under C:\Programs\PartyGaming\tmpUpgrade and executed. Afterwards, the user may login and operate the PartyPoker client as usual.
Since the update itself is downloaded from a seperate server, the client can contact the legitimate PartyGaming server during exploitation to determine if an update is available as normal. The attacker only needs to masquerade as www1.partypoker.com.
The server-side modification that has been implemented by PartyGaming causes the first SSL connection to communicate an HTTPS URL for www1.partypoker.com so that the update itself is downloaded over SSL as well. WORKAROUND None VENDOR RESPONSEThe vendor was contacted initially and fully aware of the vulnerability. However, after unsuccessfully attempting to reestablish dialogue multiple times with limited responsiveness over a period of several months, Security Objectives proceeded with the advisory.
After the initial advisory was released, PartyGaming contacted Security Objectives and added support for HTTPS/SSL to the second update server.
DISCLOSURE TIMELINE 20-Feb-2008 Discovery of Vulnerability 22-Feb-2008 Developed Proof-of-Concept 25-Feb-2008 Reported to Vendor 14-Aug-2008 Published Advisory 14-Aug-2008 Vendor Modified Server to Utilize HTTPS/SSL 18-Aug-2008 Coordinated Second Version of Advisory with Vendor 25-Aug-2008 Released New Advisory ABOUT SECURITY OBJECTIVES Security Objectives is a security centric consultancy and software developmentcorporation which operates in the area of application assurance software. Security Objectives employs methods that are centered on software comprehension, therefore a more in-depth contextual understanding of the application is developed.
http://security-objectives.com/ LEGAL Permission is granted for electronic distribution of this advisory. It may not be edited without the written consent of Security Objectives.The information contained in this advisory is believed to be accurate based on currently available information and is provided "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the information is with you.
Current thread:
- SECOBJADV-2008-03.2: PartyGaming PartyPoker Malicious Update Vulnerability Security Objectives Corporation (Aug 25)