Tuesday, April 16, 2013

DAoC vulnerability update

So I got an email back from the janitor at Mythic regarding my vulnerability report:

Hello Karl,

Thank you for contacting Dark Age of Camelot Support.

With regard to your appeal, Ticket#: [XXXXX], we cannot field feedback or suggestions regarding how the game may be altered or improved. However, your opinions and thoughts are always valued!

To appropriately submit your suggestions and feedback regarding game content, mechanics, or design, please go to http://darkageofcamelot.com/contact. On this page, you will find a form which will allow you to submit your suggestions and opinions directly to our development team.

This email address is only for issues of a billing or technical nature, and not issues related to feedback or concerns regarding elements of the game.

Thank you for playing Dark Age of Camelot!
XXXX

Oh boy... what can I say... FAIL!


Monday, April 15, 2013

Hacking the central heating

The central heating I have installed in my home (Integra Zero F29e) doesn't have any network functionality or any other way to interface with a computer. It is controlled by a two-wire thermostat, and the thermostat is powered from the same two wires it uses to communicate with the central unit.


As I was interested in a computer interface, I set out to investigate what my options were. After some googling around, I got up to speed on the types of interfaces that exist for these kinds of devices. There seem to be two major ones: Ebus and OpenTherm. Both have been dissected by hobbyists, so devices and schematics are available to build an interface.

When I started this endeavour, I only had a multimeter available. Measuring the two wires gave a voltage of around 20-24 V, which led me to believe it was an Ebus interface. So I put something together to convert the data on the bus to TTL levels, since Ebus is just 2400 bps asynchronous serial communication (8N1) on top of a two-level bus voltage. However, it didn't quite work out.

While researching all this, I figured an oscilloscope would come in handy, and since digital oscilloscopes are pretty cheap these days, I went ahead and ordered a Rigol DS1052e. Once I had the scope, it quickly became apparent that this system wasn't Ebus based.

As I was already on a shopping spree, I also got myself an Open Workbench Logic Sniffer and some Arduinos.



I figured it would be simpler to bypass the bus-driving circuit, so I had a look at the PCB of the central unit. The PCB is quite simple: it's nothing more than a couple of relays controlled by a microcontroller, in this case an ST62T25.

Here the scope came in handy to probe the pins of the MCU, which helped me figure out which pins were used for the transmission and reception of data. With that knowledge, I could hook the logic sniffer up to those pins and get a dump of the data transmission. Here's how it looked:



For anyone with the same device, the MCU's data lines are accessible from the top side of the PCB at points J1 (green wire) and J10 (white wire); the black wire is just a ground point.
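Whatever the protocol on those pins turns out to be, the first thing to try against a logic-analyzer dump is usually an asynchronous-serial (UART) framing at a few candidate bit rates: the right rate gives clean frames, the wrong one gives framing errors. The following Python is an added example, not code from this post or from the Ebus or OpenTherm projects. It assumes 8N1 framing, idle-high, LSB first; the 200 kHz sample rate and the captured byte values are constructed in the code itself, since the real dump from the J1/J10 taps is not reproduced here.

```python
"""Added example: test an asynchronous-serial (8N1) hypothesis against a
logic-analyzer capture. The capture below is constructed in code; a device
that speaks something else would show framing errors at every candidate rate."""


def encode_uart(data: bytes, sample_rate: int, baud: int, idle_bits: int = 2) -> list:
    """Constructed test input: render bytes as 8N1 (idle high, LSB first) 0/1 samples."""
    spb = sample_rate / baud                      # samples per bit
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> b) & 1 for b in range(8)] + [1]   # start, data, stop
    bits += [1] * idle_bits
    total = int(len(bits) * spb)
    return [bits[min(int(t / spb), len(bits) - 1)] for t in range(total)]


def decode_uart(samples, sample_rate: int, baud: int, data_bits: int = 8):
    """Decode 8N1 frames by sampling each bit at its centre.

    Returns (decoded bytes, framing errors). A framing error is a frame whose
    stop bit is not high: the usual symptom of a wrong bit rate or polarity."""
    spb = sample_rate / baud
    frames, errors = bytearray(), 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:                       # idle (high): scan for a falling edge
            i += 1
            continue
        centre = i + spb / 2                      # middle of the candidate start bit
        stop = round(centre + (data_bits + 1) * spb)
        if stop >= n:
            break                                 # not enough capture left for a frame
        if samples[round(centre)] == 1:           # glitch shorter than half a bit
            i += 1
            continue
        value = 0
        for b in range(data_bits):                # LSB first
            value |= samples[round(centre + (b + 1) * spb)] << b
        if samples[stop] == 1:
            frames.append(value)
        else:
            errors += 1
        i = stop + 1                              # resume scanning after the stop bit
    return bytes(frames), errors


def guess_baud(samples, sample_rate: int,
               candidates=(1200, 2400, 4800, 9600, 19200)) -> int:
    """Prefer a rate with no framing errors, then the one yielding the most frames."""
    def score(baud):
        frames, errors = decode_uart(samples, sample_rate, baud)
        return (errors == 0, len(frames))
    return max(candidates, key=score)


if __name__ == "__main__":
    SAMPLE_RATE = 200_000                         # assumed logic-analyzer rate
    capture = encode_uart(b"\xaa\x55\x31\x00", SAMPLE_RATE, 2400)   # constructed
    print("best rate:", guess_baud(capture, SAMPLE_RATE))
    for rate in (2400, 9600):
        print(rate, decode_uart(capture, SAMPLE_RATE, rate))
```

The byte 0x00 in the constructed capture is deliberate: nine consecutive low bits make a wrong rate fall over immediately, because the decoder's stop-bit sample lands inside the low run. A real capture should contain similar long runs before you trust a rate that happens to decode a few short frames cleanly.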



With the logic dump available, my next step was to try and decode it, which I'll explain in another post.


Saturday, April 13, 2013

Blast from the past

Since I've been talking about game security in the last couple of posts, I figured I'd revisit an old target I once investigated.

Many, many moons ago I blogged about getting Dark Age of Camelot to run in Wine. While reversing that game, I also had a look at how the actual game connection works, because that's something that always interests me, i.e. the security aspect of it. In this case there was an extra reason to have a look, since early on in the game's life a security issue was found and reported to them:

CVE-2004-1855
Dark Age of Camelot before 1.68 live patch does not sign the RSA public key, which could allow remote malicious servers to gain sensitive information via a man-in-the-middle attack.
A more detailed description is available at:
http://capnbry.net/daoc/advisory20031211/daoc-billinginfo-exploit.html

So fast forward ten years; you'd think it would be pretty secure by now. Unfortunately, it appears it's still flawed. Even after all these years, the game is still susceptible to a man-in-the-middle attack: it's perfectly possible to intercept or proxy a connection from the game without needing any details or account info from the player.

So how does the game connection work?

The communication is rather straightforward. Only one connection is maintained between the client and the server, and the game supports both UDP and TCP for its game session. This probably stems from the old days when most players used a dial-up connection, where you don't want TCP retransmissions to cause issues.

Most of the game packets are known. A server emulator has been around for quite some time now, and since it's open source, anyone can have a glimpse at how it all works.

The connection is encrypted with RC4. A random session key is generated and exchanged under RSA encryption. The generation of the RC4 key could also be improved: the way it is currently done makes it extremely easy to intercept using some virtualization techniques, with the effect that one can get the game to generate the key you want without patching the game client at all, which is IMHO not a good thing.
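To make concrete why an RSA-wrapped RC4 key buys nothing when the server's public key is not authenticated (the weakness CVE-2004-1855 describes), here is a toy model of such an exchange in Python. It is an added example, not the game's code or protocol: the message layout, function names and key choices are assumptions, and the RSA is textbook (fixed Mersenne primes, no padding), which is insecure and only serves to show the message flow. The second half shows the fix the CVE text implies, a pinned authority key whose signature over the server key the client verifies before wrapping anything.

```python
"""Toy model of an RSA-wrapped RC4 session-key exchange, the MITM that an
unsigned server key permits, and the fix (sign the server key). Added example;
not the game's protocol. Textbook RSA with no padding: insecure, demo only."""
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) then the PRGA keystream XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


E = 65537


def rsa_keypair(p: int, q: int):
    """Toy RSA from two fixed primes (assumed values, chosen so 65537 is coprime to phi)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)                          # (public, private)


def rsa_encrypt(pub, m: bytes) -> int:
    n, e = pub
    return pow(int.from_bytes(m, "big"), e, n)     # no padding: demo only


def rsa_decrypt(priv, c: int, length: int = 16) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


# Mersenne primes keep the moduli above 2**128 so a 16-byte key fits without splitting.
SERVER_PUB, SERVER_PRIV = rsa_keypair((1 << 127) - 1, (1 << 89) - 1)
ATTACKER_PUB, ATTACKER_PRIV = rsa_keypair((1 << 107) - 1, (1 << 61) - 1)
AUTHORITY_PUB, AUTHORITY_PRIV = rsa_keypair((1 << 127) - 1, (1 << 107) - 1)  # pinned in client


def client_handshake(server_pub, rng=os.urandom):
    """Vulnerable client: wraps a fresh RC4 key for whatever public key it was handed."""
    session_key = rng(16)
    return session_key, rsa_encrypt(server_pub, session_key)


def mitm_exchange(plaintext: bytes):
    """Attacker between client and server swaps in its own public key."""
    # 1. Nothing authenticates the key, so the client wraps for ATTACKER_PUB.
    key_client, wrapped = client_handshake(ATTACKER_PUB)
    # 2. Attacker unwraps the session key and re-wraps it for the real server.
    key_attacker = rsa_decrypt(ATTACKER_PRIV, wrapped)
    key_server = rsa_decrypt(SERVER_PRIV, rsa_encrypt(SERVER_PUB, key_attacker))
    # 3. Client and server now share a key the attacker also holds; traffic is readable.
    ciphertext = rc4(key_client, plaintext)
    return rc4(key_attacker, ciphertext), key_server == key_client


def _pubkey_digest(pub) -> int:
    n, e = pub
    digest = hashlib.sha256(n.to_bytes(32, "big") + e.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:20], "big")      # 160 bits: below every toy modulus


def sign_pubkey(auth_priv, pub) -> int:
    n, d = auth_priv
    return pow(_pubkey_digest(pub), d, n)


def verify_pubkey(auth_pub, pub, sig: int) -> bool:
    """The fix: accept a server key only if the pinned authority signed it."""
    n, e = auth_pub
    return pow(sig, e, n) == _pubkey_digest(pub)


if __name__ == "__main__":
    recovered, shared = mitm_exchange(b"billing info")
    print("attacker read:", recovered, "| client and server share key:", shared)
    sig = sign_pubkey(AUTHORITY_PRIV, SERVER_PUB)
    print("server key verifies:", verify_pubkey(AUTHORITY_PUB, SERVER_PUB, sig))
    print("attacker key verifies:", verify_pubkey(AUTHORITY_PUB, ATTACKER_PUB, sig))
```

Note what the signature does and does not fix: with a verified server key the attacker can no longer learn the RC4 key from the handshake, but a weak or predictable session-key generator on the client side (the second complaint above) would still hand over the key without any interception of the exchange.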

But worse is the fact that none of this matters, due to another vulnerability. Before explaining that one, I'll see if there's still anyone in charge of the game code (most players of the game seem to think the janitor is the only guy left in the building, so we'll see how it goes).

Anyway, let's hope the old Mythic gang @ City State Entertainment will have a better security track record if their Kickstarter project, Camelot Unchained, funds!


Fixed!

So I was finally contacted by ArenaNet regarding the issue I mentioned. It seems my original mail about the issue I posted on was unfortunately lost in cyberspace, so they never read my report.

Anyway, I must say I was pleasantly surprised by the way they handled it. Respect!

Thursday, April 11, 2013

Fixed?!

"We've updated the game for routine maintenance only. No content changes were included. ~RB2"
-- https://twitter.com/GuildWars2/status/322082110334697472

It seems the GwSrv and AuthSrv libraries aren't on the CDN any more. I wonder if they finally fixed their leak?! Sad that mailing them didn't work, but posting about it got the job done... The old files, however, are still present.