Greetings Mortals!
Hope you are all well this festive season ;)
I decided to audit some "publicly" available backpage releases for security issues and was surprised by how many public servers were actually running these epically flawed packages. I'd like to disclose this now before I start: I WILL NOT BE RELEASING ANY INFORMATION ABOUT THE SECURITY ISSUES OR DATA RETRIEVED EXCEPT TO THOSE WHO RUN EACH INDIVIDUAL SERVER. In case the bold red words still didn't get it across to you, leave now, or I will hurt you.
Icon8
Let's start with the Icon8 project, which, judging from some open web audits, around 75% of private servers are running or based on, including LightOrbit, SkyUniverse and other big-name servers.
Icon8 not only suffers from massive amounts of SQL injection holes, but also does nothing to defend against them. Along with that there are numerous issues with the configuration it comes with, and the actual GameServer itself is flawed in that you can actually SQL inject the GAME SERVER itself for information (a second-order attack). Need proof? Like I said, I'm not disclosing any private information here, nor am I going to show you how to do it, but I will point out some things so you can fix it if you wish to do so.
Let's start with the way Icon8 handles SQL injection prevention. Some extracts from its source code show two methods of sanitization: `GetSQLValueString` and `addslashes`. Both are extremely easy to bypass with a bug in character encoding. magic_quotes_gpc is not meant for SQL sanitization either and is just as easy to bypass. This is the only protection used to sanitize EVERYTHING that comes from the user, and it is poor. It gets worse, as there are numerous places where there is no protection at all! Take a look here:
externalSignup.php: Lines 6-12
PHP Code:
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
    // The raw POST value is concatenated straight into the query: no escaping at all
    $loginUsername = $_POST['signup_username'];
    $LoginRS__query = "SELECT usuario FROM cuentas WHERE usuario='" . $loginUsername . "'";
    mysql_select_db($database_DO, $DO);
    // Any query error is echoed back to the visitor by mysql_error()
    $LoginRS=mysql_query($LoginRS__query, $DO) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
A simple error-based MySQL injection could easily exploit this due to two things. First, they use a POST parameter directly in a query, and second, they `or die` the query, meaning that any error in the query will be printed in plain view for everyone when they try to sign up.
Then you have time-based SQL injection in SkyUniverse's "buy.php" script.
For those of you who don't believe it or need more motivation to actually fix it... here is some table schema I dumped from SkyUniverse (Sorry Requi for using you as an example):
Code:
8 tables -
+------------+
| accounts   |
| clans      |
| maps       |
| ranks      |
| servers    |
| settings   |
| ships      |
| useronline |
+------------+
accounts.csv -
id,uridium,ep,pi,hp,gfx,pos,sex,age,lvl,rank,ship,maps,mun2,city,mun1,clan,speed,cargo,hpMax,files,slot4,title,honor,shield,drones,skylab,lastIP,petlvl,config,petname,jackpot,premium,credits,configs,fraction,cargoMax,password,username,interests,bootykeys,shieldMax,inventario,cario,createdate,teihfactory,jump_voucher,ultimaConexion,repair_voucher,status_message
Like I said, I managed to dump almost 50% of their database (it glitched out after their DB died), but those details won't be published here.
More details on other backpage packages will be added here when I get the time to look over them.
Fixing this is reasonably easy, to be honest. I'm not gonna teach you how to do decent sanitization of EVERYTHING, but I will show you how to do MySQL sanitization to stop 99.99% of all SQL injections (the rest are unknown 0days :P). For starters, in Icon8, wherever you use a variable in a query, escape it with the official escaping function, not some makeshift mishmash of other PHP functions. `mysql_real_escape_string` is there for a reason! An example of how to fix the above injection?
PHP Code:
$MM_flag="MM_insert";
if (isset($_POST[$MM_flag])) {
    // Escape through the MySQL client library, on the same link ($DO) the query runs on,
    // so the escaping matches the connection's character set
    $loginUsername = mysql_real_escape_string($_POST['signup_username'], $DO);
    $LoginRS__query = "SELECT usuario FROM cuentas WHERE usuario='" . $loginUsername . "'";
    mysql_select_db($database_DO, $DO);
    // '@' keeps the driver's error message off the page instead of printing mysql_error()
    $LoginRS=@mysql_query($LoginRS__query, $DO);
    if ($LoginRS === false) {
        error_log(mysql_error($DO)); // details stay in the server log
        die('Signup is temporarily unavailable.');
    }
    $loginFoundUser = mysql_num_rows($LoginRS);
This prevents error messages from giving away information on your queries AND protects against any SQL injection in the 'signup_username' parameter. I also suggest replacing every single one of these:
PHP Code:
(get_magic_quotes_gpc()) ? $_SESSION['MM_Username'] : addslashes($_SESSION['MM_Username'])
with this:
PHP Code:
mysql_real_escape_string($_SESSION['MM_Username'])
(Obviously don't just do it for $_SESSION['MM_Username'] but do it anywhere you see get_magic_quotes_gpc and addslashes).
You can also replace every single GetSQLValueString with mysql_real_escape_string.
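As an added example (not Icon8 code, and not the fix given above), here is the same signup username check written with PDO prepared statements, which keep user input out of the SQL text entirely instead of escaping it. It uses an in-memory SQLite table named cuentas with constructed rows so it runs offline; the handler name, the column set and the sample usernames are assumptions, and on a real server the DSN would point at MySQL.

```php
<?php
// Added example (not Icon8 code): the externalSignup.php username check rewritten so
// that user input is bound as a parameter and never becomes part of the SQL string.
// Uses PDO with an in-memory SQLite database (constructed sample data) so it runs
// offline; on the real server the DSN would be mysql:host=...;dbname=...;charset=utf8mb4
// and the functions below stay the same.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema mirroring the 'cuentas' table queried by externalSignup.php
    $db->exec("CREATE TABLE cuentas (usuario TEXT PRIMARY KEY, password TEXT)");
    $db->exec("INSERT INTO cuentas (usuario, password) VALUES ('alice', 'x'), ('bob', 'y')");
    return $db;
}

// True when the username is already taken. Quotes and backslashes in the
// username are plain data because the value is bound, not concatenated.
function usernameTaken(PDO $db, string $username): bool {
    $stmt = $db->prepare("SELECT COUNT(*) FROM cuentas WHERE usuario = :u");
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Signup handler mirroring the original's structure (MM_insert flag, signup_username)
// but never echoing database errors to the visitor. $post stands in for $_POST.
function handleSignup(PDO $db, array $post): string {
    if (!isset($post['MM_insert'])) {
        return 'no-op';
    }
    $username = (string) ($post['signup_username'] ?? '');
    if ($username === '' || strlen($username) > 32) {
        return 'invalid username';
    }
    try {
        if (usernameTaken($db, $username)) {
            return 'username taken';
        }
        $ins = $db->prepare("INSERT INTO cuentas (usuario, password) VALUES (:u, :p)");
        $ins->execute([':u' => $username, ':p' => 'placeholder']);
        return 'created';
    } catch (PDOException $e) {
        // The driver's message goes to the server log; the user sees a generic reply
        error_log('signup failed: ' . $e->getMessage());
        return 'error';
    }
}

// Demonstration with constructed input, including usernames containing a quote
// and a backslash, the characters the old addslashes() code was trying to handle.
$db = connect();
foreach (["carol", "alice", "o'brien", "back\\slash"] as $name) {
    printf("%-12s -> %s\n", $name, handleSignup($db, ['MM_insert' => 1, 'signup_username' => $name]));
}
printf("o'brien now taken: %s\n", var_export(usernameTaken($db, "o'brien"), true));
```

If you stay on the old mysql_* API rather than moving to PDO, call mysql_set_charset() on the link and pass that link as the second argument to mysql_real_escape_string(), so the escaping uses the connection's character set and the encoding problem mentioned above does not come back.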
I suggest you change your password for any account where the password is the same as one you have used on any private server; you don't know who has access to it... and the fact that Icon8 uses unsalted MD5 hashes for passwords simply adds to the security issues.
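As an added example (not Icon8 code), here is how the unsalted MD5 storage just mentioned can be replaced with PHP's password_hash()/password_verify(), plus a login path that upgrades an existing MD5 value in place the next time the user logs in successfully. The function names, the detection of a legacy hash by its 32-hex-character shape and the sample password are assumptions.

```php
<?php
// Added example (not Icon8 code): replacing unsalted MD5 password storage with
// password_hash()/password_verify(), which salt every hash and use a slow algorithm.

// What the post describes Icon8 storing: md5($password) with no salt, so identical
// passwords give identical hashes. Kept here only to produce a legacy value to migrate.
function legacyHash(string $password): string {
    return md5($password);
}

// Hardened: each call produces a different hash because the random salt is
// embedded in the output, so nothing extra has to be stored alongside it.
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Migration path for an existing accounts table: a stored value that is 32 hex
// characters is treated as a legacy MD5 hash (assumption), verified the old way once,
// then replaced on successful login. $updateHash is a caller-supplied callback that
// writes the new hash back to the database (hypothetical; here it just captures it).
function loginAndUpgrade(string $password, string $storedHash, callable $updateHash): bool {
    if (preg_match('/^[0-9a-f]{32}$/', $storedHash)) {
        if (!hash_equals($storedHash, md5($password))) {
            return false;
        }
        $updateHash(hashPassword($password));
        return true;
    }
    if (!checkPassword($password, $storedHash)) {
        return false;
    }
    // Re-hash if PHP's default cost or algorithm has moved on since the hash was made
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $updateHash(hashPassword($password));
    }
    return true;
}

// Demonstration with constructed data.
$stored = legacyHash('hunter2');   // the kind of value sitting in the accounts table today
$upgraded = null;
$ok = loginAndUpgrade('hunter2', $stored, function (string $new) use (&$upgraded) {
    $upgraded = $new;
});
printf("legacy login ok: %s, new hash stored: %s\n",
    var_export($ok, true), var_export($upgraded !== null, true));
printf("login against upgraded hash: %s\n", var_export(checkPassword('hunter2', $upgraded), true));
printf("wrong password rejected: %s\n", var_export(!checkPassword('hunter3', $upgraded), true));
printf("two hashes of one password differ: %s\n",
    var_export(hashPassword('hunter2') !== hashPassword('hunter2'), true));
```

Because the upgrade only happens when the user presents the correct password, the old MD5 column can be migrated gradually without ever knowing the plaintexts; accounts that never log in again keep their weak hash and are the ones worth forcing a reset on.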
-jD