GamePort is "a very common program in Iran used for Gamenets and Coffenets. GamePort has two parts, a client and a server. Each customer of a Coffenet or Gamenet has an ID and a password, and with this ID and password he can access one of the PCs in the Gamenet or Coffenet.
The user's credits are counted down from the time he logs in to the GamePort system until he logs out. If the user's credits have expired, the computer is restarted and he can log on again after he buys new credits".
The GamePort program has been found to contain multiple vulnerabilities, ranging from bypassing the credit-counting mechanism to recovery of the administrative password stored on the machine.
Credit:
The information has been provided by amoXi & Dr.vaXin.
Vulnerable Systems:
* GamePort version 3.0
* GamePort version 3.1
* GamePort version 4.0
Credit Counting Bypass:
In the ID edit box enter your username, and in the password edit box enter your password followed by the string "^^#LOGOFF#".
For example:
ID : 101
Password : 123^^#LOGOFF#
This logs you on, but the server does not count down your credits.
Reversible Administrative Password:
The server's admin password is stored in the registry in a trivially reversible encoding and can be recovered from the stored value.
The following Visual Basic code decodes the password stored in HKEY_CURRENT_USER\Software\GamePortServer under the value AdminPasswd (versions 3.0 and 3.1), or in HKEY_CURRENT_USER\Control Panel\Accessibility under the value Owner (version 4.0). Each stored character is the plaintext character plus the digit at the same position of a fixed 51-digit key, so decoding subtracts that digit back off:
' Run inside a loop For x = 1 To Len(CodedStr); DeCodedStr accumulates the plaintext
DeCodedStr = DeCodedStr & Chr(Asc(Mid(CodedStr, x, 1)) - CInt(Mid("456725567897566789775236659871125486593412312567841", x, 1)))
Proof of Concept:
A complete Visual Basic source code that decodes the password can be downloaded from: http://www.sharemation.com/devilkins/GPSPDecode.zip
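The decode step quoted above, translated from Visual Basic to Python as an added example (this is not code from the advisory, from the linked download, or from GamePort). It pairs the decoder with the matching encoder, assumed to be its exact inverse, to show that the stored value carries no secret at all: the key is a constant inside the program, so anyone who can read the registry value recovers the password. The second half shows the non-reversible alternative a product should use instead, a salted PBKDF2-HMAC-SHA256 verifier, where nothing stored lets the password be recovered. The sample password "123" is a constructed test value.

```python
"""Added example, not the advisory's or GamePort's code: the reversible
AdminPasswd encoding beside a non-reversible salted-hash password store."""
import hashlib
import hmac
import os

# Fixed key quoted in the advisory: stored char = plaintext char + key digit
# at the same position. It is a program constant, not a secret.
KEY_DIGITS = "456725567897566789775236659871125486593412312567841"


def _shift(text: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) the key digit from each character."""
    if len(text) > len(KEY_DIGITS):
        raise ValueError("value longer than the 51-digit key")
    return "".join(chr(ord(c) + sign * int(KEY_DIGITS[i])) for i, c in enumerate(text))


def decode_gameport(coded: str) -> str:
    """The advisory's VB decode line, character by character."""
    return _shift(coded, -1)


def encode_gameport(plain: str) -> str:
    """Assumed inverse of the decode step (how the value would be written)."""
    return _shift(plain, +1)


# --- what a non-reversible store looks like ---------------------------------

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is persisted; the
    password cannot be recovered from either, only checked against them."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = encode_gameport("123")            # constructed sample password
    print("stored:", stored, "-> decoded:", decode_gameport(stored))
    salt, digest = hash_password("123")
    print("hashed store verifies:", verify_password("123", salt, digest))
```

The defensive point is that with the digit-shift scheme the registry ACL is the only thing standing between a local user and the admin password; with the hashed store, reading the value gains nothing beyond the ability to attempt guesses at the configured work factor.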
Remote Command Execution:
You can cause a remote user, or even an administrator, to execute arbitrary commands without the admin password by issuing a specially crafted message.
Proof of Concept:
1. In the main window of the GamePort server, right-click the icon of the client PC on which you want to launch an application or change its admin password.
2. Choose the item "Send message to user..."
3. In the edit box type "^^#CALL#:application_name.exe" and press Send.
The application_name.exe will be launched on the remote computer without requiring any user intervention.
You can change the admin password by typing "^^#CHANGEPSSWD#:New password" instead of the above message.
Examples:
"^^#CALL#:CMD.exe"
"^^#CHANGEPSSWD#:123"
Denial of Service due to Excessive Amounts of '\':
Using the previous vulnerability, but calling an application named "\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\.exe" or "//////////////////////////////////////////////.exe", causes the attacked client to consume excessive amounts of CPU time.
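All three findings above (the credit-counting bypass, the remote command execution, and the '\' denial of service) share one root cause: control tokens such as "^^#LOGOFF#" and "^^#CALL#:" travel in-band, inside fields the other party fills freely, and the receiver scans those fields for commands. The Python below is an added example, not code from the advisory or from GamePort. The "weak" functions are a hypothetical reconstruction of that pattern built only from the token shapes quoted above, placed beside a hardened design in which credential fields are opaque data, commands are a separate message type authenticated with an HMAC key (assumed to be a per-installation secret), and the application name is checked against an allowlist of bare file names. The key, the allowlist entry "notepad.exe", and all sample values are constructed for the example.

```python
"""Added example, not the advisory's or GamePort's code: in-band control tokens
(hypothetical reconstruction) beside a handler that keeps data and commands apart."""
import hmac
import re

CONTROL_PREFIX = "^^#"
# Token shapes quoted in the advisory: ^^#NAME# or ^^#NAME#:argument
CONTROL_RE = re.compile(r"\^\^#([A-Z]+)#(?::(.*))?")


def weak_split(field_value: str):
    """Weak pattern (assumed, not the real parser): a control token anywhere in
    a user-supplied field is honoured, so "123^^#LOGOFF#" becomes password
    "123" plus the command LOGOFF, which stops the credit countdown."""
    m = CONTROL_RE.search(field_value)
    if not m:
        return field_value, None
    return field_value[: m.start()], (m.group(1), m.group(2))


def weak_client_message(text: str, launched: list) -> str:
    """Weak client side: an operator message is scanned for commands before display."""
    _, cmd = weak_split(text)
    if cmd and cmd[0] == "CALL":
        launched.append(cmd[1])   # would start cmd[1] with no user interaction
        return "launched"
    if cmd and cmd[0] == "CHANGEPSSWD":
        return "password-changed"  # no admin password required
    return "displayed"


# --- hardened design ---------------------------------------------------------

def hardened_credentials(user_id: str, password: str) -> tuple:
    """Credentials are opaque data: never parsed for commands, and the control
    prefix is rejected outright so it can never reach a parser downstream."""
    if CONTROL_PREFIX in user_id or CONTROL_PREFIX in password:
        raise ValueError("control sequence in credential field")
    if not user_id.isdigit() or not 1 <= len(password) <= 64:
        raise ValueError("malformed credentials")
    return user_id, password


ALLOWED_APPS = {"notepad.exe"}  # constructed allowlist of bare file names


def sign_command(action: str, arg: str, key: bytes) -> dict:
    """Legitimate operator path: commands are a distinct, authenticated type."""
    mac = hmac.new(key, (action + "\0" + arg).encode("utf-8"), "sha256").hexdigest()
    return {"type": "command", "action": action, "arg": arg, "mac": mac}


def hardened_client_message(envelope: dict, key: bytes, launched: list) -> str:
    """Free text is only ever displayed; only an authenticated command envelope
    with an allowlisted, path-free application name is acted upon."""
    if envelope.get("type") == "text":
        return "displayed"           # tokens inside the body are just characters
    if envelope.get("type") != "command":
        return "rejected"
    action, arg = envelope.get("action", ""), envelope.get("arg", "")
    expected = hmac.new(key, (action + "\0" + arg).encode("utf-8"), "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        return "rejected"            # unauthenticated command
    if action == "CALL":
        # bare names only: the '\\\\...' and '////...' floods never reach a launcher
        if "\\" in arg or "/" in arg or arg not in ALLOWED_APPS:
            return "rejected"
        launched.append(arg)
        return "launched"
    return "rejected"                # CHANGEPSSWD and anything else are not accepted here


if __name__ == "__main__":
    key = b"constructed-example-key"
    print(weak_split("123^^#LOGOFF#"))
    print(hardened_client_message({"type": "text", "body": "^^#CALL#:x.exe"}, key, []))
    print(hardened_client_message(sign_command("CALL", "notepad.exe", key), key, []))
```

Two things in the hardened half carry the weight: the credential and message bodies are never searched for tokens, so no string a user or a message sender can type turns into a command, and the command path requires a MAC that the message-sending feature cannot produce on its own.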