September 1, 2008

Age of Conan hyperlink exploit vulnerability fixed

As you very well know, Age of Conan's chat system (which the game inherited from Funcom's other MMORPG, Anarchy Online) lets users link items and even post hyperlinks. Those are usually used for guild recruitment, but according to a recent publication from the security firm Independent Security Evaluators (ISE), in-game links could be used for malicious purposes as well. This affects both of Funcom's MMOs because, as I mentioned before, they share the same chat system. Two types of attacks were possible in Age of Conan:

  1. The so-called 'directory traversal vulnerability'. By clicking an in-game hyperlink, the player's character could be forced to 'read' (post in the 'Say' chat) a plain text file located anywhere on his computer, one line at a time - since the game interprets each one of them as a script command. If you have AoC installed in C:\Program Files\Funcom\Age of Conan, for example, a link that would make your character read a file located at C:\mysecretdiary.txt would look something like this: ../../../mysecretdiary.txt. Looks harmless enough, unless you like keeping all your passwords in a text file named passwords.txt on your desktop, or have one full of Age of Conan's emote commands - but even then, the hacker would have to guess the location of it.
  2. The buffer overflow attack. By employing the same tactics, the hacker tricks a player into clicking a hyperlink. The game script parser cannot handle extremely long lines of text, so if the link is pointed to, for example, ageofconan.exe (a huge file), the game client promptly crashes.

Like I mentioned before, AO is also susceptible to this bug; in fact, the exploit could do much more harm there, since it actually allows the hacker to gain access to the victim's computer. This requires the player to click two hyperlinks, the first of which opens an actual website and places a special cookie on his computer, and the second of which executes said cookie by means of the previously mentioned 'directory traversal' bug. It is all demonstrated in a cool video from ISE that you can watch on YouTube below or download a high quality version from the creator's website. The poor guy in this clip gets pwned and his Anarchy Online account details are sent to the hacker.
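
What closing both holes looks like on the client side, as an added example (not Funcom's or ISE's code): a link target is accepted only if it is a plain relative name that cannot climb out of the script directory, and script lines are read into a fixed buffer with an explicit length check. The function names, the 256-byte limit and the sample emote lines are assumptions made up for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_SCRIPT_LINE 256 /* assumed limit, not the game's real value */
/* 1 if name is a plain relative path that stays in the script directory. */
int script_name_is_safe(const char *name)
{
    size_t comp_len = 0; /* length of the current path component */
    if (name == NULL || name[0] == '\0') return 0;
    for (const char *p = name;; p++) {
        char c = *p;
        if (c == '/' || c == '\\' || c == '\0') {
            if (comp_len == 0) return 0; /* leading or doubled separator */
            if (p[-1] == '.') return 0;  /* Windows drops trailing dots */
            if (c == '\0') return 1;
            comp_len = 0;
        } else {
            /* allowlist: rejects ':' (drive letters), spaces, control bytes */
            if (!isalnum((unsigned char)c) && !strchr("_-.", c)) return 0;
            if (comp_len == 0 && c == '.') return 0; /* ".", "..", ".name" */
            comp_len++;
        }
    }
}

/* Copies the next line of [*cur, end) into out. Returns its length,
 * -1 at end of input, -2 if it does not fit; never writes past cap. */
int next_script_line(const char **cur, const char *end, char *out, size_t cap)
{
    const char *start = *cur;
    if (start >= end) return -1;
    const char *nl = memchr(start, '\n', (size_t)(end - start));
    size_t len = nl ? (size_t)(nl - start) : (size_t)(end - start);
    *cur = nl ? nl + 1 : end;  /* always move past the line */
    if (len >= cap) return -2; /* refuse rather than overflow */
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char line[MAX_SCRIPT_LINE];
    const char *cur = "/dance\n/wave\n", *end = cur + strlen(cur); /* constructed */
    while (next_script_line(&cur, end, line, sizeof line) >= 0) puts(line);
    return script_name_is_safe("../../../mysecretdiary.txt"); /* 0: refused */
}
```

The name check is purely lexical, so a real client would also open the file relative to the script directory and keep links from being followed out of it.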

It seems Funcom acted on ISE's warning quickly and released patches fixing the first vulnerability in both AoC and AO. The second vulnerability is apparently still in the game, though; here's what the ISE guys had to say about that:

"We do not believe that the buffer overflow alone currently poses a serious risk to players, but we recommend that Funcom fix it promptly so it cannot be used in any future hybrid attacks. In the meantime, we suggest that players exercise caution when downloading custom game scripts from third parties."

So, the standard stuff - find out what you're clicking before you click... And you should really get Firefox + NoScript as well and set it as your default browser instead of that outdated IE; it makes surfing much more secure.

Anyway, I haven't seen any of those links floating around in AoC. Then again, I don't really pay much attention to guild recruitment links, not to mention actually clicking them. Has anyone seen people posting these, or perhaps even fallen victim to one of those exploits themselves?

1 comment:

Nyhm said...

Very nice article. I reference you from my article on potential chat exploits.
