UPDATE: Funcom has since released several patches. See the updates section below (last update 9/24/08).
A story in the Baltimore Sun about this work is available here. It appears the article is no longer available; however, you can still read about it on the columnist's blog here.
UPDATE: Fox 45 Baltimore covered this work in a Cover Story on approximately 11/5/08 here.
Our victim, before the attack.
Security researchers Dan Caselden and Gabriel Landau at Independent Security Evaluators recently uncovered two security vulnerabilities present in the popular new and entertaining online game, Age of Conan, produced by Funcom. It was then determined that the game's equally engrossing predecessor, Anarchy Online, contains the same two vulnerabilities. These vulnerabilities allow an attacker to read arbitrary files off of a victim's computer, crash the games during online play, and, in the case of Anarchy Online, fully compromise a victim's machine, giving the attacker full control of the targeted computer.
The directory traversal vulnerability found in both Age of Conan and Anarchy Online allows the reading of arbitrary files off of a victim's computer. Specifically, ASCII-based files (and even then only the first few lines) are readable by way of this vulnerability. While this is not an end-all method for stealing files from another computer, it provides a dangerous and unnecessary avenue for obtaining personal or financial information through well-crafted and easily executed attacks.
The obviously more severe vulnerability in Anarchy Online allows an attacker to fully control the victim's computer. This can lead to loss of personal information, passwords, account information, and could result in the victim's computer being further used in attacks against other computers. In our demonstration, the victim's user name and password for Anarchy Online are sent to the attacker, allowing them full access to the victim's account. Characters, items, gold and even full accounts are frequently sold online for real money, making these sorts of attacks through online games directly profitable for attackers.
This is not ISE's first demonstration of how online games can be exploited for profit. See Charlie Miller's work with Second Life.
How the Exploit Works
The directory traversal and arbitrary file reading exploit is carried out by creating a hyperlink during online game play which, when clicked by a victim, causes that victim to "speak" the contents of a file, making it available to any players within a short virtual distance of the victim.
The full compromise of a victim playing Anarchy Online is a two-step process. First, the victim clicks an in-game link that opens up a web browser to the attacker's web page containing seemingly innocuous content. The web page silently writes a cookie to the victim's computer containing the actual attack payload. The victim then clicks on a second in-game link that executes the downloaded cookie as a game script. This cookie has been specially crafted to overflow a buffer in Anarchy Online's script processing engine and overwrite the stack with the attacker's own executable code.
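The two checks whose absence the paragraphs above describe, sketched as an added example (this is not Funcom's code and not part of ISE's original write-up). It assumes a client that takes a script name from an in-game link and reads the file line by line; the function names and the idea of a dedicated scripts directory are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical check for a script name taken from an in-game link.
 * Returns 1 only for a plain relative path that cannot leave the scripts
 * directory, 0 otherwise. Lexical only: symlinks are not resolved. */
int script_name_is_safe(const char *name)
{
    size_t i = 0;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')   /* absolute or UNC path */
        return 0;
    if (strchr(name, ':') != NULL)           /* drive letter or stream */
        return 0;

    /* Walk components split on either separator; reject ".", "..", empty. */
    while (name[i] != '\0') {
        size_t start = i;
        while (name[i] != '\0' && name[i] != '/' && name[i] != '\\')
            i++;
        size_t len = i - start;
        if (len == 0)
            return 0;
        if (name[start] == '.' && (len == 1 || (len == 2 && name[start + 1] == '.')))
            return 0;
        if (name[i] != '\0' && name[++i] == '\0')
            return 0;                        /* trailing separator */
    }
    return 1;
}

/* Hypothetical bounded copy of one script line into a fixed buffer.
 * Returns the number of bytes copied, or -1 if the line does not fit;
 * an over-long line is rejected instead of being written past dst. */
int copy_script_line(char *dst, size_t dst_size, const char *line)
{
    if (dst == NULL || line == NULL || dst_size == 0)
        return -1;
    size_t len = strcspn(line, "\r\n");      /* stop at end of line */
    if (len >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, line, len);
    dst[len] = '\0';
    return (int)len;
}
```

A name check of this kind refuses both a link that points at an arbitrary file and one that points at a browser cookie outside the game's directory, while the length check stops an over-long script line before it reaches the fixed-size buffer.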
Our Demonstration Exploit
Hi-Res (25MB) version available also.
First, the victim is instructed to "view" our attack web page. The cookie payload is then secretly delivered to the victim's computer. As the page reads "under construction", the user is encouraged to try the second link. This time, the payload delivered in the original cookie is loaded and overflows a buffer within the game's memory. Our exploit code then uses the game's internal functions to make the victim's avatar start dancing uncontrollably and equip an item (in this case, a bathing suit) as though the victim were doing these things him/herself. Once in control of the computer, our exploit downloads a second program from our server and executes it. This program reads the victim's Anarchy Online account user name and password from the game's memory and uploads them to our FTP server. Finally, it opens a web browser pointing to a website of our choice.
During gameplay, the contents of in-game links are shown when a player hovers the mouse pointer over the text of the link. Before clicking a link, it is important to spend a second to review where the link will take you. If you don't recognize the destination, don't click the link. Just as with any links in spam or phishing emails you may receive, play it safe.
Funcom, the makers of both of these exceptional games, have been contacted regarding these vulnerabilities.
We can be reached by phone at 443-270-2296.
9/24/08 - Anarchy Online was patched today, resolving a minor issue that we discovered since originally writing this page. Additionally, the buffer overflow vulnerability in Age of Conan was fixed sometime earlier this month.
8/28/08 - Funcom released patches for both games today. Both vulnerabilities were fixed in Anarchy Online. In Age of Conan, the directory traversal vulnerability has been fixed, but the buffer overflow remains. We do not believe that the buffer overflow alone currently poses a serious risk to players, but we recommend that Funcom fix it promptly so it cannot be used in any future hybrid attacks. In the meantime, we suggest that players exercise caution when downloading custom game scripts from third parties.