You play I hack you … ReVuln online poker security

Pierluigi Paganini April 11, 2013

One of the most interesting companies in the security landscape is ReVuln. Its researchers specialize in security assessment and are the authors of various interesting studies on large-scale applications and SCADA systems; a few weeks ago I presented their work on vulnerability assessment of gaming platforms.

This time I want to present another excellent analysis by the security experts at ReVuln, who provided a cursory overview of iGaming and client poker software security. The study revealed a number of security vulnerabilities and design issues affecting some of the most widely used platforms, provided by different companies in various countries.

The paper examined the security of a set of online poker solutions and highlighted the current status of this flourishing sector: online gaming (also known as online gambling and iGaming) is one of the most lucrative markets, and online poker alone moves around 30 billion US dollars, attracting millions of players worldwide.

The security of the online gaming sector is crucial, and gaming authorities pursue the following objectives:

  • Protecting players’ rights
  • Promoting responsible gaming
  • Monitoring licensed companies
  • Deciding the minimal level of security that must be adopted
  • Collecting taxes on behalf of the governments

These can be reached only if the security of every component of the platforms is ensured.

The first consideration is that gaming platforms are composed of various components, such as client- and server-side software, network infrastructure, and game applications for online casinos; in many cases this technology is supplied by different providers, with obvious repercussions on overall security.

The software component plays a central role in gaming platforms. The researchers highlighted that the main difference between online poker and the rest of the iGaming products is that the former relies on client-side software which runs directly on the player’s computer.

The client software has to manage real-time data and provide the player with a friendly, fully customizable, multi-platform environment; from the attacker’s perspective, it can represent the entry point to the entire infrastructure.

The ReVuln researchers identified the attack surface of the client components. Software updates are a very important aspect of gaming software: these programs evolve continuously during their life cycle, which is why the auto-update feature is crucial. But update mechanisms can also be exploited by attackers: during the initialization phase, the software usually performs the operations needed to update itself, and at this moment attackers can inject malicious code onto the player’s system.

The client software developed by B3W is used by many skins, such as Yachting Poker and PKRaise, but its update mechanism runs over an insecure HTTP connection to b3w.fileburstcdn.net, where the list of updates and the files are stored without signatures, and the EXEs (which are digitally signed) are not verified before execution. In this situation at least three types of issues were identified:

  • Injection of malicious EXEs, which are executed immediately by the software to auto-update itself:

"c:\path\tmp_executable.exe" "c:\path\executable.exe" update

  • Directory traversal that allows any file in the directory where the software is installed to be created or overwritten.
  • Stack-based buffer overflow while copying the newly generated update link containing the filename provided by the attacker:

_mbscpy(stack_buffer, "http://b3w.fileburstcdn.net:80/updates_SKIN/aaa…aaa");

Attackers could take advantage of various technologies and scenarios: the injection could be carried out by malware that has already infected the victim, or made possible by the use of insecure communication channels such as a public or compromised connection. The lack of encrypted connections and poor authentication mechanisms during the update process favour the attackers, and sometimes, even when the updates are signed, it is possible to abuse the digital signature scheme to submit malicious code.

Interesting is the case of the Microgaming software, currently available on various important and well-known skins such as the popular Unibet and Ladbrokes Poker: the application is a good example of how an update process, despite using a signature mechanism, is vulnerable due to the presence of a security flaw.

The vulnerability is related to the way the software validates the digital signature of the updates. The signature is verified using archived “digests” stored as a base64 string, but the researchers discovered that the function that decodes the password does not validate the length of the output stack buffer, resulting in a buffer overflow that may be used to execute malicious code.
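As an added illustration (not code from the article or from the Microgaming client, whose decoder I have not seen), here is a base64 decoder that receives the capacity of the caller's stack buffer and derives the decoded size from the input length before writing a single byte, i.e. the length check the paragraph describes as missing. b64_val(), b64_decode_bounded() and decodes_into_16() are assumed names, and the 16-byte caller buffer is a constructed example.

```c
#include <stddef.h>
#include <string.h>

/* Standard base64 alphabet; -1 for anything outside it (including '='). */
static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out[0..out_cap). Returns the decoded length, or -1 if
 * the input is malformed or would not fit. The decoded size is computed from
 * the input length BEFORE any byte is written, so a caller's fixed-size
 * stack buffer cannot be overrun by a longer-than-expected value. */
long b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap)
{
    size_t n = strlen(in), pad = 0, i, o = 0;
    unsigned acc = 0;
    int bits = 0;
    if (n % 4 != 0) return -1;
    while (pad < 2 && n > pad && in[n - 1 - pad] == '=') pad++;
    if (n / 4 * 3 - pad > out_cap) return -1;   /* the check the article says was missing */
    for (i = 0; i < n - pad; i++) {
        int v = b64_val(in[i]);
        if (v < 0) return -1;                    /* '=' in the middle, or junk */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (unsigned char)(acc >> bits); }
    }
    return (long)o;
}

/* A caller shaped like the digest decoder in the article: a small fixed
 * stack buffer. Returns 1 if `in` decodes (and fits) to `expected`. */
int decodes_into_16(const char *in, const char *expected)
{
    unsigned char stack_buf[16];
    long len = b64_decode_bounded(in, stack_buf, sizeof stack_buf);
    return len >= 0 && (size_t)len == strlen(expected) &&
           memcmp(stack_buf, expected, (size_t)len) == 0;
}
```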


Playtech software and its iPoker network are other platforms widely used by many skins, such as Titan Poker and William Hill Poker. The software suffers from injection attacks, as described in the paper:

“The software installation and the updates are handled all via HTTP, but the signatures of the signed EXEs and DLLs to install are verified. This is good only partially because all the other files (including HTML files) can be modified without any problems. For example to exploit security vulnerabilities in the software or redirecting the user on malicious websites. More interesting is the presence of EXEs and DLLs that are not digitally signed located in the widgetbar folder. An attacker can use them to inject malicious code on the software.”

Another component that can be exploited to compromise the client software is the installer: it is used to download modules from the Internet, and this operation is considered high risk because attackers could hijack the installable packages.

The critical vulnerabilities in online gaming exploitable by attackers are related to the authentication process and to file encryption.

The report states:

“All Poker software allows the password to be automatically saved on the player’s computer. Insecure implementation of this functionality may not be secure enough to prevent password leaking. The stored password is often just obfuscated or encrypted with fixed keys. Access to registry keys or the configuration file (even remote access is possible using directory traversal vulnerabilities in other software) allows attackers to steal stored passwords easily. It’s not easy to grant access to the network without effectively storing the password, but there are various levels of password security.”

From a security perspective, obfuscating a password and encrypting it are very different things; the use of asymmetric algorithms could grant a superior level of security, and PokerStars has adopted RSA tokens and a PIN.

A weak password protection has been found in B3W: the password is stored in the %APPDATA%\SKIN_NAME\settings.ini file as last_password and is simply obfuscated, and the following algorithm can be used to read it:

len = hex2byte(password);          /* decode the hex string in place, get the byte count */
x = password[0];                   /* the first byte is only a seed */
for (i = 0; i < (len - 1); i++) {
    password[i] = password[i + 1] ^ x;
    x = password[i] + i;           /* next XOR value depends on the byte just recovered */
}
password[i] = 0;                   /* NUL-terminate the recovered password */
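To make the weakness concrete, here is the scheme written out in both directions as an added example; it is not code from the article or from ReVuln's paper, and hex2byte(), b3w_recover() and b3w_store() are my own names. The forward direction is derived from the recovery loop above, and the point it makes is that no key material exists anywhere in the scheme: anyone who can read settings.ini can read the password.

```c
#include <stdio.h>
#include <string.h>

/* Hex string to bytes in place, returns the byte count (the article assumes such a helper). */
static size_t hex2byte(char *s)
{
    size_t n = 0; unsigned v;
    while (s[2 * n] && s[2 * n + 1] && sscanf(s + 2 * n, "%2x", &v) == 1)
        s[n++] = (char)v;
    return n;
}

/* Reverse direction: the last_password recovery loop from the article. Byte 0 is only
 * a seed; later bytes are XORed with a value derived from the previous recovered byte. */
static void b3w_deobfuscate(char *password)
{
    size_t len = hex2byte(password), i;
    unsigned char x = (unsigned char)password[0];
    for (i = 0; i + 1 < len; i++) {
        password[i] = (char)(password[i + 1] ^ x);
        x = (unsigned char)(password[i] + i);
    }
    password[i] = 0;
}

/* Recover the plaintext from a stored hex value (result in a static buffer). */
const char *b3w_recover(const char *stored_hex)
{
    static char buf[256];
    if (strlen(stored_hex) >= sizeof buf) return "";
    strcpy(buf, stored_hex);
    b3w_deobfuscate(buf);
    return buf;
}

/* Forward direction, derived from the reverse; no key is involved, which is the point. */
const char *b3w_store(const char *plain, unsigned char seed)
{
    static char hex[256];
    unsigned char x = seed;
    size_t i, n = strlen(plain);
    if (2 * n + 3 > sizeof hex) return "";
    sprintf(hex, "%02X", seed);
    for (i = 0; i < n; i++) {
        unsigned char p = (unsigned char)plain[i];
        sprintf(hex + 2 + 2 * i, "%02X", (unsigned char)(p ^ x));
        x = (unsigned char)(p + i);
    }
    return hex;
}
```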

If you are interested in the details of the investigation, don’t miss the ReVuln study and the proof-of-concept video on the issues introduced.

On Line Poker Insecurity

Pierluigi Paganini

(Security Affairs – Security)
