Categories: Hacking, Security

You play I hack you … ReVuln online poker security

One of the most interesting companies in the security landscape is ReVuln: its researchers specialize in security assessment and have authored several interesting studies on large-scale applications and SCADA systems. A few weeks ago I presented their work on vulnerability assessment of gaming platforms.

This time I want to present another excellent analysis by the security experts at ReVuln, who provide a cursory overview of iGaming and client poker software security. The study revealed security vulnerabilities and design issues affecting some of the most widely used platforms, provided by different companies in various countries.

The paper examines the security of a set of online poker solutions and highlights the current status of this flourishing sector. Online gaming (also known as online gambling and iGaming) is one of the most remunerative markets; online poker alone moves around 30 billion US dollars and attracts millions of players worldwide.

The security of the online gaming sector is crucial, and gaming authorities pursue the following objectives:

  • Protecting players’ rights
  • Promoting responsible gaming
  • Monitoring licensed companies
  • Deciding the minimal level of security that must be adopted
  • Collecting taxes on behalf of the governments

These objectives can be reached only if the security of every component of the platforms is ensured.

The first consideration is that gaming platforms are composed of various components, such as client- and server-side software, network infrastructure and the game applications of the online casino; in many cases these pieces come from different providers, with obvious repercussions on overall security.

The software component plays a central role in gaming platforms. The researchers highlighted that the main difference between online poker and the rest of the iGaming products is that poker relies on client-side software that runs directly on the player's computer.

Client software has to manage real-time data and give the player a friendly, fully customizable, multi-platform environment; from the attacker's perspective it can be the access door to the entire infrastructure.

The ReVuln researchers mapped the attack surface of the client components. Software updates are a very important aspect of gaming software: these programs evolve continuously over their life cycle, which is why an auto-update feature is crucial. But update mechanisms can also be exploited by attackers: during the initialization phase the software usually performs the operations needed to update itself, and at that moment an attacker who can tamper with the update channel can inject malicious code on the player's system.

The client software developed by B3W is used in many skins, such as Yachting Poker and PKRaise, but its update mechanism runs over an insecure HTTP connection to b3w.fileburstcdn.net, where the list of updates and the files are stored without signatures, and the EXEs (which are digitally signed) are not verified before being executed. In this situation at least three types of issue were identified:

  • Injection of malicious EXEs, which the software executes immediately to auto-update itself:

"c:\path\tmp_executable.exe" "c:\path\executable.exe" update

  • Directory traversal that allows any file under the directory where the software is installed to be created or overwritten.
  • Stack-based buffer overflow while copying the newly generated update link, which contains the filename provided by the attacker:
_mbscpy(stack_buffer,
"http://b3w.fileburstcdn.net:80/updates_SKIN/aaa…aaa");
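The two client-side bugs in the list above (the traversal through the update filename and the unbounded copy of the update link) share one root cause: a filename taken from an unauthenticated update list is used without validation. The following C program is an added example, not B3W's or ReVuln's code: it shows the unbounded copy pattern next to a hardened version that whitelists the filename and builds the link with an explicit bound. The buffer size (URL_BUF), the 64-character name limit and the allowed character set are assumptions chosen for illustration; strcpy()/strcat() stand in for _mbscpy().

```c
#include <stdio.h>
#include <string.h>

#define URL_BASE "http://b3w.fileburstcdn.net:80/updates_SKIN/"
#define URL_BUF  128    /* assumed size of the client's stack buffer */

/* Vulnerable pattern (never call with untrusted input): the filename comes
 * straight from the unauthenticated update list, so its length is under the
 * attacker's control. strcpy()/strcat() behave like _mbscpy(): they stop only
 * at the NUL terminator, so a long name overwrites the stack past the buffer. */
void build_update_url_vuln(char *stack_buffer, const char *filename)
{
    strcpy(stack_buffer, URL_BASE);
    strcat(stack_buffer, filename);     /* no bound on strlen(filename) */
}

/* Accept only a plain file name: no path separators, no "..", a conservative
 * character set and a maximum length (assumed 64).  The same name is later
 * used as a path under the install directory, so this check also blocks the
 * directory traversal described in the second bullet. */
int update_filename_ok(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64) return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;            /* rejects '/', '\\', ':' and control chars */
    }
    return 1;
}

/* Hardened form: validate the name, then build the link with an explicit
 * bound and treat truncation as an error instead of continuing.
 * Returns 0 on success, -1 if the name is rejected or does not fit. */
int build_update_url_safe(char *out, size_t out_len, const char *filename)
{
    if (out_len == 0) return -1;
    if (!update_filename_ok(filename)) { out[0] = '\0'; return -1; }
    int n = snprintf(out, out_len, "%s%s", URL_BASE, filename);
    if (n < 0 || (size_t)n >= out_len) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char url[URL_BUF];
    /* constructed sample names, not taken from a real update list */
    const char *names[] = { "poker_1.2.exe", "..\\..\\Windows\\evil.exe", "a/b.exe" };
    for (size_t i = 0; i < 3; i++)
        printf("%-28s -> %s\n", names[i],
               build_update_url_safe(url, sizeof url, names[i]) == 0 ? url : "REJECTED");
    return 0;
}
```

Note that the hardened function refuses a truncated link rather than silently proceeding: an update URL that does not fit the buffer is a sign of tampering, not a string to be shortened and fetched anyway.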

Attackers can benefit from various techniques and scenarios: the injection could be carried out by malware that has already infected the victim, or made possible by the use of insecure communication channels, such as a public network or a compromised connection. The lack of encrypted connections and poor authentication during the update process favour the attacker, and sometimes, even when the updates are signed, it is possible to abuse the handling of the digital signatures to submit malicious code.

An interesting case is the Microgaming software, currently available on various important and well-known skins such as the popular Unibet and Ladbrokes Poker: the application is a good example of how an update process can be vulnerable despite using a signature mechanism, because of a security flaw in its implementation.

The vulnerability lies in the way the software validates the digital signature of the updates: the signature is verified using archived "digests" stored as base64 strings, but the researchers discovered that the base64 decoding function does not check the length of the decoded data against the output stack buffer, resulting in a buffer overflow that may be used to execute malicious code.
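The missing check described above is easy to get wrong because base64 hides the output size behind the input size. The following C code is an added example, not Microgaming's or ReVuln's code: a base64 decoder that computes the decoded length from the input and refuses to write before touching a fixed-size stack buffer. The 32-byte digest size (DIGEST_LEN) and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into out, never writing more than out_len bytes.
 * The output size is derived from the input *before* anything is written,
 * which is exactly the check the article says was missing.  Returns the
 * number of bytes written, or -1 on malformed input or insufficient space. */
int base64_decode_bounded(const char *in, unsigned char *out, size_t out_len)
{
    size_t in_len = strlen(in);
    if (in_len == 0 || in_len % 4 != 0) return -1;
    size_t need = in_len / 4 * 3;
    if (in[in_len - 1] == '=') need--;
    if (in[in_len - 2] == '=') need--;
    if (need > out_len) return -1;            /* would overflow: stop here */

    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            v[k] = (c == '=') ? -2 : b64val((unsigned char)c);
            if (v[k] == -1) return -1;        /* character outside the alphabet */
        }
        /* '=' may appear only at positions 2 and 3 of the final group */
        if (v[0] < 0 || v[1] < 0) return -1;
        if (v[2] < 0 && v[3] >= 0) return -1;
        if ((v[2] < 0 || v[3] < 0) && i + 4 != in_len) return -1;
        out[o++] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
        if (v[2] >= 0) out[o++] = (unsigned char)(((v[1] & 0x0F) << 4) | (v[2] >> 2));
        if (v[3] >= 0) out[o++] = (unsigned char)(((v[2] & 0x03) << 6) | v[3]);
    }
    return (int)o;
}

/* The situation from the article: an archived digest is decoded into a
 * fixed-size stack buffer.  DIGEST_LEN (a 256-bit hash) is an assumption.
 * Returns the decoded length, or -1 when the string is malformed or would
 * not fit, so an oversized digest string can no longer overrun the stack. */
#define DIGEST_LEN 32
int decode_digest_to_stack(const char *b64_digest)
{
    unsigned char digest[DIGEST_LEN];
    return base64_decode_bounded(b64_digest, digest, sizeof digest);
}

int main(void)
{
    /* constructed inputs: 32 and 33 bytes of 0x41 in base64 */
    const char *ok  = "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUE=";
    const char *big = "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUFBQUFB" "QUFB";
    printf("32-byte digest: %d\n33-byte digest: %d\n",
           decode_digest_to_stack(ok), decode_digest_to_stack(big));
    return 0;
}
```

The decoder also rejects padding in the middle of the string and characters outside the alphabet; a signature check that accepts malformed encodings gives an attacker extra freedom to craft inputs that reach the vulnerable code path.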


Playtech software and its iPoker network are another platform widely used by many skins, such as Titan Poker and William Hill Poker. The software is exposed to injection attacks, as described in the paper:

“The software installation and the updates are handled all via HTTP, but the signatures of the signed EXEs and DLLs to install are verified. This is good only partially because all the other files (including HTML files) can be modified without any problems. For example to exploit security vulnerabilities in the software or redirecting the user on malicious websites. More interesting is the presence of EXEs and DLLs that are not digitally signed located in the widgetbar folder. An attacker can use them to inject malicious code on the software.”

Another component that can be exploited to compromise the client software is the installer: it downloads modules from the Internet, an operation considered high risk because attackers could hijack the installable packages.

Other critical vulnerabilities in online gaming software concern the authentication process and the way stored data is encrypted.

The report states:

“All Poker software allows the password to be automatically saved on the player’s computer. Insecure implementation of this functionality may not be secure enough to prevent password leaking. The stored password is often just obfuscated or encrypted with fixed keys. Access to registry keys or the configuration file (even remote access is possible using directory traversal vulnerabilities in other software) allows attackers to steal stored passwords easily. It’s not easy to grant access to the network without effectively storing the password, but there are various levels of password security.”

From a security perspective, obfuscating a password is very different from encrypting it, and the use of asymmetric algorithms can grant a superior level of security; PokerStars, for instance, has adopted RSA tokens and a PIN.

A weak password protection was found in B3W: the password is stored in the %APPDATA%\SKIN_NAME\settings.ini file as last_password and is simply obfuscated, and the following algorithm can be used to read it:

len = hex2byte(password);        /* hex string -> raw bytes in place, returns byte count */
x = password[0];                 /* first byte seeds the XOR chain */
for (i = 0; i < (len - 1); i++) {
    password[i] = password[i + 1] ^ x;
    x = password[i] + i;         /* next key byte derives from the recovered plaintext */
}
password[i] = 0;                 /* NUL-terminate the recovered password */
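To make the point that this is obfuscation rather than encryption, the following C program is an added example, not B3W's or ReVuln's code: it makes the recovery loop above runnable (with a hex decoder, which the article only names as hex2byte) and adds the inverse routine derived from it, so anyone who has read the decoder can both read and forge last_password values without any key. The sample value "5a29160517101d" is constructed here, not taken from a real settings.ini.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string in place into raw bytes (the hex2byte() of the
 * article, written here as an assumption). Returns the byte count, or -1
 * if the string is empty, of odd length, or not hexadecimal. */
int hex2byte(unsigned char *s)
{
    size_t n = strlen((const char *)s);
    if (n == 0 || n % 2 != 0) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        s[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* The loop from the article: byte 0 seeds x; each later byte is XORed with x,
 * and x is re-derived from the plaintext byte just recovered plus its index.
 * Returns the plaintext length, or -1 on malformed input. */
int b3w_deobfuscate(unsigned char *password)
{
    int len = hex2byte(password);
    if (len < 1) return -1;
    unsigned char x = password[0];
    int i;
    for (i = 0; i < len - 1; i++) {
        password[i] = password[i + 1] ^ x;
        x = (unsigned char)(password[i] + i);
    }
    password[i] = 0;
    return i;
}

/* Inverse, derived from the decoder: emit a seed byte, then each plaintext
 * byte XORed with the running x, updating x from the plaintext byte.
 * Writes a hex string; hex_cap must hold 2*(strlen(plain)+1)+1 chars. */
int b3w_obfuscate(const char *plain, unsigned char seed, char *hex_out, size_t hex_cap)
{
    size_t n = strlen(plain);
    if (hex_cap < 2 * (n + 1) + 1) { hex_out[0] = '\0'; return -1; }
    unsigned char x = seed;
    snprintf(hex_out, hex_cap, "%02x", seed);
    for (size_t i = 0; i < n; i++) {
        unsigned char p = (unsigned char)plain[i];
        snprintf(hex_out + 2 * (i + 1), hex_cap - 2 * (i + 1), "%02x", p ^ x);
        x = (unsigned char)(p + i);
    }
    return 0;
}

int main(void)
{
    unsigned char stored[64] = "5a29160517101d";   /* constructed sample */
    int n = b3w_deobfuscate(stored);
    printf("recovered %d bytes: %s\n", n, stored);
    char forged[64];
    b3w_obfuscate("secret", 0x5a, forged, sizeof forged);
    printf("re-obfuscated: %s\n", forged);
    return 0;
}
```

The seed byte changes the stored string for the same password, which makes it look randomized, but since the seed is stored in clear and the rest of the chain depends only on the plaintext, there is no secret anywhere in the scheme; that is the difference between obfuscation and encryption the paragraph above draws.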

If you are interested in the details of the investigation, don't miss the ReVuln study and the proof-of-concept video on the issues introduced.

Pierluigi Paganini

(Security Affairs – Security)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
