mailing list archives
SECOBJADV-2008-03: PartyGaming PartyPoker Malicious Update Vulnerability
From: advisories () host security-objectives com
Date: 14 Aug 2008 07:09:34 -0000
= Security Objectives Advisory (SECOBJADV-2008-03) =
PartyGaming PartyPoker Malicious Update Vulnerability
AFFECTED: PartyPoker Client (Build Number 121/120, Build Date Mar 18 2008)
Other versions may also be affected
PLATFORM: Intel / Windows
CLASSIFICATION: Origin Validation Error (CWE-346)
RESEARCHER: Derek Callaway
IMPACT: Client-side code execution
PartyPoker.com (www.PartyPoker.com) is the world's largest online poker brand
in terms of number of players and revenues. You'll find a great variety of
poker games and tournaments, plus blackjack.
The PartyGaming PartyPoker client program can be forced into downloading a
malicious update. This is a result of the PartyPoker client not properly
confirming the authenticity of the network update server or the
executable update files themselves. When downloading an update, first
the client program resolves the DNS address of the update host. Next, it
establishes a TCP connection on port 80 of the previously resolved IP
address. Then, it sends an HTTP request for an EXE file under the web
server's Downloads directory. Upon receiving the HTTP response, the
requested portable executable is written to disk and executed.
To successfully exploit this vulnerability an attacker must be able to
somehow position themself such that they can impersonate the update server.
This can be accomplished through DNS cache poisoning, ARP redirection,
TCP hijacking, impersonation of a Wi-Fi Access Point, etc. The attacker
also would have configured a rogue web server to push out update code of
Before PartyPoker downloads the update it communicates with another
PartyGaming server in the 126.96.36.199/24 subnetwork via SSL to determine
if a new client update is available; if so, a HTTP GET request is sent
to www1.partypoker.com for an EXE file in the /Downloads/en/vcc
directory and is stored on the local filesystem under
C:\Programs\PartyGaming\tmpUpgrade and executed. Afterwards, the user
may login and operate the PartyPoker client as usual.
Since the update itself is downloaded from a seperate server, the client
can contact the legitimate PartyGaming server during exploitation to
determine if an update is available as normal. The attacker only needs
to masquerade as www1.partypoker.com.
Do not use the PartyPoker client program.
The vendor was contacted initially and fully aware of the vulnerability.
However, after unsuccessfully attempting to reestablish dialogue multiple times
with limited responsiveness over a period of several months, Security
Objectives proceeded with the advisory.
20-Feb-2008 Discovery of Vulnerability
22-Feb-2008 Developed Proof-of-Concept
25-Feb-2008 Reported to Vendor
15-Aug-2008 Published Advisory
ABOUT SECURITY OBJECTIVES
Security Objectives is a security centric consultancy and software development
corporation which operates in the area of application assurance software.
Security Objectives employs methods that are centered on software
comprehension, therefore a more in-depth contextual understanding of the
application is developed.
Permission is granted for electronic distribution of this advisory.
It may not be edited without the written consent of Security Objectives.
The information contained in this advisory is believed to be accurate based on
currently available information and is provided "as is" without warranty of
any kind, either expressed or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular purpose.
The entire risk as to the quality and performance of the information is with
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- SECOBJADV-2008-03: PartyGaming PartyPoker Malicious Update Vulnerability advisories (Aug 14)