Background: "Heroes of Newerth (commonly known as HoN) is a free-to-play science fantasy, action real-time strategy game. The game is developed by S2 Games for Microsoft Windows, Mac OS X and Linux." - Wikipedia.org
Vulnerability: Heroes of Newerth creates a file called login.cfg, where login information is stored. This includes, if the option of Auto Auth is checked, the MD5 hash of the user's password.
The vulnerability arises when a user saves their password on Mac or Linux, because login.cfg is created with world-readable permissions. This allows other users on the system to access the user's account information, impersonate the user by logging in with the stored password hash, or crack the hash and recover the plaintext password.
Proof of concept:
Linux: -rw-r--r-- 1 user group 334 2011-09-10 00:23 /home/user/.Heroes of Newerth/game/login.cfg
Mac: -rw-r--r-- 1 user group 334 Sep 9 21:46 /Users/User/Library/Application Support/Heroes of Newerth/game/login.cfg
Note: Windows was tested but not found vulnerable to this flaw. On Windows, the MD5 hash is stored at the following location:
C:\Users\%USERNAME%\Documents\Heroes of Newerth\game\login.cfg.
Any other user on the system can simply view the file with a text editor, save it, and impersonate the user in Heroes of Newerth.
Alternatively, if you forgot your password and don't want to reset it, you can simply copy the MD5 hash to login.cfg in the proper format and use it to log in with Auto Auth turned on in the game settings.
Remediation: chmod 600 /path/to/login.cfg - Makes the file readable and writable only by your account.
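An added example, not part of the original advisory: a Python check that looks for a login.cfg readable beyond its owner at the Linux and Mac paths listed above and, with fix=True, applies the same mode as chmod 600. The names audit_login_cfg and demo, and the throwaway file demo creates, are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Per-user locations named in the advisory (Linux and Mac).
DEFAULT_PATHS = [
    "~/.Heroes of Newerth/game/login.cfg",
    "~/Library/Application Support/Heroes of Newerth/game/login.cfg",
]


def audit_login_cfg(paths=DEFAULT_PATHS, fix=False):
    """Return (path, old_mode, new_mode) for each login.cfg with group/other bits set."""
    findings = []
    for raw in paths:
        path = os.path.expanduser(raw)
        try:
            st = os.lstat(path)  # inspect the path itself, not a symlink target
        except FileNotFoundError:
            continue  # game not installed for this user, or password never saved
        if not stat.S_ISREG(st.st_mode):
            continue  # only regular files are checked and changed
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077 == 0:
            continue  # no group/other permission bits: already private
        new_mode = mode
        if fix:
            new_mode = 0o600  # same result as `chmod 600`
            os.chmod(path, new_mode)
        findings.append((path, mode, new_mode))
    return findings


def demo():
    """Constructed sample: a throwaway file set to 0644, like the listings above."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "login.cfg")
        with open(cfg, "w") as fh:
            fh.write("constructed placeholder, not a real login.cfg\n")
        os.chmod(cfg, 0o644)
        before = audit_login_cfg([cfg])           # report only
        fixed = audit_login_cfg([cfg], fix=True)  # report and tighten
        after = audit_login_cfg([cfg])            # nothing left to report
        return before, fixed, after


if __name__ == "__main__":
    for path, old, new in audit_login_cfg(fix=False):
        print(f"{path}: mode {old:04o} exposes the stored hash to other local users")
```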
Thanks to @jakl, who co-discovered this vulnerability, and EvilPenguins for testing on Mac.