########################################################################

Title:  Short explanation of the "broadcast client" term I use to
        identify some games vulnerabilities
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

########################################################################


What I define as a "broadcast client" bug in games is something very
simple.

The multiplayer architecture used by any online game is made up of the
following "characters":

- a central server called the master server: it sends the list of
  current online servers to any client that requests it and at the same
  time lets servers be included in this list
- servers: just the game servers launched by players (admins).
  When a server wants to be included in the master server's list it
  must simply send a heartbeat packet to it (each game uses a different
  method, but Gamespy has simplified this work a lot)
- clients: the players who want to play online and must join the servers

When players want to play online, their clients first contact the master
server to get the list of online servers and then "automatically" (yes,
this is the main problem) request information from each server contained
in the list.

If clients are vulnerable to a bug that happens when they receive a
malformed server information reply, I consider this bug a "broadcast
client" bug because a single malicious server can passively exploit ANY
client in the world without any effort; in fact, clients will
automatically contact it.

I want to highlight that only the bugs located in the handling of the
servers' replies to the automatic information queries of the clients can
be included in this category.

Because of this architecture, even a stupid client crash bug that would
normally carry no risk becomes serious, because no client will be able
to play online... and without clients there is no online gaming.

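
As an added example (not part of the original text and not code from any
game or from Gamespy), here is one way a client could parse a server's
information reply while treating it as untrusted input. The "\key\value"
layout, the size limits and all names are assumptions made for the
illustration.

```c
#include <stddef.h>

/* All limits and the "\key\value" layout are assumptions for this example. */
#define MAX_REPLY 1400  /* largest reply the client accepts */
#define MAX_FIELD 64    /* key or value buffer size, including the NUL */

struct info_pair { char key[MAX_FIELD]; char val[MAX_FIELD]; };
/* Copy one field up to the next '\\' or the end of the data. Returns the
 * number of bytes consumed, or -1 if it is too long or not printable. */
static int take_field(const unsigned char *p, size_t left, char *out)
{
    size_t n = 0;
    while (n < left && p[n] != '\\') {
        if (n >= MAX_FIELD - 1 || p[n] < 0x20 || p[n] > 0x7e)
            return -1;
        out[n] = (char)p[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse an untrusted reply; returns the pair count or -1 to drop it. */
int parse_info_reply(const unsigned char *buf, size_t len,
                     struct info_pair *pairs, size_t max_pairs)
{
    size_t pos = 0, count = 0;
    if (!buf || !pairs || len == 0 || len > MAX_REPLY || buf[0] != '\\')
        return -1;
    while (pos < len) {
        int k, v;
        if (count == max_pairs)
            return -1;                 /* more pairs than we have room for */
        pos++;                         /* skip the '\\' before the key */
        k = take_field(buf + pos, len - pos, pairs[count].key);
        if (k <= 0)
            return -1;                 /* bad or empty key */
        pos += (size_t)k;
        if (pos >= len)
            return -1;                 /* key with no value */
        pos++;                         /* skip the '\\' before the value */
        v = take_field(buf + pos, len - pos, pairs[count].val);
        if (v < 0)
            return -1;
        pos += (size_t)v;
        count++;
    }
    return (int)count;
}
```

A reply that fails any check is dropped as a whole, so one bad server
costs the client a single list entry instead of a crash.
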
If you have doubts about how a server can be included in the master
server's list, don't worry: there are some ways, like full heartbeat
emulation (usually very simple), or it is possible to launch a real
server and then launch the specific exploit to bind the currently used
port, or other ways depending on the type of game and the laziness of
the attacker.

Servers aren't too lucky either, however, because if they are affected
by a bug, an attacker can retrieve the full server list from the master
server and start to sequentially exploit every listed host.
However, for better comprehension I prefer not to add the term
"broadcast" to server bugs.

Probably "broadcast" is not a very exact term and "passive" is better,
but it doesn't illustrate the big power of this category of games
vulnerabilities.

Oh, and don't underrate games.
They are the most used software in the world, require tons of time and
skill to develop and are the past, the present and the future of
entertainment.
So free your mind from any prejudice, games are not (only) for kids!!!


########################################################################