#######################################################################

Title:  Master server disconnection: game servers can be removed from the
        online master server list using one spoofed packet 0.1
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

#######################################################################


1) Introduction
2) Example


#######################################################################

===============
1) Introduction
===============

I think everyone knows what a game server (users), a master server
(centralized), a server list (the list kept by the master server
containing the IPs and ports of all the online game servers) and a
heartbeat (the packet needed to include a server in the list) are.
But probably less known is the way used by the game servers to be
removed from the list.

Just like the heartbeat, this operation is also "usually" done using one
single UDP packet. I have highlighted "usually" because each game uses
its own heartbeat method depending on the master server it uses.
Naturally, if a master server lists over 700 games, my "usually" becomes
almost useless.

In this little paper/advisory (I don't know how to define it) I take the
Gamespy master server as example, but the same information can be
applied to any other master server that works in the same way; that's
why the title of this document is about generic master servers and not
about the Gamespy one.

In the case of Gamespy we have the master server that listens on port
27900 and accepts heartbeat UDP packets like the following:

  \heartbeat\PORT\gamename\GAMENAME\statechanged\STATE

where PORT is the server port, GAMENAME is the name of the game (like
halor for Halo or bfvietnam for Battlefield Vietnam) and STATE is a
number that tells the master server if the server wants to be listed,
if it has changed its configuration (like map, name and so on) or if it
has quit and wants to be removed from the master server list.

The STATE we need to use (in this case) is the number 2, just like in
this example:

  \heartbeat\2302\gamename\halor\statechanged\2

All we need to do is send a spoofed UDP packet from the game server and
its query port to the master server. The server is removed from the list
almost immediately; in some games it could return online after some
seconds, which can be avoided by sending the same packet at regular
intervals.

I don't know if this can be defined a real security bug, but for the
moment it is important to keep track of this (IMHO) very interesting
thing.


#######################################################################

==========
2) Example
==========

I have written a simple proof-of-concept for the Gamespy master server
(so it supports almost all the usual over 700 games) and the only thing
it does is send the spoofed packet after you have specified the server
IP and port and the gamename (remember that the gamename is always
visible when you query the server):

  http://aluigi.org/papers/gsmsdisc.zip

It also has an option to send the same packet infinite times after a
specific amount of seconds.

I highly suggest using Gslist to see when the server disappears from the
online list and to verify if and when it returns visible:

  http://aluigi.org/papers.htm#gslist


#######################################################################
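The following is an added example, written for this page from the master server's side; it is not part of the advisory above and not the code of the real Gamespy master server. It parses the backslash-delimited heartbeat format from the Introduction and keeps a server list in which a `statechanged\2` heartbeat delists a server exactly as the text describes (`verify_delist=False`), beside a hardened variant that, because a forged delist is indistinguishable from a real one at the UDP layer, re-probes the listed address and keeps the entry while the server still answers (`verify_delist=True`). The `MasterList` class, the `probe` callback, the treatment of every state other than 2 as a plain (re)registration, and the 192.0.2.10 address are assumptions made for the example; `halor` and port 2302 are the values from the advisory.

```python
"""Master-server-side handling of GameSpy-style heartbeat packets.

Added example: models the delist behaviour the advisory describes and one
mitigation (re-probe the listed address before honouring a delist).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Addr = Tuple[str, int]  # (ip, port) of a listed game server

# Heartbeats constructed for this example; "halor" and 2302 come from the
# advisory, 192.0.2.10 is a documentation address (RFC 5737).
SERVER_IP = "192.0.2.10"
HB_LIST = b"\\heartbeat\\2302\\gamename\\halor\\statechanged\\0"
HB_QUIT = b"\\heartbeat\\2302\\gamename\\halor\\statechanged\\2"


def parse_heartbeat(payload: bytes) -> Dict[str, str]:
    r"""Parse '\key\value\key\value...' into a dict; reject malformed input."""
    text = payload.decode("ascii")
    if not text.startswith("\\"):
        raise ValueError("heartbeat must start with a backslash")
    parts = text.split("\\")[1:]
    if len(parts) % 2:
        raise ValueError("key without value")
    fields = dict(zip(parts[0::2], parts[1::2]))
    for required in ("heartbeat", "gamename"):
        if required not in fields:
            raise ValueError(f"missing {required} field")
    return fields


@dataclass
class MasterList:
    # probe(addr) -> True when the game server at addr still answers a query.
    # Hypothetical hook: a real master would send its status query over UDP.
    probe: Callable[[Addr], bool]
    # False reproduces the weak behaviour from the advisory; True is the fix.
    verify_delist: bool = True
    servers: Dict[Addr, str] = field(default_factory=dict)  # addr -> gamename

    def handle(self, src: Addr, payload: bytes) -> str:
        """Process one heartbeat received from src; return what was done."""
        fields = parse_heartbeat(payload)
        try:
            port = int(fields["heartbeat"])
        except ValueError:
            return "reject: bad port"
        if not 0 < port < 65536:
            return "reject: bad port"
        # The source IP is all the master has to go on, and it can be spoofed.
        addr = (src[0], port)
        if fields.get("statechanged") == "2":
            if addr not in self.servers:
                return "ignore: not listed"
            # A forged delist looks identical to a real one, so the only
            # evidence worth trusting is whether the server still answers.
            if self.verify_delist and self.probe(addr):
                return "keep: server still answers, delist not honoured"
            del self.servers[addr]
            return "delisted"
        # Any other state: (re)register the server. Simplification of the
        # list / configuration-changed states the advisory mentions.
        self.servers[addr] = fields["gamename"]
        return "listed"


def demo(verify_delist: bool) -> Tuple[str, str, bool]:
    """Register a server, then feed the master the delist heartbeat from the
    advisory while the server is in fact still up (probe answers True)."""
    def still_up(addr: Addr) -> bool:
        return True

    master = MasterList(probe=still_up, verify_delist=verify_delist)
    src = (SERVER_IP, 2302)  # a forged packet carries the victim's address
    first = master.handle(src, HB_LIST)
    second = master.handle(src, HB_QUIT)
    return first, second, src in master.servers


if __name__ == "__main__":
    print("weak:", demo(verify_delist=False))  # server vanishes from the list
    print("hard:", demo(verify_delist=True))   # server stays listed
```

The probe is the whole mitigation: with `verify_delist=False` the second heartbeat removes the entry and `demo` returns `("listed", "delisted", False)`; with the check enabled the same packet returns the "keep" result and the server stays listed, while a server that genuinely stops answering (probe returns False) is still removed.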