TITLE:
GameSpy CD-Key Validation Toolkit Key Denial of Service

SECUNIA ADVISORY ID:
SA15254

VERIFY ADVISORY:
http://secunia.com/advisories/15254/

CRITICAL:
Less critical

IMPACT:
Security Bypass, DoS

WHERE:
From remote

SOFTWARE:
GameSpy SDK CD-Key Validation Toolkit
http://secunia.com/product/4374/

DESCRIPTION:
Luigi Auriemma has reported a vulnerability in GameSpy SDK CD-Key
Validation Toolkit, which can be exploited by malicious people to
prevent users from accessing game servers.

The vulnerability is caused by a design error and can be exploited
by a malicious game server by either not informing a GameSpy master
server when a user leaves, or replaying certain CD-key validation
packets to a GameSpy master server. Both attack vectors will cause a
particular CD-key to be marked as being in use.

Successful exploitation prevents players with valid CD-keys from
playing online, but requires that a user has connected to a malicious
game server.

A design error in the GameSpy CD-Key validation process has also been
reported. This can be exploited by malicious people to bypass the
CD-Key validation process and play with a CD-Key already in use.

SOLUTION:
Connect to trusted game servers only.

The second design error will reportedly be fixed on the master
servers.

PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma

ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/gskeyinuse-adv.txt
http://aluigi.altervista.org/adv/gskeydisc-adv.txt

OTHER REFERENCES:
List of games using the In-Game GameSpy.net Toolkits and/or GameSpy
Arcade:
http://www.gamespy.net/partners/