How a Blizzard DNS rebinding flaw put millions of gamers at risk

A Blizzard DNS rebinding flaw could have put users of its online PC games at risk of attack. Expert Michael Cobb explains how a DNS rebinding attack works and what to do about it.

The digital gaming industry is highly competitive, and interactive gaming is becoming a hugely popular sport. Revenue for the global gaming industry is estimated at over $100 billion, and professional electronic competitive gaming is soon expected to top $1 billion in revenue.

The makers of massively multiplayer online games are, therefore, always under intense pressure to launch their next release to keep their fans engaged and their software relevant. This fosters a development environment where new features tend to take priority over security, and when a vulnerability occurs in a common library or tool, the number of users affected can be enormous.

Renowned security researcher Tavis Ormandy of Google Project Zero published details of a flaw in Blizzard Entertainment Inc. games that theoretically puts millions of players' computers at risk, particularly as it is seen to be of relatively low complexity and, therefore, easy to exploit.

The security vulnerability is a domain name system (DNS) rebinding flaw in a shared utility tool called Blizzard Update Agent, which is used within all of Blizzard's games, including World of Warcraft, Overwatch, Hearthstone and StarCraft. The Blizzard DNS rebinding flaw is only in the PC version of the company's games and is not present in the game console versions, so the actual number of gamers at risk is unknown, but it is in the tens, if not hundreds, of millions.

How the Blizzard DNS rebinding flaw works

The Blizzard Update Agent runs a JSON-RPC server over HTTP on port 1120. JSON-RPC is a very simple remote procedure call protocol encoded in JSON; it enables data to be sent to the server without requiring a server response. The agent accepts maintenance-related commands, such as install, uninstall, change settings and update. It uses a custom authentication scheme to verify that the RPCs are from a legitimate source, but that scheme doesn't correctly validate which hostname the client is requesting.

A website running in a browser can normally make requests to, but not read the responses from, a hostname other than its own under the same-origin policy. The agent forces clients to make an initial request and sends back a secret token in the response. All subsequent requests must contain that token to prove that the client was able to read the initial authentication response and is, therefore, not a website running in a browser.

However, the agent fails to check which hostname requests are addressed to, so an attacker could set up a malicious website whose DNS records also map to the IP address 127.0.0.1, the loopback IP address -- also referred to as the localhost -- used to establish an IP connection to the same machine or computer being used by the end user. Because the agent doesn't check the hostname the client was requesting, it will respond to requests addressed to the attacker's hostname, enabling the attacker to bind an attacker-controlled webpage containing malicious JavaScript code to the user's localhost. It is then possible to send malicious files or scripts that the agent will run, thinking they are legitimate commands.

The Blizzard DNS Rebinding Testcase page provides a proof of concept of this attack. Ormandy also published a proof of concept for a similar type of attack against the Transmission BitTorrent client. Blizzard Update Agent version 2.13.8 fixed this problem by checking requests against a host header whitelist.
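The kind of Host header allowlist check described above can be sketched on a loopback JSON-RPC listener as follows. This is an added example, not Blizzard's code: the allowlist contents, the names `host_allowed`, `RpcHandler` and `demo`, and the hostname `rebind.example.test` are assumptions constructed for illustration.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist: the names a local client legitimately uses for loopback.
ALLOWED_NAMES = {"127.0.0.1", "localhost", "[::1]"}

def host_allowed(host_header, port):
    """True only if Host names loopback and, if a port is given, this port."""
    host = (host_header or "").strip().lower()
    name, sep, tail = host.rpartition(":")
    if sep and tail.isdigit():          # "name:port", including "[::1]:port"
        return name in ALLOWED_NAMES and tail == str(port)
    return host in ALLOWED_NAMES        # no port present

class RpcHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Checked before any body parsing: a rebound page sends its own name in Host.
        if not host_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_error(403, "Host not allowed")
            return
        length = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(length) or b"{}")
        body = json.dumps({"jsonrpc": "2.0", "id": req.get("id"), "result": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    """Send one request per Host value to a throwaway loopback server."""
    server = HTTPServer(("127.0.0.1", 0), RpcHandler)   # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    statuses = {}
    for name in ("127.0.0.1", "rebind.example.test"):   # constructed Host values
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("POST", "/", body=b'{"jsonrpc":"2.0","id":1,"method":"ping"}',
                     headers={"Host": f"{name}:{server.server_port}"})
        statuses[name] = conn.getresponse().status
        conn.close()
    server.shutdown()
    server.server_close()
    return statuses

if __name__ == "__main__":
    print(demo())
```

Both requests arrive over the same loopback socket; only the Host value differs, which is the one signal the server has that the browser resolved a foreign name to 127.0.0.1.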

How something like the Blizzard DNS rebinding flaw happens

Software developers are familiar with software development frameworks like Scrum, sprint and Waterfall, but in big-budget games, there is also the crunch: a period of long working hours and increased pressure to meet deadlines and development milestones. This invariably leads to shortcuts, errors and bugs.

However, the industry modus operandi is still to launch a new version even if it has minor or even major flaws that affect its users' experience when playing the game. Ormandy points out that if these types of bugs make it through to the release version, and many are bugs that will directly impact a company's profits, then it's not surprising that security vulnerabilities are commonplace as well.

Any software development company must have robust code review and testing procedures in place that test security and usability prior to a new version being publicly released. They also need to have a documented bug response procedure to ensure the inevitable bug reports are handled quickly and efficiently.

Blizzard bungled the bug disclosure and mitigation process, which led Ormandy to publicly disclose the Blizzard DNS rebinding vulnerability before it had been truly patched. A bug bounty program can also help to discover and fix bugs before there is any widespread abuse.
