Dark Age of Camelot Security Advisory

According to the Bugtraq mailing list, the Dark Age of Camelot login client has potentially dangerous flaws. Apparently, using the exploit, an attacker can impersonate a DAoC account server in order to trick a client into sending its billing info. As a precautionary measure, we recommend reading the official advisory here, and the full details of the potential exploit here. Quoted:
Dark Age of Camelot (DAoC) is a fantasy based Massively Multiplayer Online Role Playing Game (MMORPG) developed by Mythic Entertainment (http://www.mythicentertainment.com/). For more background information on the product and for previous security issues, please refer to the advisory issued last December at http://capnbry.net/daoc/advisory.html.

The current security scheme of the Dark Age of Camelot login involves the use of RSA public key cryptography and an RC4 based symmetric algorithm. The weakness of their approach is that the RSA public key is transmitted at the start of each session and is not digitally signed or verified to ensure the integrity of the connection or data.

With the release of the version 1.68 patch to the DAoC test server (Pendragon), Mythic upgraded the game client (game.dll) to use the security changes made to the login protocol. One side-effect of this change was to focus more eyes on the protocol. While monitoring the discussion on various forums dedicated to DAoC utilities and emulators, it became apparent that people understood how to attack the security.

Seeing the imminent release of code for cracking the game client (which would then expose the login client), an e-mail was sent to multiple contacts at Mythic on February 18th to describe the flaws of the protocol. Specifically, we described how billing information was exposed and repeated our suggestion about going to an SSL/TLS based solution for handling account information. This approach seems practical in light of the fact that the European provider of DAoC, GOA, uses web pages served over HTTPS to secure account updates.

We have received no acknowledgment of the e-mail from anyone at Mythic. After one month had passed, we began to prepare a formal public advisory and noticed that the login client had been silently patched (i.e. no mention in any public patch notes). The current version of the login client is no longer vulnerable to this billing information exploit. The solution implemented by Mythic was to embed a fixed public key into the login.dll to use for the encryption of billing data. The per-session public key is still used for protecting the symmetric key.
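The root cause described in the advisory is that the client accepts whatever per-session public key arrives on the wire. The following added example (our own illustration in Go, not Mythic's login.dll code or the patch they shipped) shows the signed-key variant the advisory's wording points at: the server signs each per-session key with a long-term key whose public half is pinned in the client, and the client refuses any session key that does not verify. The `SessionKeyOffer` structure, function names and the SHA-256/PKCS#1 v1.5 choice are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SessionKeyOffer (assumed format) is what the login server sends at session
// start: the per-session public key plus a signature over it made with the
// long-term key whose public half is pinned (compiled) into the client.
type SessionKeyOffer struct {
	SessionPub []byte // PKIX DER encoding of the per-session RSA public key
	Signature  []byte // PKCS#1 v1.5 signature over SHA-256(SessionPub)
}

// NewSessionKeyOffer (server side): sign a freshly minted session key.
func NewSessionKeyOffer(longTerm, session *rsa.PrivateKey) (*SessionKeyOffer, error) {
	der, err := x509.MarshalPKIXPublicKey(&session.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(der)
	sig, err := rsa.SignPKCS1v15(rand.Reader, longTerm, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SessionKeyOffer{SessionPub: der, Signature: sig}, nil
}

// AcceptSessionKey (client side): only trust a session key that verifies
// under the pinned key, so a key substituted in transit is discarded.
func AcceptSessionKey(pinned *rsa.PublicKey, offer *SessionKeyOffer) (*rsa.PublicKey, error) {
	digest := sha256.Sum256(offer.SessionPub)
	if err := rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], offer.Signature); err != nil {
		return nil, fmt.Errorf("session key rejected: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(offer.SessionPub)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("session key is not an RSA key")
	}
	return rsaPub, nil
}
```

Mythic's actual fix instead pins a fixed public key used directly for the billing data; either way the client must hold something it trusts before the session starts, which the original per-session-key-only design lacked.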