Open Source and information security mailing list archives
Date: Thu, 6 Jan 2005 18:45:24 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.netsys.com, vuln@...unia.com
Subject: Socket unreachable in Amp II engine

#######################################################################

                             Luigi Auriemma

Application:  Amp II 3D engine
              http://www.4drulers.com/amp.html
Versions:     any version, since there is no patch available
Games:        Gore: Ultimate Soldier <= 1.50
              ... possibly others ...
Platforms:    Windows
Bug:          socket unreachable
Exploitation: remote, versus server
Date:         06 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Amp II engine is a game engine developed by 4d Rules
(http://www.4drulers.com) and Slam Software (http://www.slamsoftware.com).
The only game released using this engine seems to be Gore
(http://www.4drulers.com/gore/), dated June 2002.

#######################################################################

======
2) Bug
======

The code used by the engine to handle UDP packets is similar to the
following:

  if(select(sock, &read_set, NULL, NULL, &timeout_zero) < 0) socket_error();
  ...
  if(ioctlsocket(sock, FIONREAD, &packet_length) < 0) socket_error();
  if(packet_length) {
      // read socket data
  }

The problem is the if(packet_length) check (meaning "if packet_length is
different from zero"). FIONREAD returns the size of the first packet in
the socket's queue, so if an attacker sends a UDP packet of zero bytes to
the server, packet_length stays equal to zero, the if(packet_length)
check never succeeds, and the code enters an infinite loop that keeps
handling the same empty UDP packet without ever reading it and thus
without ever freeing the socket's queue.

In short, a UDP packet of zero bytes is able to silently interrupt the
match on the server.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/amp2zero.zip

#######################################################################

======
4) Fix
======

The Amp II engine is no longer supported, and a patch for Gore will
probably be released in the future.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
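The following is an added example, not code from the advisory or from the Amp II engine, showing why gating the read on FIONREAD is the defect and what the corrected receive loop looks like. It uses POSIX sockets (ioctl instead of ioctlsocket) on a loopback socket that sends to itself; the function names, the 4096-byte buffer and the "hello" payload are constructed for this demonstration. The vulnerable loop is bounded by an iteration cap purely so that it terminates; the real engine has no such cap, which is the hang described above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_PACKET 4096  /* constructed receive buffer size */

/* Create a UDP socket bound to 127.0.0.1 on a kernel-chosen port and
   return its address in *addr so the demo can send datagrams to itself. */
static int make_loopback_socket(struct sockaddr_in *addr) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t len = sizeof *addr;
    if (s < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;
    if (bind(s, (struct sockaddr *)addr, sizeof *addr) < 0 ||
        getsockname(s, (struct sockaddr *)addr, &len) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Zero-timeout select: 1 if a datagram is queued, 0 if idle, -1 on error. */
static int readable_now(int sock) {
    fd_set rs;
    struct timeval tv = {0, 0};
    FD_ZERO(&rs);
    FD_SET(sock, &rs);
    return select(sock + 1, &rs, NULL, NULL, &tv);
}

/* The pattern from the advisory: read only when FIONREAD says the next
   datagram is non-empty. A zero-byte datagram is never dequeued, so
   select keeps reporting the socket readable and the loop spins. The
   cap makes it return; it reports how many iterations were spent. */
static int vulnerable_drain(int sock, int max_iters) {
    char buf[MAX_PACKET];
    int iters = 0;
    while (iters < max_iters) {
        int r = readable_now(sock);
        if (r < 0) return -1;
        if (r == 0) return iters;          /* queue empty: normal exit */
        int packet_length = 0;
        if (ioctl(sock, FIONREAD, &packet_length) < 0) return -1;
        if (packet_length)                 /* 0 for an empty datagram */
            (void)recv(sock, buf, sizeof buf, 0);
        iters++;
    }
    return iters;                          /* hit the cap: stuck */
}

/* Corrected pattern: once select reports the socket readable, always
   call recv. A zero-byte datagram returns 0 and is removed from the
   queue, so the loop always makes progress. Returns datagrams consumed. */
static int fixed_drain(int sock, int max_iters) {
    char buf[MAX_PACKET];
    int consumed = 0;
    while (consumed < max_iters) {
        int r = readable_now(sock);
        if (r < 0) return -1;
        if (r == 0) return consumed;       /* queue empty: normal exit */
        ssize_t n = recv(sock, buf, sizeof buf, 0);
        if (n < 0) return -1;
        consumed++;
        if (n == 0) continue;              /* empty datagram: dequeued, ignored */
        /* handle n bytes of game data here */
    }
    return consumed;
}

/* Queue one constructed empty datagram followed by a real one, then show
   the vulnerable loop spinning and the fixed loop draining both. */
int run_demo(void) {
    struct sockaddr_in addr;
    const char payload[] = "hello";        /* constructed sample data */
    int ok = 0;
    int sock = make_loopback_socket(&addr);
    if (sock < 0) return 0;
    if (sendto(sock, "", 0, 0, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        sendto(sock, payload, sizeof payload - 1, 0,
               (struct sockaddr *)&addr, sizeof addr) == (ssize_t)(sizeof payload - 1) &&
        vulnerable_drain(sock, 100) == 100 &&   /* spun until the cap */
        fixed_drain(sock, 100) == 2 &&          /* consumed both datagrams */
        readable_now(sock) == 0)                /* queue is now empty */
        ok = 1;
    close(sock);
    return ok;
}

int main(void) {
    printf("%s\n", run_demo() ? "fixed loop drains the empty datagram" : "demo failed");
    return 0;
}
```

The design point is that FIONREAD is only a hint about queue contents; the receive call is what dequeues a datagram, and a zero-length datagram is still a datagram. Detection-wise, a server stuck in this state shows the socket permanently readable with the same empty packet at the head of the queue and no further game traffic being processed.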