lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040203212251.14a85aab.aluigi@altervista.org>
Date: Tue, 3 Feb 2004 21:22:51 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Remote crash of Chaser game <= 1.50



#######################################################################

                             Luigi Auriemma

Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          crash (reading of unallocated memory)
Risk:         high
Exploitation: remote, both server and client are vulnerables
Date:         03 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.


#######################################################################

======
2) Bug
======


The structure of a Chaser packet is like the following:

00 00 00 00 00 ff 00 00
   |              |
   |              size of the data starting at offset 14
   16 bit checksum
   http://aluigi.altervista.org/papers/chaser_crc.h

The problem is just in the value specifying the size of the data in
fact if it is too big the game will read all the amount of data
specified and will reach an unallocated memory zone that will cause an
exception.
The following is the instruction that causes the crash in the dedicated
server 1.50:

:0050C89F F3A5                    rep movsd


#######################################################################

===========
3) The Code
===========


To test the Chaser server:

http://aluigi.altervista.org/poc/chasercrash.zip

The vulnerability affects also the client but naturally the
dangerousness is really minimale, I have released a proof-of-concept
also to test this case:

http://aluigi.altervista.org/poc/chaser-client.zip


#######################################################################

======
4) Fix
======


No fix.
Cauldron has not replied to my mails.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ