[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040216143151.6c619bf5.aluigi@altervista.org>
Date: Mon, 16 Feb 2004 14:31:51 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Broadcast client buffer-overflow in Purge Jihad <= 2.0.1
#######################################################################
Luigi Auriemma
Applications: Purge and Purge Jihad
http://www.purgeonline.net
Versions: Purge <= 1.4.7
Purge Jihad <= 2.0.1
Platforms: Windows
Bug: broadcast client's buffer overflow
Risk: highly critical
Exploitation: remote, versus clients (broadcast)
Date: 16 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Purge Jihad is a game developed by Freeform Interactive using the
Lithtech Talon graphic engine:
"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the
near future accounting a war between the diametrically opposed forces
of science-fiction (the Order) and fantasy (the Chosen)"
#######################################################################
======
2) Bug
======
The bug is a "broadcast" buffer-overflow affecting clients.
In fact each client that enters in the multiplayer screen automatically
contacts the master server and then sends a query to each available
online game server to know informations about the current match running
on it.
The attacker'server must simply reply to clients'requests with an
information packet containing 2 big fields: battle type and map name.
These fields in fact are managed by a vulnerable function that copies
the provided strings in a 64 bytes buffer not able to contain the
maximum size of 256 bytes of each field.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/purge-cbof.zip
#######################################################################
======
4) Fix
======
Purge Jihad 2.0.2
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists