lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040824193115.278f2a4e.aluigi@autistici.org>
Date: Tue, 24 Aug 2004 19:31:15 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com,
   full-disclosure@...ts.netsys.com
Subject: Limited buffer overflow in Painkiller 1.31



#######################################################################

                             Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.3.1
Platforms:    Windows
Bug:          memory corruption with limited code execution
Risk:         medium/high
Exploitation: remote, versus server
Date:         24 August 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Painkiller is a famous FPS game developed by People can Fly
(http://www.peoplecanfly.com) and released in April 2004.


#######################################################################

======
2) Bug
======


The handshake to join a Painkiller server is composed by 3 packets:
- a connection request from the client (ID 0x02)
- a challenge key from the server (ID 0x03) used for the calculation of
  both the Gamespy cd-key authorization string
  (http://aluigi.altervista.org/papers/gskey-auth.txt) and the password
  used to access protected game servers
- the client's packet used to join (ID 0x04) and containing its game
  version, the Gamespy cd-key auth string, the password (if needed) and
  some other informations

The problem is just in the password field (read by both protected and
non-protected game servers), in fact it is encoded using a specific
algorithm and the challenge string received from the server, but when
the server tries to "unscramble" a too long password (over 256 chars)
some important memory zones are overwritten.
The full optimized encoding/decoding algorithm is available here:
  http://aluigi.altervista.org/papers/painkiller_pckpwd.h

Due to the type of encoding algorithm and the type of bug seems not
possible to fully execute remote code (at least not easily) because the
return address can be overwritten only by the bytes allowed in an
intermediate step of the password decoding, so from 0x00 until 0x3f.
Is possible that exist other exploitation methods however I have found
only this one that has this limitation.


#######################################################################

===========
3) The Code
===========


  http://aluigi.altervista.org/poc/painkex.zip


#######################################################################

======
4) Fix
======


No fix.
Developers have been contacted over one month ago but the patch (that
is ready) has not been released yet.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ