[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041008191120.0f983e81.aluigi@autistici.org>
Date: Fri, 8 Oct 2004 19:11:20 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.netsys.com,
vuln@...unia.com
Subject: Limited \secure\ buffer-overflow in some old Monolith games
#######################################################################
Luigi Auriemma
Applications: Some old games developed by Monolith
http://www.lith.com
Versions: - Alien versus Predator 2 <= 1.0.9.6
- Blood 2 <= 2.1
- No one lives forever <= 1.004
- Shogo <= 2.2
Platforms: Windows
Bug: limited buffer overflow
Exploitation: remote, versus server
Date: 08 October 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain have been released
before the 2002 but are still very played online.
#######################################################################
======
2) Bug
======
The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.
The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/lithsec.zip
#######################################################################
======
4) Fix
======
No official fix, probably these games are no longer supported and,
however, I have received no reply from the developers.
Fortunately creating a work-around for this bug is very easy because is
only needed to set the "secure" string to NULL.
The following are my unofficial patches:
Alien versus Predator 2 1.0.9.6
http://aluigi.altervista.org/patches/avp2-1096-fix.zip
Blood 2 2.1
http://aluigi.altervista.org/patches/blood2-21-fix.zip
No one lives forever 1.004
http://aluigi.altervista.org/patches/nolf1004-fix.zip
Shogo 2.2
http://aluigi.altervista.org/patches/shogo22-fix.zip
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists