| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041123185431.068a86f7.aluigi@autistici.org>
Date: Tue, 23 Nov 2004 18:54:31 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com,
full-disclosure@...ts.netsys.com, vuln@...unia.com
Subject: Broadcast memory corruption in Soldier of Fortune II 1.03
#######################################################################
Luigi Auriemma
Application: Soldier of Fortune II
http://sof2.ravensoft.com
Versions: <= 1.03 gold
Platforms: Windows, Linux and MacOS
Bug: memory corruption
Exploitation: remote, versus server and clients (broadcast)
Date: 23 November 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released at May 2002.
#######################################################################
======
2) Bug
======
The game is affected by a sprintf() overflow when handles a too big
valid query or reply (in case it acts as server or client), but doesn't
seem possible to execute remote code.
The effects on the server can be the immediate match interruption
(shutdown) caused by the overwriting of some game data or the crash
(that doesn't happen on the Linux dedicated server) depending by the
amount of data received from the attacker.
A worst effect instead happens on clients, in fact the type and the
location of the vulnerability lets a single attacker (visible in the
online master server list) to passively crash any client in the world.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/sof2boom.zip
#######################################################################
======
4) Fix
======
No fix.
The developers have not replied to my mails, so I have created a
workaround (limiting from 1024 to 512 the amount of managed data) that
fixes both the client and server bug and can be applied to the Windows
version and to the Linux dedicated server:
http://aluigi.altervista.org/patches/sof2-103-fix.zip
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists