Message-ID: <20050106184524.40026fbd.aluigi@autistici.org>
Date: Thu, 6 Jan 2005 18:45:24 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.netsys.com,
vuln@...unia.com
Subject: Socket unreachable in Amp II engine
#######################################################################
Luigi Auriemma
Application: Amp II 3D engine
http://www.4drulers.com/amp.html
Versions: any version since there is no patch available
Games: Gore: Ultimate Soldier <= 1.50
... possibly others ...
Platforms: Windows
Bug: socket unreachable
Exploitation: remote, versus server
Date: 06 Jan 2005
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Amp II engine is a game engine developed by 4d Rules
(http://www.4drulers.com) and Slam Software
(http://www.slamsoftware.com).
The only game released using this engine seems to be Gore
(http://www.4drulers.com/gore/) dated June 2002.
#######################################################################
======
2) Bug
======
The code used by the engine to handle UDP packets is similar to the
following:
    if(select(sock, &read_set, NULL, NULL, &timeout_zero) < 0)
        socket_error();
    ...
    // FIONREAD reports the size of the first datagram waiting in the queue
    if(ioctlsocket(sock, FIONREAD, &packet_length) < 0)
        socket_error();
    if(packet_length) {   // BUG: a queued 0-byte datagram never passes this check
        // read socket data (the only place the datagram is removed from the queue)
    }
The problem is just in the if(packet_length) check (meaning "if
packet_length is different from zero"). FIONREAD retrieves the size of
the first packet in the socket's queue, so if an attacker sends a UDP
packet of zero bytes to the server, packet_length stays equal to zero,
the check never passes and the read that would remove the packet from
the queue is never performed. The engine therefore enters an infinite
loop in which select keeps reporting the socket as readable and FIONREAD
keeps reporting the same empty UDP packet, which is never read and never
freed from the socket's queue.
In short, a UDP packet of zero bytes is able to silently interrupt the
match on the server.
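The condition above and the correct way to handle it, as an added example that is not code from the advisory or from the Amp II engine: it reproduces a zero-byte datagram on loopback with portable BSD sockets (the engine uses Winsock, where ioctlsocket and SOCKET_ERROR replace ioctl and -1, but the logic is identical) and shows a receive loop that uses select readability, not FIONREAD, as the trigger to read, so the empty datagram is consumed instead of pinning the loop. The function and variable names are the author's own choices.

```c
/* Added example, not from the advisory or the Amp II engine: the
 * zero-length-datagram condition reproduced on loopback with portable
 * BSD sockets (engine uses Winsock; same logic) and a loop that drains it. */
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>

int fionread_at_head = -1;   /* what FIONREAD reported before draining */

/* Fixed loop: select() readability is the trigger and recvfrom() is
 * always called, so a 0-byte datagram (recvfrom returns 0) is consumed
 * like any other instead of sitting at the head of the queue forever. */
int drain_datagrams(int s) {
    char buf[2048];
    int consumed = 0;
    for (;;) {
        fd_set rs;
        struct timeval idle = {0, 100000};       /* 100 ms quiet => done */
        FD_ZERO(&rs); FD_SET(s, &rs);
        if (select(s + 1, &rs, NULL, NULL, &idle) <= 0) break;
        if (recvfrom(s, buf, sizeof buf, 0, NULL, NULL) < 0) break;
        consumed++;                              /* counts the empty one */
    }
    return consumed;
}

/* Bind a UDP socket on 127.0.0.1, queue an empty datagram then a real one,
 * record what FIONREAD reports for the head of the queue (the value the
 * engine gated on), then drain.  Returns datagrams consumed, -1 on error. */
int demo_zero_length_datagram(void) {
    struct sockaddr_in srv = {0};
    socklen_t len = sizeof srv;
    struct timeval settle = {0, 50000};
    int s = socket(AF_INET, SOCK_DGRAM, 0), c = socket(AF_INET, SOCK_DGRAM, 0);
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);       /* port 0: any */
    if (s < 0 || c < 0 || bind(s, (struct sockaddr *)&srv, len) < 0 ||
        getsockname(s, (struct sockaddr *)&srv, &len) < 0) return -1;
    sendto(c, "", 0, 0, (struct sockaddr *)&srv, len);   /* 0 bytes */
    sendto(c, "hi", 2, 0, (struct sockaddr *)&srv, len);
    select(0, NULL, NULL, NULL, &settle);                /* let it deliver */
    ioctl(s, FIONREAD, &fionread_at_head);               /* 0: empty head */
    int consumed = drain_datagrams(s);
    close(c); close(s);
    return consumed;
}
```

FIONREAD returning 0 here is indistinguishable from "nothing pending", which is exactly why the read must be driven by select (or poll) rather than by the byte count.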
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/amp2zero.zip
#######################################################################
======
4) Fix
======
The Amp II engine is no longer supported, and a patch for Gore will
probably not be released in the future.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org