Message-Id: <20070823011328.290c84fa.aluigi@autistici.org>
Date: Thu, 23 Aug 2007 01:13:28 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Buffer-overflow in the Asura engine
#######################################################################
Luigi Auriemma
Application: Asura engine (network SDK)
http://www.rebellion.co.uk
Games:        Rogue Trooper         <= 1.0
              Prism: Guard Shield   <= 1.1.1.0
              ...possibly others...
Platforms: Windows
Bug: challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 22 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol which leads to the vulnerability reported
in this advisory; the older games were based on DirectPlay (Judge
Dredd) and Gamespy SDK (Sniper Elite).
#######################################################################
======
2) Bug
======
A buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the challenge B query.
In this function the data passed by the client is copied (without
checks on its length) to a stack buffer of 256 bytes used for sending
the data back to the client, something similar to a ping.
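
The unchecked echo described above, next to a bounds-checked form, as an
added example that is not code from the advisory or from the Asura engine.
The function names and the wire layout (2-byte little-endian id followed by
the data) are assumptions; only the 0xf007 id and the 256-byte stack buffer
come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHALLENGE_B   0xf007  /* packet id named in the advisory */
#define REPLY_BUF_LEN 256     /* stack buffer size named in the advisory */

/* Assumed wire layout (hypothetical): 2-byte little-endian id, then data. */

/* The flawed pattern: the client-supplied length is never checked. */
size_t echo_unchecked(const uint8_t *pkt, size_t len, uint8_t *out)
{
    uint8_t reply[REPLY_BUF_LEN];
    memcpy(reply, pkt + 2, len - 2); /* writes past reply[] if len - 2 > 256 */
    memcpy(out, reply, len - 2);
    return len - 2;
}

/* Hardened form: returns the reply length, or -1 when the packet is dropped. */
int echo_checked(const uint8_t *pkt, size_t len, uint8_t *out, size_t out_cap)
{
    uint8_t reply[REPLY_BUF_LEN];
    size_t data_len;

    if (pkt == NULL || out == NULL || len < 2)
        return -1;                        /* too short to carry an id */
    if ((pkt[0] | (pkt[1] << 8)) != CHALLENGE_B)
        return -1;                        /* not a challenge B query */
    data_len = len - 2;
    if (data_len > sizeof(reply) || data_len > out_cap)
        return -1;                        /* drop, do not truncate or overflow */
    memcpy(reply, pkt + 2, data_len);
    memcpy(out, reply, data_len);
    return (int)data_len;
}

int main(void)
{
    uint8_t pkt[2 + 300], out[512];       /* constructed sample packet */
    memset(pkt, 'A', sizeof(pkt));
    pkt[0] = 0x07; pkt[1] = 0xf0;
    /* exact fit is echoed, one byte more is rejected */
    return !(echo_checked(pkt, 2 + 256, out, sizeof(out)) == 256 &&
             echo_checked(pkt, 2 + 257, out, sizeof(out)) == -1);
}
```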
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/asurabof.zip
#######################################################################
======
4) Fix
======
No fix.
Rebellion is one of those vendors which have never replied to my past
mails.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org