lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040318221748.0c8c562c.aluigi@altervista.org>
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Chrome 1.2.0.0 server crash

#######################################################################

                             Luigi Auriemma

Application:  Chrome
              http://www.chromethegame.com
Versions:     <= 1.2.0.0
Platforms:    Windows
Bug:          reading and writing into unallocated memory (crash)
Risk:         medium/high
Exploitation: remote, versus server
Date:         18 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chrome is a cool game developed by Techland (http://www.techland.pl)
and is a futuristic FPP (First Person Perspective) shooting game whose
takes action on a planet of another solar system called Valkyria.


#######################################################################

======
2) Bug
======


The problem is located in the following instructions:

  buff = malloc(value);
  memcpy(buff, packet + 8, value);

where "buff" is the new allocated buffer, "value" is a 32 bit number
located at offset 4 of the packet sent by the client and "packet" is
just this packet.
Now we have 2 interesting effects that have the same result (server's
crash):

- if "value" is too big the malloc() function will fail and there are
  no instructions to check it so the game will try to write into a bad
  memory zone (0x00000000)
- if "value" is big but is allocable, memcpy() will fail because the
  value is bigger than the packet so it will try to read from the
  unallocated memory after the data


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/chromeboom.zip


#######################################################################

======
4) Fix
======


No fix.
Developers talked about the patching of their online servers and about
an eventual patch for users within over 2 weeks ago, but nothing has
been released yet and there are no informations from them.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ