Message-ID: <20040319153558.6f3ad085.aluigi@altervista.org>
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Broadcast client buffer-overflow in Terminator 3 1.0

#######################################################################

                             Luigi Auriemma

Application:  Terminator 3: War of the Machines
              http://www.t3war.com
Versions:     1.0
Platforms:    Windows
Bug:          broadcast client's buffer-overflow
Risk:         very high
Exploitation: remote and automatic, versus clients
Date:         19 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Terminator 3: War of the Machines" is a multiplayer FPS game developed
by Clevers (http://www.clevers.com) and based on the Schwarzenegger
movie of the same name.


#######################################################################

======
2) Bug
======


The bug is a buffer-overflow in the client, triggered by a broadcast:
every time a user enters the multiplayer menu, the game contacts the
master server and then automatically queries each online server, so
any server that replies can hit every client that opens the menu.
The overflow happens in the following vulnerable instructions:

    char ServerInfoTemp[200];
    ...
    /* no check that strlen(ServerInfo) < sizeof(ServerInfoTemp) */
    for (int i = 0; i < strlen(ServerInfo); i++) {
        ServerInfoTemp[i] = toupper(ServerInfo[i]);
    }

They take a string (ServerInfo), previously built from the server's IP
and port and all the values in its reply, and copy it into a smaller
fixed-size buffer (ServerInfoTemp) while converting the characters to
upper case, without checking that it fits.

The effects of this bug are the usual two known problems:

- automatic buffer-overflow (here with the limitation that the
  attacker's bytes pass through toupper(), so lower-case letters
  cannot be used in addresses or shellcode)
- network denial of service: nobody can use the game online

For those who want to see the problem at runtime, the vulnerable
instructions in the executable of the pre-release demo are the loop
between 004953d4 and 004953fe.
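The following is an added example, not code from the game or from this
advisory. It reconstructs the unchecked copy described above next to a
bounded replacement, and measures the "upper-case limitation" from the
attacker's side. The layout of ServerInfo ("ip:port reply"), the IP
10.0.0.1, the port 1234 and the reply contents are all constructed
assumptions; the advisory only states that the IP, the port and the
values of the reply are concatenated.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SERVERINFO_TEMP_LEN 200   /* size of the game's ServerInfoTemp[] per the advisory */

/* Hypothetical reconstruction of how ServerInfo is assembled from a server reply.
 * Returns the length the full string would have (snprintf semantics), so an
 * over-long reply is measured rather than written past 'out'. */
size_t build_server_info(char *out, size_t outlen, const char *ip, unsigned port,
                         const char *reply)
{
    int n = snprintf(out, outlen, "%s:%u %s", ip, port, reply);
    return n < 0 ? 0 : (size_t)n;
}

/* The game's loop writes strlen(ServerInfo) bytes into a 200-byte array with no
 * bound: a length of 200 leaves no room for a terminator, anything longer writes
 * out of bounds. This predicate says whether a given ServerInfo is unsafe for it. */
int would_overflow(const char *server_info)
{
    return strlen(server_info) >= SERVERINFO_TEMP_LEN;
}

/* Bounded replacement for the vulnerable loop. The reply comes from an untrusted
 * server, so an over-long string is refused outright instead of silently
 * truncated. Returns 0 on success, -1 if it does not fit. */
int upper_copy_checked(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstlen)             /* need room for the terminator too */
        return -1;
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[len] = '\0';
    return 0;
}

/* Exploit-side view of the upper-case limitation: in the C locale toupper()
 * rewrites only 0x61..0x7a ('a'..'z'), so those are the bytes an attacker cannot
 * have in the data that lands in ServerInfoTemp. Returns how many bytes of a
 * candidate payload would be mangled. */
size_t toupper_mangled_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 'a' && buf[i] <= 'z')
            n++;
    return n;
}

int main(void)
{
    char info[512];
    char tmp[SERVERINFO_TEMP_LEN];
    char big[301];

    /* Constructed benign reply: fits, gets upper-cased as the game intends. */
    build_server_info(info, sizeof info, "10.0.0.1", 1234, "NAME=foo");
    printf("benign: overflow=%d copy=%d -> %s\n", would_overflow(info),
           upper_copy_checked(tmp, sizeof tmp, info), tmp);

    /* Constructed rogue reply: 300 bytes, far beyond the 200-byte buffer. */
    memset(big, 'a', 300);
    big[300] = '\0';
    build_server_info(info, sizeof info, "10.0.0.1", 1234, big);
    printf("rogue:  overflow=%d copy=%d\n", would_overflow(info),
           upper_copy_checked(tmp, sizeof tmp, info));

    /* Constructed payload fragment: NOP, NOP, 'a', 'b', 'c', INT3; three bytes
     * would be mangled by toupper(), so they are unusable as written. */
    const unsigned char payload[] = { 0x90, 0x90, 'a', 'b', 'c', 0xcc };
    printf("payload bytes mangled by toupper(): %zu\n",
           toupper_mangled_bytes(payload, sizeof payload));
    return 0;
}
```

The refusal in upper_copy_checked() is the policy choice a client should make
for data broadcast by arbitrary game servers; truncating would keep the
client alive but still accept a malformed reply.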


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/t3cbof.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have repeatedly promised a patch over the last three
months, but none has been released yet.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

