Message-ID: <20040325194443.10e49084.aluigi@altervista.org>
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Remote crash in Etherlords I 1.07 and II 1.03

#######################################################################

                             Luigi Auriemma

Application:  - Etherlords I
                http://www.etherlords.com/etherlords1/
              - Etherlords II
                http://www.etherlords.com
Versions:     Etherlords I   <= 1.07
              Etherlords II  <= 1.03
Platforms:    Windows
Bug:          reading of unallocated memory (crash)
Risk:         medium
Exploitation: remote, versus server and client
Date:         25 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Etherlords is a 3D turn-based game developed by Nival
(http://www.nival.com).
Etherlords I was released in November 2001, while the second game was
released in October 2003.


#######################################################################

======
2) Bug
======


The packet identified by the number 3 is usually sent by the server to
the client and contains a 16-bit value at offset 9 that specifies the
size of the data block that follows it.

If this value is too large, the game also reads the unallocated memory
after the packet and crashes immediately.

The following memcpy() instructions come from Etherlords II 1.03 and
are exactly where the bug happens:

:0076FD4B C1E902                  shr ecx, 02
:0076FD4E F3A5                    rep movsd
:0076FD50 8BCA                    mov ecx, edx
:0076FD52 83E103                  and ecx, 003
:0076FD55 F3A4                    rep movsb

The nice thing is that packet 3 can also be used against the server,
which in fact handles it just as the client does and will crash.
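The defect described above is a length field trusted without being compared to the number of bytes actually received. The C code below is an added example, not part of the advisory or of the game's code: it shows an unchecked handler of the kind the disassembly reflects next to a checked one that rejects any block length larger than the bytes that arrived. The packet layout (packet number in byte 0, little-endian 16-bit length at offset 9, data block from offset 11), the 4096-byte cap and all function names are assumptions made for the example; only the offset and width of the length field come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the example: byte 0 = packet number, 16-bit
   little-endian block length at offset 9 (offset and width as stated
   in the advisory; byte order assumed), data block from offset 11.
   MAX_BLOCK_LEN is an assumed protocol cap, not a value from the game. */
#define PKT_TYPE_3    3
#define LEN_OFFSET    9
#define HDR_LEN       (LEN_OFFSET + 2)
#define MAX_BLOCK_LEN 4096

enum { PKT_OK = 0, PKT_ERR_SHORT = -1, PKT_ERR_TYPE = -2, PKT_ERR_LEN = -3 };

static uint16_t read_len_le16(const uint8_t *pkt)
{
    return (uint16_t)(pkt[LEN_OFFSET] | (pkt[LEN_OFFSET + 1] << 8));
}

/* Unchecked handler, reproducing the fault class from the advisory: it
   trusts the length field and copies that many bytes, so a claimed length
   larger than the bytes received reads past the end of the packet buffer
   (the rep movsd / rep movsb pair in the disassembly does the same).
   Shown for contrast only; nothing in this file calls it. */
void handle_packet3_unchecked(const uint8_t *pkt, uint8_t *out)
{
    memcpy(out, pkt + HDR_LEN, read_len_le16(pkt));   /* over-read */
}

/* Checked handler: pkt_len is the number of bytes actually received. */
int handle_packet3(const uint8_t *pkt, size_t pkt_len,
                   uint8_t *out, size_t out_len, size_t *copied)
{
    if (pkt == NULL || out == NULL || copied == NULL)
        return PKT_ERR_SHORT;
    *copied = 0;
    /* 1. The whole header, including the length field, must be present. */
    if (pkt_len < HDR_LEN)
        return PKT_ERR_SHORT;
    if (pkt[0] != PKT_TYPE_3)
        return PKT_ERR_TYPE;
    uint16_t block_len = read_len_le16(pkt);
    /* 2. The check the game lacks: the claimed block must lie entirely
          inside the received bytes, so the copy never leaves the packet. */
    if (block_len > pkt_len - HDR_LEN)
        return PKT_ERR_LEN;
    /* 3. It must also fit the destination buffer and the protocol cap. */
    if (block_len > out_len || block_len > MAX_BLOCK_LEN)
        return PKT_ERR_LEN;
    memcpy(out, pkt + HDR_LEN, block_len);
    *copied = block_len;
    return PKT_OK;
}

/* Build a constructed packet 3 carrying a 5-byte block, write the given
   claimed length into the header, and hand the first received_len bytes
   to the checked handler. Returns the handler's result code. */
int run_checked_handler(uint16_t claimed_len, size_t received_len)
{
    uint8_t pkt[HDR_LEN + 5] = {0};   /* constructed sample, 16 bytes */
    uint8_t out[64];
    size_t copied = 0;

    pkt[0] = PKT_TYPE_3;
    pkt[LEN_OFFSET] = (uint8_t)(claimed_len & 0xff);
    pkt[LEN_OFFSET + 1] = (uint8_t)(claimed_len >> 8);
    memcpy(pkt + HDR_LEN, "hello", 5);
    if (received_len > sizeof pkt)
        received_len = sizeof pkt;
    return handle_packet3(pkt, received_len, out, sizeof out, &copied);
}

int main(void)
{
    printf("claimed 5, received 16     -> %d\n", run_checked_handler(5, 16));
    printf("claimed 6, received 16     -> %d\n", run_checked_handler(6, 16));
    printf("claimed 65535, received 16 -> %d\n", run_checked_handler(65535, 16));
    printf("claimed 5, received 4      -> %d\n", run_checked_handler(5, 4));
    return 0;
}
```

The decisive line is the comparison of block_len against pkt_len - HDR_LEN; a handler that keys the copy off the header field alone, as the game does, has no way to tell a truthful length from an oversized one. Because the same handler serves both client and server, as the advisory notes, the check belongs in the shared packet-3 path rather than on one side only.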


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/ethboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

