Message-ID: <20040325194443.10e49084.aluigi@altervista.org>
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Remote crash in Etherlords I 1.07 and II 1.03

#######################################################################

                             Luigi Auriemma

Application:  - Etherlords I
                http://www.etherlords.com/etherlords1/
              - Etherlords II
                http://www.etherlords.com
Versions:     Etherlords I  <= 1.07
              Etherlords II <= 1.03
Platforms:    Windows
Bug:          reading of unallocated memory (crash)
Risk:         medium
Exploitation: remote, versus server and client
Date:         25 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Etherlords is a 3D turn-based game developed by Nival
(http://www.nival.com). Etherlords I was released in November 2001,
while the second game was released in October 2003.

#######################################################################

======
2) Bug
======

The packet identified by the number 3 is usually sent by the server to
the client and contains a 16-bit value at offset 9 that specifies the
size of the data block following it. If this number is too big, the
game will also read the unallocated memory after the packet and will
crash immediately.

The following memcpy() instruction comes from Etherlords II 1.03 and is
exactly where the bug happens:

  :0076FD4B C1E902          shr ecx, 02
  :0076FD4E F3A5            rep movsd
  :0076FD50 8BCA            mov ecx, edx
  :0076FD52 83E103          and ecx, 003
  :0076FD55 F3A4            rep movsb

The nice thing is that packet 3 can also be used against the server,
which in fact handles it just as the client does and will crash.
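The missing check described above, as an added example that is not part of the advisory or of the game's code: the declared 16-bit size is compared against the bytes actually received before any copy is done. The little-endian byte order, the type byte at offset 0 and the data block starting at offset 11 are assumptions; only the type number 3, the 16-bit size at offset 9 and the unchecked copy come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: type byte at 0, 16-bit little-endian size at offset 9
 * (from the advisory), data block starting right after the size field. */
#define PKT3_TYPE      3
#define PKT3_SIZE_OFF  9
#define PKT3_DATA_OFF  (PKT3_SIZE_OFF + 2)

/* Copy the data block of a type-3 packet into out (capacity out_cap).
 * Returns the number of bytes copied, or -1 if the packet is malformed. */
int pkt3_copy_block(const uint8_t *pkt, size_t pkt_len,
                    uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || pkt_len < PKT3_DATA_OFF || pkt[0] != PKT3_TYPE)
        return -1;

    uint16_t declared = (uint16_t)(pkt[PKT3_SIZE_OFF] |
                                   (pkt[PKT3_SIZE_OFF + 1] << 8));

    /* The check the game lacks: the declared size must fit inside the
     * bytes actually received, otherwise memcpy() reads past the packet
     * buffer and into unallocated memory. */
    if (declared > pkt_len - PKT3_DATA_OFF)
        return -1;

    /* Also bound the copy by the destination so the write side is safe. */
    if (declared > out_cap)
        return -1;

    memcpy(out, pkt + PKT3_DATA_OFF, declared);
    return (int)declared;
}

/* Constructed sample packets: a well-formed one carrying 4 data bytes, and
 * one whose size field (0xFFFF) exceeds the 4 bytes that follow it. */
static const uint8_t sample_ok[]  = {3,0,0,0,0,0,0,0,0, 0x04,0x00, 'a','b','c','d'};
static const uint8_t sample_bad[] = {3,0,0,0,0,0,0,0,0, 0xFF,0xFF, 'a','b','c','d'};

/* Helpers returning the parser's verdict on each sample. */
int demo_ok(void)  { uint8_t o[16]; return pkt3_copy_block(sample_ok,  sizeof sample_ok,  o, sizeof o); }
int demo_bad(void) { uint8_t o[16]; return pkt3_copy_block(sample_bad, sizeof sample_bad, o, sizeof o); }
```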
#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/ethboom.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from developers.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org