lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041008191120.0f983e81.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Limited \secure\ buffer-overflow in some old Monolith games

#######################################################################

                             Luigi Auriemma

Applications: Some old games developed by Monolith
              http://www.lith.com
Versions:     - Alien versus Predator 2                      <= 1.0.9.6
              - Blood 2                                      <= 2.1
              - No one lives forever                         <= 1.004
              - Shogo                                        <= 2.2
Platforms:    Windows
Bug:          limited buffer overflow
Exploitation: remote, versus server
Date:         08 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain have been released
before the 2002 but are still very played online.


#######################################################################

======
2) Bug
======


The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.

The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/lithsec.zip


#######################################################################

======
4) Fix
======


No official fix, probably these games are no longer supported and,
however, I have received no reply from the developers.

Fortunately creating a work-around for this bug is very easy because is
only needed to set the "secure" string to NULL.
The following are my unofficial patches:

 Alien versus Predator 2   1.0.9.6
    http://aluigi.altervista.org/patches/avp2-1096-fix.zip

 Blood 2                   2.1
    http://aluigi.altervista.org/patches/blood2-21-fix.zip

 No one lives forever      1.004
    http://aluigi.altervista.org/patches/nolf1004-fix.zip

 Shogo                     2.2
    http://aluigi.altervista.org/patches/shogo22-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ