lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041123185431.068a86f7.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Broadcast memory corruption in Soldier of Fortune II 1.03

#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://sof2.ravensoft.com
Versions:     <= 1.03 gold
Platforms:    Windows, Linux and MacOS
Bug:          memory corruption
Exploitation: remote, versus server and clients (broadcast)
Date:         23 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released at May 2002.


#######################################################################

======
2) Bug
======


The game is affected by a sprintf() overflow when handles a too big
valid query or reply (in case it acts as server or client), but doesn't
seem possible to execute remote code.

The effects on the server can be the immediate match interruption
(shutdown) caused by the overwriting of some game data or the crash
(that doesn't happen on the Linux dedicated server) depending by the
amount of data received from the attacker.

A worst effect instead happens on clients, in fact the type and the
location of the vulnerability lets a single attacker (visible in the
online master server list) to passively crash any client in the world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/sof2boom.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have not replied to my mails, so I have created a
workaround (limiting from 1024 to 512 the amount of managed data) that
fixes both the client and server bug and can be applied to the Windows
version and to the Linux dedicated server:

  http://aluigi.altervista.org/patches/sof2-103-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ