lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041124191522.39f569b7.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Limited buffer-overflow and arbitrary memory access in Star Wars
 Battlefront 1.11

#######################################################################

                             Luigi Auriemma

Application:  Star Wars Battlefront
              http://www.lucasarts.com/games/swbattlefront/
Versions:     <= 1.11
Platforms:    Windows
              Xbox and Playstation 2 have not been tested
Bugs:         A] limited buffer-overflow in nickname
              B] crash caused by arbitrary memory access
Exploitation: remote, versus server (in-game)
Date:         24 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Star Wars Battlefront is the newest game based on the universe of Star
Wars, is developed by Pandemic Studios (http://www.pandemicstudios.com)
and has been released at September 2004.

This game is available also for Xbox and Playstation 2. The dedicated
server for Playstation 2 runs on Windows and uses the same join
protocol of the PC version, in fact I have tested it and is vulnerable.
Since I'm not able to directly test also these 2 platforms I cannot
confirm if they are vulnerables or not.


#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] limited buffer-overflow in nickname
--------------------------------------

If a client uses a too big nickname causes a limited buffer-overflow in
the server. "Limited" because doesn't seem possible to overwrite
important memory zones and, so, to execute remote code.


------------------------------------------
B] crash caused by arbitrary memory access
------------------------------------------

Exists a strange field in the join request used by this game.
This field is a 32 bits value that must contain a memory offset used to
build the following debug message:

 "player %s had crash at 0x%x\n"

where %s is just the memory address specified by the client.
The effect, naturally, is that an attacker can force the server to
read an unreacheable memory location causing its immediate crash.
I have no idea about why has been used a so stupid and dangerous
method.
Note: this bug doesn't seem to affect the Playstation 2 dedicatd
server.


Both these bugs must be considered in-game bugs (traduced: if the
server is protected with a password, the attacker must know it), simply
because the password field (a 32 bits checksum) is controlled before
the other informations so the packet is rejected if the password
provided by the attacker is wrong.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/fakep/swbfp.zip


A] swbfp -s 100 localhost

sends a nickname of 100 chars to the server


B] swbfp -m 1234 localhost

forces the server to read the data at offset 1234 (0x000004d2)


#######################################################################

======
4) Fix
======


No fix.
My first mail is dated 26 Oct 2004, the developers said to work on the
fixing of the bugs but after all this time and after the release of 2
normal patches (so, not for these bugs) the situation is unknown...
useless to ask the status of the patch to Pandemic, my latest two
"keep-alive" mails have been completely ignored.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ