lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050106184524.40026fbd.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Socket unreacheable in Amp II engine


#######################################################################

                             Luigi Auriemma

Application:  Amp II 3D engine
              http://www.4drulers.com/amp.html
Versions:     any version since there is no patch available
Games:        Gore: Ultimate Soldier <= 1.50
              ... possibly others ...
Platforms:    Windows
Bug:          socket unreacheable
Exploitation: remote, versus server
Date:         06 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Amp II engine is a game engine developed by 4d Rules
(http://www.4drulers.com) and Slam Software
(http://www.slamsoftware.com).
The only game released using this engine seems to be Gore
(http://www.4drulers.com/gore/) dated June 2002.


#######################################################################

======
2) Bug
======


The code used by the engine to handle UDP packets is similar to the
following:

  if(select(sock, &read_set, NULL, NULL, &timeout_zero)
    < 0) socket_error();
  ...
  if(ioctlsocket(sock, FIONREAD, &packet_length)
    < 0) socket_error();
  if(packet_length) {
    // read socket data
  }

The problem is just in the if(packet_length) check (meaning "if
packet_length is different than zero") because FIONREAD is used to
retrieve the size of the first packet in the socket's queue so if an
attacker sends an UDP packet of zero bytes to the server, packet_length
will continue to be equal to zero and the if(packet_length) check will
be messed entering in an infinite loop that will handle ever the same
empty UDP packet but without reading its content and freeing the
socket's queue.

In short, an UDP packet of zero bytes is able to silently interrupt the
match on the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/amp2zero.zip


#######################################################################

======
4) Fix
======


The Amp II engine is no longer supported and probably will be released
a patch for Gore in future.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ