lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20071009223156.61d11777.aluigi@autistici.org>
Date: Tue, 9 Oct 2007 22:31:56 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: NULL pointer crash in World in Conflict 1.000


#######################################################################

                             Luigi Auriemma

Application:  World in Conflict
              http://www.worldinconflict.com
Versions:     <= 1.000
Platforms:    Windows
Bug:          access to NULL pointer
Exploitation: remote, versus server
Date:         09 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


World in conflict is a RTS game developed by Massive Entertainment
(http://www.massive.se) and released about a month ago.


#######################################################################

======
2) Bug
======


The server is vulneable to a Denial of Service attack (crash) caused by
the access to a NULL pointer.
The problem happens in the GetMagicNumberString function which takes
the third byte of the data received from the client on the VOIP port
52999 and returns a text string if this value is valid ("ABC" for type
0, "DEF" for 1, "GHI" for 2 and so on) or NULL if it's invalid.
Then the string returned by this function is compared with another one
and here happens the NULL pointer access.


#######################################################################

===========
3) The Code
===========


Connect to the VOIP port of the server (default 52999) with telnet or
netcat and type something like aaaaaaa.
The server will crash immediately.


#######################################################################

======
4) Fix
======


Patch v1.001 (aka Update #001)


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ