Bugtraq mailing list archives

Remote crash of Chaser game <= 1.50


From: Luigi Auriemma <aluigi () altervista org>
Date: Tue, 3 Feb 2004 21:22:51 +0000


#######################################################################

                             Luigi Auriemma

Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          crash (reading of unallocated memory)
Risk:         high
Exploitation: remote, both server and client are vulnerable
Date:         03 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi () altervista org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.


#######################################################################

======
2) Bug
======


The structure of a Chaser packet is like the following:

00 00 00 00 00 ff 00 00
   |              |
   |              size of the data starting at offset 14
   16 bit checksum
   http://aluigi.altervista.org/papers/chaser_crc.h

The problem lies in the value specifying the size of the data: it is
trusted as-is, so if it is too big the game reads the whole amount of
data specified and runs into an unallocated memory region, which raises
an exception.
The following is the instruction that causes the crash in the dedicated
server 1.50:

:0050C89F F3A5                    rep movsd
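The following is an added example (not code from Cauldron or from the original advisory) modelling the bug described above: a receiver that copies as many bytes as the packet's size field claims, next to one that first checks that claim against the number of bytes actually received. Field widths and offsets are assumptions for illustration (a 16-bit little-endian size at offset 5, data at offset 14, a 1400-byte scratch buffer); the page only shows the first eight header bytes and says the data starts at offset 14, and the checksum from chaser_crc.h is deliberately not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed header layout (hypothetical, modelled on the advisory's diagram):
 *   bytes 0-1  : 16-bit checksum (not verified here)
 *   bytes 5-6  : 16-bit little-endian length of the data
 *   bytes 14.. : data                                                    */
#define HDR_LEN   14
#define SIZE_OFF  5
#define ARENA_LEN (65536 + HDR_LEN)   /* big enough to observe, not fault on, the over-read */

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable receiver: copies `size` bytes from offset 14 without comparing
 * `size` with pkt_len, the number of bytes actually received. The memcpy is
 * the C counterpart of the rep movsd in the advisory. Returns how many bytes
 * were read past the end of the datagram (0 for an honest packet). The caller
 * must place `pkt` inside a buffer large enough for the excess read to stay in
 * bounds; the real game has no such guarantee, hence the crash.            */
size_t copy_data_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t *dst)
{
    uint16_t size = rd16le(pkt + SIZE_OFF);
    memcpy(dst, pkt + HDR_LEN, size);
    size_t consumed = HDR_LEN + size;
    return consumed > pkt_len ? consumed - pkt_len : 0;
}

/* Hardened receiver: rejects a truncated header, a length larger than what
 * was received, or a length larger than the destination buffer.
 * Returns the number of bytes copied, or -1 on rejection.                  */
int copy_data_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t size = rd16le(pkt + SIZE_OFF);
    if (size > pkt_len - HDR_LEN) return -1;   /* claims more than arrived   */
    if (size > dst_len) return -1;             /* would overflow dst         */
    memcpy(dst, pkt + HDR_LEN, size);
    return (int)size;
}

/* Build a packet with an arbitrary size field and `data_len` real bytes
 * (constructed test input). Returns the total length written.              */
size_t build_packet(uint8_t *buf, uint16_t claimed, const uint8_t *data, size_t data_len)
{
    memset(buf, 0, HDR_LEN);
    buf[SIZE_OFF]     = (uint8_t)(claimed & 0xff);
    buf[SIZE_OFF + 1] = (uint8_t)(claimed >> 8);
    memcpy(buf + HDR_LEN, data, data_len);
    return HDR_LEN + data_len;
}

/* Scenario: a packet carrying 5 real bytes but advertising `claimed` bytes. */
size_t demo_overread(uint16_t claimed)
{
    static uint8_t arena[ARENA_LEN], dst[65536];
    memset(arena, 0, sizeof arena);
    size_t n = build_packet(arena, claimed, (const uint8_t *)"hello", 5);
    return copy_data_unchecked(arena, n, dst);
}

int demo_checked(uint16_t claimed)
{
    static uint8_t arena[ARENA_LEN], dst[65536];
    size_t n = build_packet(arena, claimed, (const uint8_t *)"hello", 5);
    return copy_data_checked(arena, n, dst, sizeof dst);
}

/* Scenario: only 8 header bytes arrived. */
int demo_truncated_header(void)
{
    static uint8_t arena[ARENA_LEN], dst[65536];
    memset(arena, 0, sizeof arena);
    return copy_data_checked(arena, 8, dst, sizeof dst);
}

int main(void)
{
    printf("honest packet:    over-read %zu bytes, checked=%d\n",
           demo_overread(5), demo_checked(5));
    printf("malicious packet: over-read %zu bytes, checked=%d\n",
           demo_overread(0xffff), demo_checked(0xffff));
    printf("truncated header: checked=%d\n", demo_truncated_header());
    return 0;
}
```

The honest packet reads nothing past the datagram, while the one advertising 0xffff bytes makes the unchecked copy walk 65530 bytes beyond the 19 that were received; the checked receiver rejects it before copying. Note that the check must compare against the received length, not just against the destination size: a bound on dst alone still lets the copy source run off the end of the packet buffer.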


#######################################################################

===========
3) The Code
===========


To test the Chaser server:

http://aluigi.altervista.org/poc/chasercrash.zip

The vulnerability also affects the client, but naturally the danger there
is minimal; I have released a proof-of-concept to test this case as
well:

http://aluigi.altervista.org/poc/chaser-client.zip


#######################################################################

======
4) Fix
======


No fix.
Cauldron has not replied to my mails.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

