Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Broadcast memory corruption in Soldier of Fortune II 1

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-Disclosure] Broadcast memory corruption in Soldier of Fortune II 1.03
Date: Tue, 23 Nov 2004 18:54:31 +0000 

#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://sof2.ravensoft.com
Versions:     <= 1.03 gold
Platforms:    Windows, Linux and MacOS
Bug:          memory corruption
Exploitation: remote, versus server and clients (broadcast)
Date:         23 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released at May 2002.


#######################################################################

======
2) Bug
======


The game is affected by a sprintf() overflow when handles a too big
valid query or reply (in case it acts as server or client), but doesn't
seem possible to execute remote code.

The effects on the server can be the immediate match interruption
(shutdown) caused by the overwriting of some game data or the crash
(that doesn't happen on the Linux dedicated server) depending by the
amount of data received from the attacker.

A worst effect instead happens on clients, in fact the type and the
location of the vulnerability lets a single attacker (visible in the
online master server list) to passively crash any client in the world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/sof2boom.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have not replied to my mails, so I have created a
workaround (limiting from 1024 to 512 the amount of managed data) that
fixes both the client and server bug and can be applied to the Windows
version and to the Linux dedicated server:

  http://aluigi.altervista.org/patches/sof2-103-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Broadcast memory corruption in Soldier of Fortune II 1.03, Luigi Auriemma <=
Previous by Date:  [Full-Disclosure] Prozilla Remote Exploit, Serkan Akpolat
Next by Date:  Re: Changes to the filesystem while find is running - comments?, James Youngman
Previous by Thread:  [Full-Disclosure] Prozilla Remote Exploit, Serkan Akpolat
Next by Thread:  [Full-Disclosure] [USN-31-1] cyrus21-imapd vulnerabilities, Martin Pitt
Indexes:  [Date] [Thread] [Top] [All Lists]