[Full-Disclosure] Off-by-one bug in Halo 1.04

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 09/09/04

    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com
    Date: Thu, 9 Sep 2004 20:05:51 +0000
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Halo: Combat Evolved
                  http://www.bungie.net/Games/HaloPC/
    Versions: <= 1.4
    Platforms: Windows and MacOS
    Bug: off-by-one (Denial of Service)
    Risk: medium/high
    Exploitation: remote, versus server
    Date: 09 September 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Halo is the widely known game originally developed by Bungie Studios
    and ported to PC by Gearbox Software (http://www.gearboxsoftware.com).
    It was released in September 2003.

    #######################################################################

    ======
    2) Bug
    ======

    Halo uses the Gamespy SDK, and in particular the handshake algorithm
    provided by this library (http://aluigi.altervista.org/papers/gssdkcr.h),
    to let players join servers.

    The off-by-one bug is in the server's handling of the client's response
    (the last stage of this handshake): a response longer than 32 bytes
    crashes the server immediately.
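    The advisory gives only the symptom (a response longer than 32 bytes), not the server code. The following is an added illustration of the bug class, not Halo's or Gamespy's code: a hypothetical bound check on a 32-byte response buffer that is off by one, beside the corrected check. The out-of-bounds terminator write is reported rather than performed, so the model is safe to run.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model (not Halo's actual code): the server keeps the client's
   handshake response in a buffer sized for the 32-byte maximum plus a NUL. */
#define RESP_MAX 32

enum resp_result { RESP_ACCEPT, RESP_REJECT, RESP_OVERFLOW };

/* Off-by-one variant: the check compares against the whole buffer size, so a
   33-byte response passes, fills the buffer completely, and the terminator
   would land one byte past its end. The model reports that instead of
   writing it, which is why a second check precedes the copy. */
enum resp_result store_response_offbyone(const unsigned char *data, size_t len)
{
    char buf[RESP_MAX + 1];

    if (len > sizeof(buf))          /* bug: allows len == sizeof(buf) */
        return RESP_REJECT;
    if (len + 1 > sizeof(buf))      /* buf[len] would be out of bounds */
        return RESP_OVERFLOW;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return RESP_ACCEPT;
}

/* Hardened variant: the bound is expressed in terms of the payload maximum,
   which always leaves room for the terminator, so no second check is needed. */
enum resp_result store_response_fixed(const unsigned char *data, size_t len)
{
    char buf[RESP_MAX + 1];

    if (len > RESP_MAX)
        return RESP_REJECT;
    memcpy(buf, data, len);
    buf[len] = '\0';
    return RESP_ACCEPT;
}
```

The difference between the two checks is exactly one byte: a 32-byte response is accepted by both, a 33-byte one is rejected by the fixed version and would corrupt memory in the other.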

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/haloboom.zip

    #######################################################################

    ======
    4) Fix
    ======

    Patch 1.05 for both Win32 and MacOS.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

