Broadcast memory corruption in Soldier of Fortune II 1.03

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 11/23/04

    Date: Tue, 23 Nov 2004 18:54:31 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com, vuln@secunia.com

    #######################################################################

                                 Luigi Auriemma

    Application: Soldier of Fortune II
                  http://sof2.ravensoft.com
    Versions: <= 1.03 gold
    Platforms: Windows, Linux and MacOS
    Bug: memory corruption
    Exploitation: remote, versus server and clients (broadcast)
    Date: 23 November 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Soldier of Fortune II is a widely played FPS game developed by Raven
    Software (http://www.ravensoft.com) and released in May 2002.

    #######################################################################

    ======
    2) Bug
    ======

    The game is affected by a sprintf() overflow when it handles a too big
    valid query or reply (in case it acts as server or client), but it
    doesn't seem possible to execute remote code.

    The effects on the server can be the immediate match interruption
    (shutdown) caused by the overwriting of some game data or the crash
    (that doesn't happen on the Linux dedicated server) depending on the
    amount of data received from the attacker.

    A worse effect instead happens on clients; in fact the type and the
    location of the vulnerability let a single attacker (visible in the
    online master server list) passively crash any client in the world.

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/sof2boom.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    The developers have not replied to my mails, so I have created a
    workaround (limiting from 1024 to 512 the amount of managed data) that
    fixes both the client and server bug and can be applied to the Windows
    version and to the Linux dedicated server:

      http://aluigi.altervista.org/patches/sof2-103-fix.zip

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org
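The bug class described in section 2, as an added example that is not code from the advisory or from the game: a fixed-size reply buffer filled with sprintf() beside a hardened handler that caps the accepted query at 512 bytes (the limit the author's workaround applies) and formats with snprintf(). The buffer sizes, the `reply:` prefix and the function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_BUF 1024   /* assumed fixed reply buffer for this example */
#define MAX_QUERY 512    /* cap on accepted query bytes, mirroring the 1024 -> 512 workaround */
/* The vulnerable pattern the advisory describes (assumed shape, not the
 * game's code): the query is formatted into a fixed buffer with sprintf(),
 * so a query longer than the buffer overwrites whatever follows it. */
void build_reply_unsafe(char *out, const char *query)
{
    sprintf(out, "reply:%s", query);     /* no bound on strlen(query) */
}
/* Hardened form: reject oversized queries before formatting, then use
 * snprintf() with an explicit length so the buffer cannot be overrun even
 * if the check is ever wrong.  Returns the reply length, or -1 on rejection. */
int build_reply_safe(char *out, size_t outlen, const char *query, size_t qlen)
{
    if (qlen > MAX_QUERY)
        return -1;                       /* oversized: drop the packet */
    /* %.*s reads at most qlen bytes, so the raw datagram need not be NUL-terminated */
    int n = snprintf(out, outlen, "reply:%.*s", (int)qlen, query);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                       /* would truncate: fail closed */
    return n;
}
/* Helpers that return results so behaviour can be checked without printing. */
int demo_short_query(void)
{
    char r[REPLY_BUF];
    return build_reply_safe(r, sizeof r, "getstatus", 9);        /* 15 */
}

int demo_oversized_query(void)
{
    char r[REPLY_BUF], q[2000];
    memset(q, 'A', sizeof q);            /* constructed 2000-byte query */
    return build_reply_safe(r, sizeof r, q, sizeof q);            /* -1 */
}

int demo_small_buffer(void)
{
    char r[8];                           /* reply buffer too small for the output */
    return build_reply_safe(r, sizeof r, "getstatus", 9);        /* -1 */
}

int main(void)
{
    printf("%d %d %d\n", demo_short_query(), demo_oversized_query(), demo_small_buffer());
    return 0;
}
```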

