[Full-disclosure] Heap overflow in Skulltag 0.97d-beta4.1

---

• From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
• Date: Fri, 24 Aug 2007 01:19:47 +0200

---

#######################################################################

Luigi Auriemma

Application: Skulltag
http://www.skulltag.com
Versions: <= 0.97d-beta4.1
Platforms: Windows and Linux
Bug: heap-overflow
Exploitation: remote, versus server
Date: 23 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Skulltag is a well known and played Doom engine mainly based on Zdoom
(but not open source as it) and focused on online gaming.


#######################################################################

======
2) Bug
======


The game is vulnerable to a heap overflow located in the function which
performs the huffman decompression of the incoming packets, allowing
possible malicious code execution through a single UDP packet.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/skulltaghof.zip


#######################################################################

======
4) Fix
======


No fix.
Developers have not been contacted since one year ago the format string
vulnerability I reported to them was handled as a normal bug and the
patch was released some months after my advisory.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Prev by Date: [Full-disclosure] rPSA-2007-0169-1 xterm
• Next by Date: [Full-disclosure] Multiple denial of service in Soldat 1.4.2/2.6.2
• Previous by thread: [Full-disclosure] rPSA-2007-0169-1 xterm
• Next by thread: [Full-disclosure] Multiple denial of service in Soldat 1.4.2/2.6.2
• Index(es):
  • Date
  • Thread

---

Relevant Pages Heap overflow in Skulltag 0.97d-beta4.1 ... Luigi Auriemma ... Bug ... Fix ... Skulltag is a well known and played Doom engine mainly based on Zdoom ... (Bugtraq) [Full-disclosure] Server freezed in Skulltag 0.97d2-RC2 ... Luigi Auriemma ... Exploitation: remote, versus server ... Bug ... Skulltag is a port of the original Doom mainly focused on multiplayer ... (Full-Disclosure) Server freezed in Skulltag 0.97d2-RC2 ... Luigi Auriemma ... Exploitation: remote, versus server ... Bug ... Skulltag is a port of the original Doom mainly focused on multiplayer ... (Bugtraq) [Full-disclosure] Buffer-overflow in ASUS Remote Console 2.0.0.24 ... Luigi Auriemma ... Application: ASUS Remote Console ... Bug ... Fix ... (Full-Disclosure) Buffer-overflow in ASUS Remote Console 2.0.0.24 ... Luigi Auriemma ... Application: ASUS Remote Console ... Bug ... Fix ... (Bugtraq)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2007-08