[NEWS] Buffer Overflow In Soldier Of Fortune II

From: SecuriTeam (support_at_securiteam.com)
Date: 03/22/05

  • Next message: SecuriTeam: "[NEWS] GIMP Denial Of Service Vulnerability (GIF Zero Width or Height )" 
    To: list@securiteam.com
Date: 22 Mar 2005 19:08:52 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Buffer Overflow In Soldier Of Fortune II
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.ravensoft.com> Soldier of Fortune II is a widely played FPS
    game released in May 2002.

    The Soldier of Fortune II game server can be crashed by sending a big
    cl_guid value.

    DETAILS

    Vulnerable Systems:
     * Soldier Of Fortune II Version 1.03 gold and lower.

    Sending the server a request with a big cl_guid value can crash the game
    server.

    Exploit Code:
    An exploit code for this vulnerability can be found at:
     <http://aluigi.altervista.org/poc/sof2guidboom.zip>
    http://aluigi.altervista.org/poc/sof2guidboom.zip

    Vendor Status:
    The game is still "officially" unpatched from months so it can be declared
    no longer supported.
    An unofficial work-around only for the Windows version can be found here:
    <http://aluigi.altervista.org/patches/sof2-103-guidfix.zip>
    http://aluigi.altervista.org/patches/sof2-103-guidfix.zip
    The workaround checks the length of the cl_guid value and reject clients
    that send a value bigger than 64 bytes (the max size of the cl_guid
    buffer).

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] GIMP Denial Of Service Vulnerability (GIF Zero Width or Height )"

    Relevant Pages

    • [NT] Multiple vulnerabilities in Hired Team: Trial
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Hired Team is a nice FPS game developed by New Media ... allows an attacker to join a server (that doesn't have password support, ... Each time a new player joins, the server assigns an UDP port to him ...
      (Securiteam)
    • [NT] Soldier of Fortune II Broadcast Memory Corruption Bug
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A denial of service attack is possible on the server when issuing a very ... The game is affected by a sprintfoverflow when handling a very big ... int main{ ...
      (Securiteam)
    • [NT] Server Termination in Scrapland
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The main problem of the game is that the server terminates after any error ... int main{ ...
      (Securiteam)
    • [NEWS] Gamespy SDK Cd-Key Validation Toolkit Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Gamespy's CDKey validation toolkit is an SDK ... The problem begins by an overly long reply sent by the game client to the ... int main{ ...
      (Securiteam)
    • [NT] Yager Multiple Vulnerabilities (Multiple Buffer Overflows and DoS)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The game Yager contains multiple buffer overflows that allow attackers to ... Data Block Buffer Overflow: ...
      (Securiteam)