Medieval Total War <= 1.1 broadcast crash

From: Luigi Auriemma (aluigi_at_altervista.org)
Date: 10/07/03

    Date: Tue, 7 Oct 2003 17:33:21 +0000
    To: bugtraq@securityfocus.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Medieval Total War
                  http://www.totalwar.com
    Versions: <= 1.1
    Platforms: Windows
    Bug: Remote crash of server and attached clients caused by
                  long nickname
    Risk: Low/Medium
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Medieval Total War is a real-time strategy game for the PC, developed by
    Creative Assembly.

    #######################################################################

    ======
    2) Bug
    ======

    MTW players can reach the server only at one specific moment, not while
    the game itself is running: the Lobby screen shown before the match
    starts, where all the players join.

    The bug is in the handling of the nicknames sent by the clients: a
    nickname of 76 or more Unicode characters causes the immediate crash of
    the server and of all the connected clients.

    The problem appears to be an access to unreachable memory; the following
    is the instruction where the crash happens (using 76 chars):

    :0x6b96f8 mov eax,DWORD PTR [edx]

    Both EAX and EDX are equal to 0.

    Longer nicknames cause exceptions at other instructions, but the problem
    is always an access to unreachable memory.

    In my tests it doesn't seem possible to execute code, because the
    registers that are overwritten by the data are not important for
    changing the execution flow.

    Side note: on Win98SE I have seen that a very long nickname (at least
    250 Unicode chars) causes a blue screen of death.

    #######################################################################

    ===========
    3) The Code
    ===========

    I have written a simple proof-of-concept that also lets you specify the
    number of Unicode chars to use in the nickname field.
    Use a number greater than or equal to 76:

    http://aluigi.altervista.org/poc/mtwdos-server.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    I contacted Creative Assembly many months ago, but they didn't have the
    resources to patch these bugs.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

