Off-by-one bug in Halo 1.04

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 09/09/04

Next message: Criolabs: "SQL-Injection in Subjects 2.0 for Postnuke"

Previous message: http-equiv_at_excite.com: "Re: FW: [Unpatched] Shell and Drag'n'Drop vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 9 Sep 2004 20:05:51 +0000
To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com

#######################################################################

Luigi Auriemma

Application: Halo: Combat Evolved
              http://www.bungie.net/Games/HaloPC/
Versions: <= 1.4
Platforms: Windows and MacOS
Bug: off-by-one (Denial of Service)
Risk: medium/high
Exploitation: remote, versus server
Date: 09 September 2004
Author: Luigi Auriemma
              e-mail: aluigi@altervista.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the widely known game originally developed by Bungie Studios
and ported on PC by Gearbox Software (http://www.gearboxsoftware.com).
It has been released in September 2003.

#######################################################################

======
2) Bug
======

Halo uses the Gamespy SDK and moreover the handshake algorithm provided
in this library (http://aluigi.altervista.org/papers/gssdkcr.h) to let
players to join servers.

The off-by-one bug is located just in the client's response (the last
stage of this handshake) because if it is longer than 32 bytes causes
the immediate crash of the server.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/haloboom.zip

#######################################################################

======
4) Fix
======

Patch 1.05 for both Win32 and MacOS.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org

Next message: Criolabs: "SQL-Injection in Subjects 2.0 for Postnuke"

Previous message: http-equiv_at_excite.com: "Re: FW: [Unpatched] Shell and Drag'n'Drop vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-Disclosure] Off-by-one bug in Halo 1.04
... Exploitation: remote, versus server ... Bug ... Fix ... Halo is the widely known game originally developed by Bungie Studios ...
(Full-Disclosure)
Off-by-one bug in Halo 1.04
... Exploitation: remote, versus server ... Bug ... Fix ... Halo is the widely known game originally developed by Bungie Studios ...
(Full-Disclosure)
Need for Speed Hot pursuit 2 <= 242 clients buffer overflow
... Bug ... Fix ... long string in the informations replied by the server. ... the clients automatically request informations to the ...
(Bugtraq)
[Full-disclosure] Format string bug in Skulltag 0.96f
... Bug ... Fix ... The server is affected by a format string vulnerability exploitable ... The exploitation happens "outside" the server so there are no banning ...
(Full-Disclosure)
[Full-Disclosure] Crash in Lords of the Realm III 1.01
... Exploitation: remote, versus server ... Bug ... Fix ...
(Full-Disclosure)