Limited \secure\ buffer-overflow in some old Monolith games

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 10/08/04

    Date: Fri, 8 Oct 2004 19:11:20 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com, vuln@secunia.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Applications: Some old games developed by Monolith
                  http://www.lith.com
    Versions: - Alien versus Predator 2 <= 1.0.9.6
                  - Blood 2 <= 2.1
                  - No one lives forever <= 1.004
                  - Shogo <= 2.2
    Platforms: Windows
    Bug: limited buffer overflow
    Exploitation: remote, versus server
    Date: 08 October 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Monolith is the developer of the well-known Lithtech engine.
    The games affected by the bug described here were released before 2002
    but are still widely played online.

    #######################################################################

    ======
    2) Bug
    ======

    The bug is a classic buffer overflow triggered when an attacker sends a
    \secure\ Gamespy query followed by at least 68 characters.

    What limits this vulnerability is the set of bytes that can reach the
    small buffer: only values from 0x20 to 0x7f are allowed, while the others
    are discarded during some internal steps. The overflow is therefore
    controlled with printable ASCII only, which rules out raw addresses or
    opcodes outside that range.
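    The handler described above, modelled in C as an added example that is
    not part of the advisory or of the Lithtech engine. The buffer size (68
    bytes, chosen so that the advisory's threshold of 68 characters is
    exactly where the write leaves the buffer), the struct layout with a
    canary field after the buffer, and all function names are assumptions;
    the advisory gives none of them. The block builds the trigger query,
    places the unbounded copy beside a bounds-checked replacement, and models
    the 0x20-0x7f filter that makes the overflow "limited" (a NUL or an x86
    NOP 0x90 in the payload never reaches the buffer).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions (not from the advisory): the argument of a "\secure\" query is
 * stored in a 68-byte buffer, so 67 characters plus the NUL fit and 68 do
 * not. The advisory only states the 68-character threshold. */
#define SECURE_BUF_LEN 68
#define SECURE_PREFIX  "\\secure\\"
#define CANARY         "GUARD!!"

struct server_state {
    char secure[SECURE_BUF_LEN];
    char canary[8];   /* stands in for whatever the real server keeps after the buffer */
};

void state_init(struct server_state *s)
{
    memset(s, 0, sizeof *s);
    memcpy(s->canary, CANARY, sizeof CANARY);
}

int canary_intact(const struct server_state *s)
{
    return memcmp(s->canary, CANARY, sizeof CANARY) == 0;
}

/* Model of the internal step the advisory describes: only bytes 0x20..0x7f
 * reach the buffer, everything else is discarded. Returns the bytes kept. */
size_t keep_printable(const uint8_t *in, size_t n, char *out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept + 1 < cap; i++)
        if (in[i] >= 0x20 && in[i] <= 0x7f)
            out[kept++] = (char)in[i];
    out[kept] = '\0';
    return kept;
}

/* Build "\secure\" followed by `fill` copies of `c`. Returns the total length,
 * or 0 if the query does not fit in `out`. */
size_t build_query(char *out, size_t cap, size_t fill, char c)
{
    size_t plen = strlen(SECURE_PREFIX);
    if (plen + fill + 1 > cap) return 0;
    memcpy(out, SECURE_PREFIX, plen);
    memset(out + plen, c, fill);
    out[plen + fill] = '\0';
    return plen + fill;
}

/* Vulnerable pattern: copy the argument up to its NUL terminator without
 * checking the destination size. The copy goes through a byte pointer to the
 * whole struct and is capped at sizeof *s only to keep this demo within
 * defined behaviour; the real bug keeps writing past the buffer. */
int handle_secure_vulnerable(struct server_state *s, const char *query)
{
    size_t plen = strlen(SECURE_PREFIX);
    if (strncmp(query, SECURE_PREFIX, plen) != 0) return -1;
    const char *arg = query + plen;
    char *dst = (char *)s;
    size_t i = 0;
    for (; arg[i] != '\0' && i + 1 < sizeof *s; i++) dst[i] = arg[i];
    dst[i] = '\0';
    return 0;
}

/* Fixed pattern: reject an argument that does not fit, NUL included. */
int handle_secure_fixed(struct server_state *s, const char *query)
{
    size_t plen = strlen(SECURE_PREFIX);
    if (strncmp(query, SECURE_PREFIX, plen) != 0) return -1;
    const char *arg = query + plen;
    size_t n = strlen(arg);
    if (n >= SECURE_BUF_LEN) return -2;
    memcpy(s->secure, arg, n + 1);
    return 0;
}

int main(void)
{
    char query[256];
    struct server_state s;

    build_query(query, sizeof query, 68, 'A');   /* the 68 characters the advisory mentions */

    state_init(&s);
    handle_secure_vulnerable(&s, query);
    printf("vulnerable handler, 68 chars: canary %s\n",
           canary_intact(&s) ? "intact" : "overwritten");

    state_init(&s);
    int rc = handle_secure_fixed(&s, query);
    printf("fixed handler, 68 chars: rc=%d, canary %s\n", rc,
           canary_intact(&s) ? "intact" : "overwritten");

    /* Constructed payload: 'A', NUL, x86 NOP (0x90), '~', 0x80, space. Only
     * the three printable bytes survive the filter. */
    const uint8_t raw[] = { 0x41, 0x00, 0x90, 0x7e, 0x80, 0x20 };
    char kept[16];
    size_t n = keep_printable(raw, sizeof raw, kept, sizeof kept);
    printf("%zu of %zu payload bytes survive the filter: \"%s\"\n",
           n, sizeof raw, kept);
    return 0;
}
```

    The bounds check in handle_secure_fixed is what a source-level fix would
    add. The advisory's own patches (section 4) take a different route and
    simply disable handling of the query by setting the "secure" string to
    NULL.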

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/lithsec.zip

    #######################################################################

    ======
    4) Fix
    ======

    No official fix exists; these games are probably no longer supported and,
    in any case, I have received no reply from the developers.

    Fortunately, creating a work-around for this bug is very easy, since it is
    only necessary to set the "secure" string to NULL.
    The following are my unofficial patches:

     Alien versus Predator 2 1.0.9.6
        http://aluigi.altervista.org/patches/avp2-1096-fix.zip

     Blood 2 2.1
        http://aluigi.altervista.org/patches/blood2-21-fix.zip

     No one lives forever 1.004
        http://aluigi.altervista.org/patches/nolf1004-fix.zip

     Shogo 2.2
        http://aluigi.altervista.org/patches/shogo22-fix.zip

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

