Server termination in Raknet 2.33 (before 30 May 2005)

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 06/05/05

    Date: Sun, 5 Jun 2005 13:23:41 +0200
    To: bugtraq@securityfocus.com

    #######################################################################

                                 Luigi Auriemma

    Application: Raknet network library
                  http://www.rakkarsoft.com
    Versions: <= 2.33 (before 30 May 2005)
                  the bug was introduced in some recent update, but it is
                  not known which version was the first vulnerable one
    Platforms: Windows and Unix
    Bug: server termination and endless loop
    Exploitation: remote, versus server
    Date: 05 June 2005
    Author: Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Raknet is a multi-license (GPL, shareware and commercial) network
    library for games developed by Rakkarsoft.
    It has been used in many open and closed source games, such as those
    developed by nFusion (http://www.n-fusion.com).
    The most recent game of this software house, Elite Warriors: Vietnam
    (http://www.n-fusion.com/nFusion/ewvstory.html), released in March 2005,
    is one of the vulnerable games (versions <= 1.03).
    The older games developed by nFusion are not vulnerable, since they
    use older versions of the library that do not contain the bug.

    #######################################################################

    ======
    2) Bug
    ======

    A UDP packet of 0 bytes is enough to freeze the game server.
    The problem is that when an empty packet is received the server is
    supposed to close the socket and return to the main menu (the first
    bug), but before doing that it enters an endless loop that executes
    Sleep(10) while waiting for the main thread to become active, and that
    loop never terminates.
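The root cause above is a TCP habit applied to UDP: a zero-length recvfrom() result is a legal empty datagram, not a closed socket. The following is an added illustration, not Raknet's code: a receive loop that drops such datagrams and keeps serving, verified by binding on loopback and sending itself a constructed 0-byte datagram followed by a normal one.

```c
/* Added illustration (not Raknet's code). On a UDP socket recvfrom()
 * returning 0 means "an empty datagram arrived", never "peer closed";
 * the hardened loop below simply drops it and keeps serving. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

struct recv_stats { int processed; int empties_dropped; };

/* Drain every datagram queued on sock, classifying each one. */
static struct recv_stats serve_until_idle(int sock) {
    struct recv_stats st = {0, 0};
    struct timeval tv = {1, 0};          /* give up after 1 s of silence */
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    for (;;) {
        char buf[1500];
        ssize_t n = recvfrom(sock, buf, sizeof buf, 0, NULL, NULL);
        if (n < 0) break;                /* timeout or real error: stop the demo */
        if (n == 0) { st.empties_dropped++; continue; } /* the fix: ignore, do not "close" */
        st.processed++;                  /* a real packet: hand it to the protocol layer */
    }
    return st;
}

/* Self-contained demo: bind on loopback, send ourselves the advisory's
 * 0-byte datagram followed by a normal packet (constructed traffic), and
 * check the normal packet is still processed. Returns 1 on success. */
int empty_datagram_does_not_stop_server(void) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return 0;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;                      /* kernel picks a free port */
    socklen_t alen = sizeof a;
    if (bind(s, (struct sockaddr *)&a, alen) < 0 ||
        getsockname(s, (struct sockaddr *)&a, &alen) < 0) { close(s); return 0; }
    sendto(s, "", 0, 0, (struct sockaddr *)&a, alen);      /* the empty datagram */
    sendto(s, "hello", 5, 0, (struct sockaddr *)&a, alen); /* a normal 5-byte packet */
    struct recv_stats st = serve_until_idle(s);
    close(s);
    return st.processed == 1 && st.empties_dropped == 1;
}
```

The same zero-length check is also a cheap detection signal: a burst of 0-byte UDP datagrams to a game port from one source is worth logging, since no legitimate Raknet client sends them.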

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/rakzero.zip

    #######################################################################

    ======
    4) Fix
    ======

    Version 2.33 (05/30/2005).
    The version number has not been changed, so be sure to have the patched
    version released on 30 May 2005 or later.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org
