Endless loop and resources consumption in Halo 1.0.7.0615




#######################################################################

Luigi Auriemma

Application: Halo: Combat Evolved
http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.0.7.0615 (before 30 Jul 2008)
Platforms: Windows
Bugs: A] endless loop
B] resources consumption
Exploitation: remote, versus server
Date: 06 Aug 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Halo is the great FPS game developed by Bungie Studios and ported on PC
by Gearbox Software (http://www.gearboxsoftware.com).
Although it has been released at the end of 2003, it's still one of the
most played games with hundreds of internet servers.


#######################################################################

=======
2) Bugs
=======

---------------
A] endless loop
---------------

The Halo server is affected by a problem in the handling of a type of
packet which can cause the bypassing of a check used to avoid the
reading of data outside the packet.
The result is an endless loop which freezes the application with CPU at
100%.


------------------------
B] resources consumption
------------------------

When a client occupies the player's slot after joininig the match, the
Halo server continues to send packets to it forever because it stops
only if an ICMP "destination unreachable" or a disconnection packet is
received (doesn't exist a timeout, this is the cause of the problem).
This has been tested personally by me and after a week I was still
receiving these packets because many servers have firewalls which block
ICMP and so there is no way to stop this problem except restarting the
server.

If the player has not occupied the slot yet (so before the handshake
performed by the Gamespy SDK), the sending of packets made by the
server is only 60 seconds long.

So if an attacker has disabled the outgoing ICMP packets, which is
default on any Windows with the firewall activated, he can consume a
part of the network bandwidth of the server and mainly its memory with
the consequent possible crash or hanging of the application.
Note that, as already said, a handshake is required for occupying the
slot so is not possible to spoof the packets which instead is possible
for the second method of the 60 seconds.


#######################################################################

===========
3) The Code
===========


A] http://aluigi.org/poc/haloloop3.zip

B] http://aluigi.org/poc/halonso.zip


#######################################################################

======
4) Fix
======


The hotfix released the 30th July 2008 solves these problems.
Note that this hotfix has the same version number of the previous one
released a month before for the haloloop2 bug: 1.0.7.0615.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org



Relevant Pages

  • Re: Diagnose co-location networking problem
    ... it was from the client. ... Actually there's significant indication of lost packets and clues that ... 540 retransmit timeouts ... are you using any packetfiltering on the server? ...
    (freebsd-net)
  • Re: Improving FreeBSD NFS performance (esp. directory updates)
    ... >> I don't think the network is at fault, nor is the server really going ... 155645171 data packets ... discarded for bad header offset fields ... 790 connections established ...
    (freebsd-questions)
  • Re: IP Spoofing
    ... That would be enough if the purpose of the request was e.g. to delete a database by SQL injection. ... You would not need to keep it in 7 packets, merely to send in a TCP window - pretty large these days, BUT you would also need to cut in on an existing ESTABLISHED session. ... it is quite possible to send packets to the server without anything. ...
    (comp.lang.php)
  • Re: Problem with writing fast UDP server
    ... UDP packets per second. ... socket and threads. ... I wrote a simple case test: client and server. ... The maximum theoretical limit is 14,880 frames per ...
    (comp.lang.python)
  • Re: IP Spoofing
    ... That would be enough if the purpose of the request was e.g. to delete a database by SQL injection. ... You would not need to keep it in 7 packets, merely to send in a TCP window - pretty large these days, BUT you would also need to cut in on an existing ESTABLISHED session. ... it is quite possible to send packets to the server without anything. ...
    (comp.lang.php)