#######################################################################

                             Luigi Auriemma

Application:  Codename Eagle
              http://global.dice.se/games/codenameeagle/
Versions:     <= 1.42
Platforms:    Windows
Bug:          socket unreachable
Exploitation: remote, versus server
Date:         11 December 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Codename Eagle is a nice game developed by Refraction Games and
distributed by Take-Two (http://www.take2games.com).
It was released at the end of 1999.

#######################################################################

======
2) Bug
======

The game uses a loop for the interception and the reading of the
socket's data:

    if(ioctlsocket(sock, FIONREAD, &len) < 0) socket_error();   // error
    if(len) {           // if len is different from zero it's ok
        // read socket (recvfrom)
    }

The ioctlsocket() function with FIONREAD is used to find out whether
new data has been received by the socket and how many bytes are queued.
For example, if a client sends a UDP packet of 10 bytes, ioctlsocket()
will find 10 bytes in the socket's queue, so len will contain 10 and
all the needed operations will be performed since len is different from
0. After that, len will be 0 again until new data is received.

The problem happens when an attacker sends a UDP packet of 0 bytes: len
now contains the size of the data received, which is 0, so the if(len)
check fails and ioctlsocket() will return a len of 0 bytes forever,
since the socket's queue is cleared ONLY by calling the recvfrom()
function, which has been bypassed.
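As an added example (not the advisory's or the game's code), the same trap reproduced in C on a POSIX UDP socket: the vulnerable read step gates recvfrom() on FIONREAD exactly as the game does, while the fixed step uses poll() for readability and always calls recvfrom(), which consumes the empty datagram. It assumes Linux FIONREAD semantics on UDP (the length of the head datagram, 0 for an empty one, as the udp(7) man page warns) and working loopback networking; the function names and the 10-byte payload are constructed for the demonstration.

```c
/* Added example, not the advisory's code: the FIONREAD trap on a POSIX UDP socket. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
/* Bind a UDP socket on 127.0.0.1 with a kernel-chosen port; fills *addr. */
static int bind_loopback(struct sockaddr_in *addr) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t alen = sizeof(*addr);
    memset(addr, 0, alen);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (s < 0 || bind(s, (struct sockaddr *)addr, alen) < 0 ||
        getsockname(s, (struct sockaddr *)addr, &alen) < 0) return -1;
    return s;
}

/* Vulnerable step, as in the game: recvfrom() only when FIONREAD reports queued
 * bytes (Linux: length of the head datagram). Returns bytes read, -1 if skipped. */
static int vulnerable_step(int s, char *buf, size_t cap) {
    int len = 0;
    if (ioctl(s, FIONREAD, &len) < 0) return -1;
    if (len) return (int)recvfrom(s, buf, cap, 0, NULL, NULL);
    return -1; /* a 0-byte datagram at the head of the queue is never drained */
}
/* Fixed step: poll() flags readability whatever the size; recvfrom() always runs. */
static int fixed_step(int s, char *buf, size_t cap) {
    struct pollfd pfd = { .fd = s, .events = POLLIN, .revents = 0 };
    if (poll(&pfd, 1, 0) <= 0) return -1;
    return (int)recvfrom(s, buf, cap, 0, NULL, NULL); /* 0 for the empty datagram */
}

/* Queue an empty datagram then a 10-byte one, run the step twice and return the
 * second result: 10 if the queue drained, -1 if wedged, -2 on socket failure. */
static int run_scenario(int (*step)(int, char *, size_t)) {
    struct sockaddr_in srv; char buf[64];
    int s = bind_loopback(&srv), c = socket(AF_INET, SOCK_DGRAM, 0), got;
    if (s < 0 || c < 0) return -2;
    sendto(c, "", 0, 0, (struct sockaddr *)&srv, sizeof srv);
    sendto(c, "0123456789", 10, 0, (struct sockaddr *)&srv, sizeof srv);
    poll(NULL, 0, 20);        /* 20 ms: let loopback delivery settle */
    step(s, buf, sizeof buf); /* first pass meets the empty datagram */
    got = step(s, buf, sizeof buf);
    close(s); close(c);
    return got;
}
```

With the vulnerable step the 10-byte datagram queued behind the empty one is never read, which is the "socket unreachable" condition the advisory describes.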
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ceaglesock.zip

#######################################################################

======
4) Fix
======

No fix.
This game is no longer supported.
I have released a work-around (and I repeat, only a work-around) for
the versions 1.41/1.42:

http://aluigi.org/patches/ceaglesockfix.zip

#######################################################################