#######################################################################

                             Luigi Auriemma

Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: remote, versus clients
Date:         04 Mar 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine and published by
JoWood (http://www.jowood.com) in June 2003.

#######################################################################

======
2) Bug
======

The problem is a buffer-overflow affecting the clients. It happens when
the client handles an oversized nickname of a player that has joined the
server.

The bug is fully exploitable if the attacker controls a malicious server,
but the more interesting exploitation happens when an attacker joins a
legitimate server with a player that has a big name.

What makes this case interesting is that the join packet carries a fixed
signature ("miso") which lands exactly (really unlucky) where the return
address of the bugged function is overwritten. In short, an attacker
cannot use this bug to execute remote code, but he can immediately crash
any client attached to the server he joins. When the server runs in game
mode (so not dedicated) it crashes too, simply because in reality it is
server and client at the same time.

Another interesting detail of the second type of attack is that it also
works against servers protected by a password, without knowing the real
keyword; nothing can be done, however, if the server is full.
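As an added illustration, not Chaser's code and with a hypothetical field layout, this is the bounds check whose absence produces this class of bug: a length-prefixed player-name field parsed in C, with the declared length validated against both the remaining packet and the destination buffer before anything is copied.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NICK_MAX 32   /* assumed size of the client's nickname buffer (hypothetical) */

/* Assumed field layout (hypothetical, not Chaser's real format): [len:1][name:len]. */

/* Returns the number of name bytes copied into `out` (which must hold NICK_MAX
   bytes), or -1 when the field is truncated, oversized, or not printable. */
int parse_player_name(const uint8_t *pkt, size_t pktlen, char *out)
{
    if (pkt == NULL || out == NULL || pktlen < 1)
        return -1;
    size_t n = pkt[0];
    if (n > pktlen - 1)        /* declared length runs past the packet: forged/truncated */
        return -1;
    if (n >= NICK_MAX)         /* the missing check: keep room for the terminating NUL */
        return -1;
    for (size_t i = 0; i < n; i++)   /* names are displayed; drop control bytes */
        if (pkt[1 + i] < 0x20 || pkt[1 + i] == 0x7f)
            return -1;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample packets exercising the three outcomes. */
static const uint8_t pkt_ok[]  = { 5, 'l', 'u', 'i', 'g', 'i' };
static const uint8_t pkt_lie[] = { 10, 'a', 'b' };   /* claims 10 bytes, carries 2 */

/* Self-check: a valid name is accepted; an oversized name and a lying length
   are rejected before the destination buffer is written. Returns 1 on success. */
int self_check(void)
{
    char out[NICK_MAX];
    uint8_t big[1 + 200];              /* 200-byte name, far past NICK_MAX */
    memset(big, 'A', sizeof big);
    big[0] = 200;
    if (parse_player_name(pkt_ok, sizeof pkt_ok, out) != 5) return 0;
    if (strcmp(out, "luigi") != 0) return 0;
    if (parse_player_name(big, sizeof big, out) != -1) return 0;
    if (parse_player_name(pkt_lie, sizeof pkt_lie, out) != -1) return 0;
    return 1;
}
```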
#######################################################################

===========
3) The Code
===========

http://aluigi.org/fakep/chaserfp.zip

This proof-of-concept shows the second method explained above; use the
-d option to enable it.

#######################################################################

======
4) Fix
======

No fix. This game is no longer supported.

#######################################################################