#######################################################################

                             Luigi Auriemma

Application:  FunLabs games
              http://www.funlabs.com
Games:        4X4 Off-road Adventure III
              Cabela's Big Game Hunter 2004 Season
              Cabela's Big Game Hunter 2005
              Cabela's Dangerous Hunts
              Cabela's Deer Hunt 2005 Season
              Revolution
              Secret Service - In harm's Way
              Shadow Force: Razor Unit
              US Most Wanted: Nowhere To Hide
              ... possibly others
Platforms:    Windows
Bugs:         A] socket unreachable
              B] access to unallocated memory
Exploitation: remote, versus server (B partially in-game)
Date:         20 Mar 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


FunLabs is a software house that develops low-cost games, usually
published by Activision (http://www.activisionvalue.com).


#######################################################################

=======
2) Bugs
=======

---------------------
A] socket unreachable
---------------------

The engine reads its asynchronous socket by first calling
ioctlsocket(FIONREAD), which reports the size of the datagram waiting at
the head of the socket's queue, and treats a non-zero result as "a new
packet has arrived". A zero-length UDP datagram is therefore
indistinguishable from an empty queue: if an attacker sends an empty
packet, ioctlsocket keeps returning zero, the engine never dequeues the
empty datagram, and every packet that arrives behind it stays queued.
The server can no longer handle any new packets.

-------------------------------
B] access to unallocated memory
-------------------------------

This bug is partially exploitable in-game. It is triggered when an
attacker sets the two 16-bit numbers inside the join packet to their
maximum values. The server uses them as lengths and copies that amount
of data from the buffer that received the packet into a new one, without
checking them against the size of the packet actually received, so the
copy reads past the end of the shorter source buffer into unallocated
memory. The result is the immediate termination of the server.
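The following C program is an added example, not the advisory's
proof-of-concept and not FunLabs code. It reproduces the socket
behaviour behind bug A on POSIX: a zero-length datagram at the head of
the queue makes FIONREAD report 0 even though a real packet is queued
behind it, while a poll()-based readiness check sees the socket as
readable and a non-blocking recv() drains both datagrams. A Unix-domain
datagram socketpair stands in for the game's UDP socket so that it runs
without a network (Linux's udp(7) man page carries the same warning
about FIONREAD and zero-length datagrams); all function names are the
example's own.

```c
/* Added example: FIONREAD vs poll() on a datagram socket holding a
 * zero-length datagram.  A Unix-domain SOCK_DGRAM pair stands in for the
 * server's UDP socket (assumption made so the demo runs offline). */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Vulnerable check, modelled on the engine's loop: "a packet is waiting"
 * iff FIONREAD reports a non-zero size.  FIONREAD reports the size of the
 * datagram at the HEAD of the queue, so an empty datagram there looks
 * exactly like an empty queue. */
static int has_data_fionread(int fd)
{
    int pending = 0;
    if (ioctl(fd, FIONREAD, &pending) < 0)
        return -1;
    return pending > 0;
}

/* Fixed check: ask whether the descriptor is readable, which is true for
 * any queued datagram regardless of its length. */
static int has_data_poll(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r = poll(&p, 1, 0);
    if (r < 0)
        return -1;
    return (r > 0 && (p.revents & POLLIN)) ? 1 : 0;
}

/* Dequeue every pending datagram without blocking.  On a datagram socket
 * recv() returning 0 means a zero-length datagram, not end-of-stream, so
 * it is counted and consumed like any other. */
static int drain(int fd)
{
    char buf[512];
    int count = 0;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, MSG_DONTWAIT);
        if (n < 0)
            return (errno == EAGAIN || errno == EWOULDBLOCK) ? count : -1;
        count++;
    }
}

/* Scenario from bug A: the attacker sends an empty datagram, then a real
 * client sends a join.  Reports what each check sees and how many
 * datagrams were actually queued.  Returns 0, or -1 on a socket error. */
int demo_empty_datagram(int *fionread_sees_data, int *poll_sees_data, int *queued)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    int server = sv[0], client = sv[1];

    if (send(client, "", 0, 0) < 0 ||        /* attacker: zero-length datagram   */
        send(client, "JOIN", 4, 0) < 0) {    /* legitimate client, stuck behind  */
        close(server);
        close(client);
        return -1;
    }

    *fionread_sees_data = has_data_fionread(server); /* 0: engine sees "nothing" */
    *poll_sees_data     = has_data_poll(server);     /* 1: socket is readable    */
    *queued             = drain(server);             /* 2: both were queued      */

    close(server);
    close(client);
    return 0;
}

/* 1 if the advisory's condition was reproduced (FIONREAD blind, poll not,
 * two datagrams queued), 0 otherwise, -1 on socket error. */
int bug_a_reproduced(void)
{
    int f = -1, p = -1, q = -1;
    if (demo_empty_datagram(&f, &p, &q) < 0)
        return -1;
    return (f == 0 && p == 1 && q == 2) ? 1 : 0;
}

int main(void)
{
    int f, p, q;
    if (demo_empty_datagram(&f, &p, &q) < 0) {
        perror("demo");
        return 1;
    }
    printf("FIONREAD sees data: %d, poll sees data: %d, datagrams queued: %d\n",
           f, p, q);
    return 0;
}
```

The fix is the one the fixed check shows: decide readiness with
select()/poll() (or just call recvfrom() on the non-blocking socket and
treat EWOULDBLOCK as "nothing to do"), never with the byte count from
FIONREAD, and treat a 0-byte recvfrom() as a packet to discard rather
than as "no packet".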
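The following C code is an added example, not from the advisory and not
FunLabs code. It shows the length-handling pattern behind bug B with the
unchecked copy next to the checked one. The join-packet layout used here
(two little-endian 16-bit lengths followed by the two fields they
describe) is an assumption, as are the sample packets and all names; the
advisory does not give the real format. The unchecked parser is only
ever run on the well-formed sample, since on the malicious one it reads
past the buffer, which is the crash the advisory describes.

```c
/* Added example: trusted 16-bit lengths in a join packet (bug B).
 * Layout assumed: [len_a:u16le][len_b:u16le][field a][field b]. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define JOIN_HDR_LEN 4   /* two uint16 lengths (assumed layout) */

struct join_fields {
    unsigned char *a; size_t a_len;
    unsigned char *b; size_t b_len;
};

static uint16_t rd16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

void join_fields_free(struct join_fields *j)
{
    free(j->a); free(j->b);
    j->a = j->b = NULL;
    j->a_len = j->b_len = 0;
}

/* Bytes the server is told to copy, before any validation.  With both
 * lengths at 0xffff this is 131070, far beyond any received datagram. */
size_t join_declared_bytes(const unsigned char *pkt, size_t pktlen)
{
    if (pktlen < JOIN_HDR_LEN) return 0;
    return (size_t)rd16le(pkt) + rd16le(pkt + 2);
}

/* Unchecked form (the advisory's behaviour): the two lengths drive memcpy()
 * straight out of the receive buffer.  With the maximum values it reads
 * ~128 KiB past the end of pkt.  Here for comparison only. */
int parse_join_vuln(const unsigned char *pkt, size_t pktlen, struct join_fields *out)
{
    if (pktlen < JOIN_HDR_LEN) return -1;
    size_t n1 = rd16le(pkt), n2 = rd16le(pkt + 2);
    out->a = malloc(n1 ? n1 : 1);
    out->b = malloc(n2 ? n2 : 1);
    if (!out->a || !out->b) { join_fields_free(out); return -1; }
    memcpy(out->a, pkt + JOIN_HDR_LEN, n1);        /* no check against pktlen */
    memcpy(out->b, pkt + JOIN_HDR_LEN + n1, n2);   /* ditto                   */
    out->a_len = n1; out->b_len = n2;
    return 0;
}

/* Checked form: both lengths are bounded by the bytes actually received
 * before anything is copied.  n1 <= avail is established first so that
 * avail - n1 cannot wrap. */
int parse_join_safe(const unsigned char *pkt, size_t pktlen, struct join_fields *out)
{
    if (pktlen < JOIN_HDR_LEN) return -1;
    size_t n1 = rd16le(pkt), n2 = rd16le(pkt + 2);
    size_t avail = pktlen - JOIN_HDR_LEN;
    if (n1 > avail || n2 > avail - n1) return -1;  /* declared > received: drop */
    out->a = malloc(n1 ? n1 : 1);
    out->b = malloc(n2 ? n2 : 1);
    if (!out->a || !out->b) { join_fields_free(out); return -1; }
    memcpy(out->a, pkt + JOIN_HDR_LEN, n1);
    memcpy(out->b, pkt + JOIN_HDR_LEN + n1, n2);
    out->a_len = n1; out->b_len = n2;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char GOOD_JOIN[] = {
    0x05, 0x00, 0x03, 0x00, 'a', 'l', 'i', 'c', 'e', 'p', 'w', 'd' };
static const unsigned char EVIL_JOIN[] = {
    0xff, 0xff, 0xff, 0xff, 'x', 'x', 'x', 'x' };

/* Each returns 1 when the parser behaves as described above. */
int safe_accepts_good(void)
{
    struct join_fields j;
    if (parse_join_safe(GOOD_JOIN, sizeof GOOD_JOIN, &j) != 0) return 0;
    int ok = j.a_len == 5 && j.b_len == 3 && memcmp(j.b, "pwd", 3) == 0;
    join_fields_free(&j);
    return ok;
}

int vuln_accepts_good(void)
{
    struct join_fields j;
    if (parse_join_vuln(GOOD_JOIN, sizeof GOOD_JOIN, &j) != 0) return 0;
    int ok = j.a_len == 5 && memcmp(j.a, "alice", 5) == 0;
    join_fields_free(&j);
    return ok;
}

int safe_rejects_evil(void)
{
    struct join_fields j;
    return parse_join_safe(EVIL_JOIN, sizeof EVIL_JOIN, &j) == -1;
}
```

The single check in parse_join_safe is the whole fix: every length taken
from the packet is compared with the number of bytes recvfrom() actually
returned, and a packet whose declared sizes exceed that is dropped
instead of copied.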
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/funlabsboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the vendor.


#######################################################################