#######################################################################

Luigi Auriemma

Application:  GEM 3 engine
              http://eng.bestway.com.ua/index.php/game-engine/gem3
Games:        Majesty 2 <= 1.3.336.0
              http://www.majesty2.com
Platforms:    Windows
Bugs:         A] NULL pointer
              B] multiple failed assertions
              C] buffer overflow
Exploitation: remote, versus server
Date:         12 May 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


GEM 3 is the successor of the GEM game engine developed by Best Way
(http://bestway.com.ua).


#######################################################################

=======
2) Bugs
=======


The vulnerabilities are exactly the same ones I reported in the GEM 2
engine here:

  http://aluigi.org/adv/gem2bugs-adv.txt


---------------
A] NULL pointer
---------------

An incomplete type of packet generates a NULL pointer dereference.


-----------------------------
B] multiple failed assertions
-----------------------------

The server can be terminated through various failed assertions caused
by packets with unavailable types of commands and too big or too small
sizes, which raise some exceptions like the following:

  "undefined option type"

Unlike in the GEM 2 engine, it doesn't seem possible to raise the other
exceptions (or I didn't find a way), like "Attempt to read beyond the
stream!" and "Invalid seek location!", but it is instead possible to
silently make the server unable to accept further packets using the
same proof-of-concepts that in GEM 2 caused the first exception
message.


------------------
C] buffer overflow
------------------

Through a particular type of packet it is possible to overwrite some
parts of memory, allowing an attacker to control various registers and
function pointers, with the possibility of executing malicious code.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/gembugs.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
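Added illustration (not part of this advisory, not GEM 3 code): the three bug classes in section 2 are all consequences of trusting a packet's declared type and length before validating them. The hypothetical C parser below shows the input checks a server-side packet reader needs so that an incomplete packet, an unknown command type or an out-of-range length is rejected with an error code instead of dereferencing a NULL handler, tripping an assertion, or copying past a fixed buffer. The wire layout (u16 type, u16 length, payload), the command table and the sample packets are assumptions constructed for this example and do not describe the GEM 3 protocol.

```c
/* Hypothetical defensive packet parser (example code, not GEM 3's).
 * Assumed wire format: u16 type (LE) | u16 len (LE) | len payload bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN     4
#define MAX_PAYLOAD 256   /* size of the fixed buffer a handler copies into */

enum pkt_status {
    PKT_OK = 0,
    PKT_INCOMPLETE,   /* fewer bytes than the header or the declared length */
    PKT_BAD_TYPE,     /* type absent from the command table or unimplemented */
    PKT_BAD_LEN       /* declared length outside the per-type bounds */
};

struct packet {
    uint16_t type;
    uint16_t len;
    const uint8_t *payload;   /* points into the caller's buffer */
};

typedef int (*pkt_handler)(const struct packet *p);

static int handle_ping(const struct packet *p) { (void)p; return 1; }

static int handle_chat(const struct packet *p)
{
    char text[MAX_PAYLOAD + 1];
    /* parse_packet already bounded p->len to MAX_PAYLOAD: no overflow here */
    memcpy(text, p->payload, p->len);
    text[p->len] = '\0';
    return (int)strlen(text);
}

/* Per-type length bounds and handler; NULL marks a reserved/unimplemented
 * type, which must be rejected rather than called (the NULL-pointer case). */
static const struct {
    uint16_t min_len, max_len;
    pkt_handler handler;
} cmd_table[] = {
    [0] = { 0, 0,           handle_ping },
    [1] = { 1, MAX_PAYLOAD, handle_chat },
    [2] = { 0, 0,           NULL        },
};
#define N_CMDS (sizeof cmd_table / sizeof cmd_table[0])

static uint16_t rd16(const uint8_t *b) { return (uint16_t)(b[0] | (b[1] << 8)); }

/* Validates header, type and length against the buffer actually received. */
enum pkt_status parse_packet(const uint8_t *buf, size_t n, struct packet *out)
{
    if (n < HDR_LEN) return PKT_INCOMPLETE;          /* truncated header */
    uint16_t type = rd16(buf);
    uint16_t len  = rd16(buf + 2);
    if (type >= N_CMDS || cmd_table[type].handler == NULL)
        return PKT_BAD_TYPE;                         /* unknown/reserved type */
    if (len < cmd_table[type].min_len || len > cmd_table[type].max_len)
        return PKT_BAD_LEN;                          /* too small or too big */
    if ((size_t)len > n - HDR_LEN) return PKT_INCOMPLETE; /* payload cut off */
    out->type = type;
    out->len = len;
    out->payload = buf + HDR_LEN;
    return PKT_OK;
}

/* Returns the handler's (non-negative) result, or -status if rejected,
 * so the caller can log and drop the packet and keep serving others. */
int process_packet(const uint8_t *buf, size_t n)
{
    struct packet p;
    enum pkt_status st = parse_packet(buf, n, &p);
    if (st != PKT_OK) return -(int)st;
    return cmd_table[p.type].handler(&p);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_CHAT[]     = { 0x01, 0x00, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_PING[]     = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_SHORT[]    = { 0x01, 0x00, 0x05 };                /* header cut off */
static const uint8_t SAMPLE_TRUNC[]    = { 0x01, 0x00, 0x05, 0x00, 'h', 'i' }; /* declares 5, carries 2 */
static const uint8_t SAMPLE_BADTYPE[]  = { 0x07, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_RESERVED[] = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_HUGE[]     = { 0x01, 0x00, 0x00, 0x10 };          /* len = 4096 */

int main(void)
{
    printf("chat -> %d, short -> %d, bad type -> %d, huge -> %d\n",
           process_packet(SAMPLE_CHAT, sizeof SAMPLE_CHAT),
           process_packet(SAMPLE_SHORT, sizeof SAMPLE_SHORT),
           process_packet(SAMPLE_BADTYPE, sizeof SAMPLE_BADTYPE),
           process_packet(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    return 0;
}
```

The design point is that every rejection is an ordinary return value: a malformed packet never reaches a handler, never aborts the process through an assertion, and leaves the parser with no state, so the next packet from another client is processed normally instead of the server going silent.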