#######################################################################

                             Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/halo/default.asp
Versions:     <= 1.04
Platforms:    Windows and MacOS
Bug:          off-by-one (Denial of Service)
Exploitation: remote, versus server
Date:         09 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the widely known game originally developed by Bungie Studios,
ported to PC by Gearbox Software (http://www.gearboxsoftware.com) and
published by Microsoft Games (http://www.microsoft.com/games/).
The game was released in September 2003.

#######################################################################

======
2) Bug
======

UPDATE 02 sep 2007:

Halo is affected by an off-by-one vulnerability caused by the conversion
of the encryption hash received from the client into a hex string. The
conversion uses a buffer of exactly 32 bytes, located just before the
canary value that the exception handler uses to detect buffer overflows.

As already said, the output buffer is 32 bytes long and the game
appends a NULL terminator at the end of the buffer. That terminator
overwrites one byte of the canary value, causing the termination of the
game and the display of the well known error message.

Why doesn't this happen with normal connections too? The answer is
simple: the encryption hash used by Halo for encrypting its packets
always starts with zero bytes, in practice only the last 2 or 3 bytes
are non-zero. When the game receives the packet it reads the first byte
of the hash and, only if it is not zero, performs the hex conversion
explained above.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/haloboom.zip

#######################################################################

======
4) Fix
======

Patch 1.05 for both Win32 and MacOS:
http://www.microsoft.com/games/halo/downloads.asp

#######################################################################
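The following C snippet is an added illustration of the off-by-one
described above and is not code from the advisory or from the game.
It assumes a 16 byte hash (the length that fills 32 hex characters),
a constructed sample hash, and a bounds-checked encoder in place of the
game's own routine. It shows why a 32 byte buffer cannot hold the hex
string plus its NULL terminator, how a defensive encoder refuses such a
buffer instead of writing past it, and the "first byte is zero" check
that keeps normal connections off the vulnerable path.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the hex output buffer the advisory describes: exactly 32 bytes,
 * which is room for 16 hash bytes as hex but not for the trailing NULL. */
#define HALO_HEX_BUF 32

/* Assumption: a 16 byte hash, since 16 bytes encode to exactly 32 hex chars. */
#define HASH_LEN 16

/* Constructed sample hash with a non-zero first byte, so the conversion
 * path runs. Encodes to "abcdef0123456789abcdef0123456789". */
const unsigned char sample_hash[HASH_LEN] = {
    0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89,
    0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89
};

/* Constructed sample resembling what the advisory says normal clients send:
 * leading zero bytes, only the last few bytes non-zero. */
const unsigned char normal_hash[HASH_LEN] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x7f
};

/* Bytes a hex encoding of src_len input bytes needs, NULL included. */
size_t hex_needed(size_t src_len) {
    return src_len * 2 + 1;
}

/* Returns 1 when encoding src_len bytes into a buf_size byte buffer would
 * place the NULL terminator at or past the end of the buffer: this is the
 * off-by-one, the byte that lands on the canary in the advisory. */
int nul_overflows(size_t src_len, size_t buf_size) {
    return src_len * 2 >= buf_size;
}

/* Bounds-checked hex encoder. Returns the number of hex characters written,
 * or -1 without touching dst when dst_size cannot hold the string and NULL. */
int hex_encode(char *dst, size_t dst_size, const unsigned char *src, size_t src_len) {
    static const char digits[] = "0123456789abcdef";
    if (dst == NULL || src == NULL || dst_size < hex_needed(src_len)) {
        return -1;
    }
    for (size_t i = 0; i < src_len; i++) {
        dst[2 * i]     = digits[src[i] >> 4];
        dst[2 * i + 1] = digits[src[i] & 0x0f];
    }
    dst[2 * src_len] = '\0';
    return (int)(2 * src_len);
}

/* Mirrors the condition given in the advisory: the game only converts the
 * hash to hex when its first byte is non-zero. */
int needs_hex_conversion(const unsigned char *hash, size_t len) {
    return len > 0 && hash[0] != 0;
}

/* Encodes sample_hash into a scratch buffer while telling the encoder it has
 * only buf_size bytes (capped at 64). Returns the encoder's result. */
int encode_sample(size_t buf_size) {
    char scratch[64];
    if (buf_size > sizeof(scratch)) {
        buf_size = sizeof(scratch);
    }
    return hex_encode(scratch, buf_size, sample_hash, HASH_LEN);
}

/* Returns 1 when encoding sample_hash into buf_size bytes succeeds and the
 * produced string equals expected, else 0. */
int encode_sample_equals(size_t buf_size, const char *expected) {
    char scratch[64];
    if (buf_size > sizeof(scratch)) {
        buf_size = sizeof(scratch);
    }
    if (hex_encode(scratch, buf_size, sample_hash, HASH_LEN) < 0) {
        return 0;
    }
    return strcmp(scratch, expected) == 0;
}

int main(void) {
    printf("hex of %d bytes needs %zu bytes, game buffer is %d\n",
           HASH_LEN, hex_needed(HASH_LEN), HALO_HEX_BUF);
    printf("NULL lands past a %d byte buffer: %s\n", HALO_HEX_BUF,
           nul_overflows(HASH_LEN, HALO_HEX_BUF) ? "yes" : "no");
    printf("normal client hash converted: %s\n",
           needs_hex_conversion(normal_hash, HASH_LEN) ? "yes" : "no");
    printf("encode into 32 bytes: %d, into 33 bytes: %d\n",
           encode_sample(HALO_HEX_BUF), encode_sample(HALO_HEX_BUF + 1));
    return 0;
}
```

The fix in the encoder is the size check before any write: a 32 byte
destination is rejected, a 33 byte one is accepted, and the canary is
never reached. The same check explains the advisory's observation that
only a hash with a non-zero first byte triggers the crash.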