#######################################################################

                             Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.05
Platforms:    Windows and MacOS
Bug:          crash
Exploitation: remote, versus clients (broadcast)
Date:         22 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the well-known FPS developed by Bungie Studios, ported to PC by
Gearbox Software (http://www.gearboxsoftware.com) and published by
Microsoft Games (http://www.microsoft.com/games/). It was released at
the end of 2003.

#######################################################################

======
2) Bug
======

The problem affects the in-game server browser that clients use to
navigate the list of online servers, and it is caused by the code's own
overrun protections. When these checks find an over-long value in a
server's reply, they return a NULL pointer instead of the original
value, and that NULL is then passed unchecked to wcsncpy(), which
dereferences it and crashes the client.

This is a broadcast client crash: the attacker only needs to run a
server that is visible in the master server list, and every vulnerable
client in the world that browses that list will query the hostile
server and crash, with no further action from the attacker.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/halocboom.zip

#######################################################################

======
4) Fix
======

Version 1.06

#######################################################################
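The pattern described in section 2, as an added example that is not part of the advisory and not taken from Halo's code or from the proof of concept: a length check that returns NULL for an over-long field, a caller that hands that NULL straight to wcsncpy(), and a corrected caller that tests the result first. All names (check_field_len, copy_field_vulnerable, copy_field_fixed, MAX_FIELD) and the two sample server-list fields are hypothetical and constructed for illustration.

```c
/*
 * Added example, not from the advisory or from the game's code.
 * Names and the field size are hypothetical; the sample fields are
 * constructed, one that fits and one that a hostile server could send
 * to exceed the limit.
 */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define MAX_FIELD 32   /* hypothetical maximum length of a server-list field */

/* The "overrun protection": returns the value if it fits, otherwise NULL. */
const wchar_t *check_field_len(const wchar_t *value, size_t max_len)
{
    if (value == NULL || wcslen(value) > max_len)
        return NULL;
    return value;
}

/* Vulnerable caller: the NULL from the check is forwarded unchanged, so an
 * over-long field makes wcsncpy() read from address 0 and the client dies. */
void copy_field_vulnerable(wchar_t *dst, const wchar_t *value)
{
    wcsncpy(dst, check_field_len(value, MAX_FIELD), MAX_FIELD);
    dst[MAX_FIELD] = L'\0';
}

/* Fixed caller: the check result is tested before use; an over-long field
 * is rejected (return -1) and dst is left as an empty string. */
int copy_field_fixed(wchar_t *dst, const wchar_t *value)
{
    const wchar_t *checked = check_field_len(value, MAX_FIELD);
    if (checked == NULL) {
        dst[0] = L'\0';
        return -1;
    }
    wcsncpy(dst, checked, MAX_FIELD);
    dst[MAX_FIELD] = L'\0';
    return 0;
}

/* Constructed server-list fields for the demonstration. */
static const wchar_t *const SHORT_NAME = L"Blood Gulch 24/7";   /* 16 chars */
static const wchar_t *const LONG_NAME =                          /* 40 chars */
    L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void)
{
    wchar_t buf[MAX_FIELD + 1];

    copy_field_vulnerable(buf, SHORT_NAME);   /* fine for a well-formed reply */
    printf("vulnerable, short field: %ls\n", buf);

    printf("fixed, long field: rc=%d\n", copy_field_fixed(buf, LONG_NAME));

    /* copy_field_vulnerable(buf, LONG_NAME) would pass NULL to wcsncpy()
     * and crash, which is the client-side effect the advisory reports. */
    return 0;
}
```

The fix is the one-line discipline the advisory's description implies: a guard that signals failure through its return value is only a guard if every caller checks that value before using it, and a rejected field should be dropped or replaced with an empty string rather than copied.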