#######################################################################

                             Luigi Auriemma

Application:  Medieval Total War
              http://www.totalwar.com
Versions:     <= 1.1
Platforms:    Windows
Bug:          Client's crash and client's directory traversal
Date:         07 Oct 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Medieval Total War is a real-time strategy game available on PC. It is
developed by Creative Assembly (http://www.creative-assembly.co.uk) and
published by Activision (http://www.activision.com), and was released in
August 2002.


#######################################################################

======
2) Bug
======


MTW players have access to the server only at a specific moment and not
during the execution of the game. This moment is the Lobby screen,
before the start of the match, where all the players can join.

The bugs are 2:


A] Client's crash
-----------------

A malicious server can send a long map name (at least 70 unicode chars)
to all the clients that request information from it. When the client
moves the mouse over the server's name in the servers' list, it crashes
immediately.


B] Directory traversal
----------------------

When the client sends a request to the server, the server answers with a
message that also contains the path of a text file needed for the game,
as in the following example:

  "campmap\startpos\Early.txt"

As is easily imagined, the game is vulnerable to a directory traversal
bug: the client uses the server-supplied path as-is, so the server
controls which local file the client opens.
The only "malicious" effects I have found about this bug in this game
are the con\con bug on unpatched Win9x systems
(http://www.microsoft.com/technet/security/bulletin/MS00-017.asp) and a
temporary freeze if the file pointed to by the path is too big.


#######################################################################

===========
3) The Code
===========


A simple proof-of-concept is available here:

  http://aluigi.org/poc/mtw2client.zip


#######################################################################

======
4) Fix
======


No fix.
I have contacted Creative Assembly a lot of months ago but they didn't
have the resources to patch these bugs.


#######################################################################
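Added here as an illustration of the client-side check that is missing, not code from the advisory or from the game: a validator that accepts a server-supplied path such as "campmap\startpos\Early.txt" only if it is a bounded relative path under a fixed data root, and rejects traversal, drive letters, NTFS streams and reserved DOS device names (the con\con case). The root prefix and the length bound are assumptions.

```c
/* Added example, not code from the advisory or from the game: validate a
 * server-supplied relative file path before the client opens it. */
#include <ctype.h>
#include <string.h>

#define MAX_PATH_LEN 128   /* assumed client-side bound, not from the advisory */

/* Return 1 if a path component names a reserved DOS device (CON, PRN, AUX,
 * NUL, COM1-9, LPT1-9), ignoring any extension: "con.txt" still opens CON. */
static int is_dos_device(const char *comp, size_t len) {
    static const char *names[] = {"CON", "PRN", "AUX", "NUL"};
    char up[8];
    size_t i, n = 0;
    for (i = 0; i < len && comp[i] != '.' && n < sizeof up - 1; i++)
        up[n++] = (char)toupper((unsigned char)comp[i]);
    up[n] = '\0';
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(up, names[i]) == 0) return 1;
    return n == 4 && (memcmp(up, "COM", 3) == 0 || memcmp(up, "LPT", 3) == 0)
           && up[3] >= '1' && up[3] <= '9';
}

/* Return 1 if `path` is a safe relative path under `root` (e.g. "campmap\\"),
 * 0 otherwise. Both '\\' and '/' are treated as separators. */
int safe_game_path(const char *path, const char *root) {
    size_t len = strlen(path), rlen = strlen(root), i, k, start;
    if (len == 0 || len > MAX_PATH_LEN) return 0;
    if (strncmp(path, root, rlen) != 0) return 0;   /* must stay under the data root */
    if (strchr(path, ':') != NULL) return 0;        /* drive letters and NTFS streams */
    for (i = 0; i < len; i++)                       /* no control or wildcard characters */
        if ((unsigned char)path[i] < 0x20 || strchr("\"<>|*?", path[i]) != NULL)
            return 0;
    for (start = 0, i = 0; i <= len; i++) {         /* check every component */
        if (i < len && path[i] != '\\' && path[i] != '/') continue;
        if (i == start) return 0;                   /* leading, doubled or trailing separator */
        for (k = start; k < i && path[k] == '.'; k++) {}
        if (k == i) return 0;                       /* ".", "..", "..." */
        if (path[i - 1] == '.' || path[i - 1] == ' ') return 0; /* Windows strips these */
        if (is_dos_device(path + start, i - start)) return 0;
        start = i + 1;
    }
    return 1;
}
```

The same bounding idea applies to the map name from bug A: reject or truncate anything longer than the buffer the client actually allocates instead of copying it blindly.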