#######################################################################

Luigi Auriemma

Application:  Red Faction
              http://www.redfaction.com
Versions:     <= 1.20
Platforms:    Windows, MacOS
Bug:          broadcast client buffer overflow
Exploitation: remote and automatic, versus clients
Date:         01 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Red Faction is a very cool FPS game developed by Volition
(http://www.volition-inc.com) and published by THQ (http://www.thq.com).
It was released in September 2001.

The main and most famous feature of this game is the possibility to
destroy walls and other scenery elements with bombs and rocket
launchers... very funny and relaxing.

#######################################################################

======
2) Bug
======

The problem is a broadcast client buffer overflow.

Each client entering the multiplayer menu of the game first contacts the
master server to learn which game servers are online and then asks each
of them for information.

The reply of the servers contains a NULL-terminated text string
identifying the server name. If this string is 260 characters or longer,
the client is the victim of a buffer overflow caused by the following
memcpy() (from version 1.20):

  :0047B2D8 F3A5                    rep movsd

The attacker on the (passive) server will have full control over any
client.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/rfcbof.zip

#######################################################################

======
4) Fix
======

No fix.
No replies from developers.

#######################################################################
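The length check that the client-side copy in section 2 lacks, as an added example that is not part of the advisory or of the game's code. It assumes the server name sits at offset 0 of the reply (the advisory does not document the reply layout) and uses the advisory's 260-byte bound as the destination size.

```c
#include <stddef.h>
#include <string.h>

#define RF_NAME_MAX 260   /* destination size implied by the advisory's threshold */

/* Result codes for extract_server_name(). */
enum rf_name_status {
    RF_NAME_OK = 0,
    RF_NAME_UNTERMINATED = 1,   /* no NUL inside the received reply */
    RF_NAME_TOO_LONG = 2        /* NUL-terminated, but >= RF_NAME_MAX chars */
};

/*
 * Copy the NUL-terminated server-name field out of a received reply into a
 * caller-provided buffer of RF_NAME_MAX bytes.  The terminator is searched
 * only within the bytes actually received (memchr, not strlen), and the
 * resulting length is checked against the destination before any copy.
 * name_off is an assumed parameter: the offset of the name in the reply.
 */
enum rf_name_status extract_server_name(const unsigned char *reply, size_t reply_len,
                                        size_t name_off, char dst[RF_NAME_MAX])
{
    if (name_off >= reply_len)
        return RF_NAME_UNTERMINATED;
    const unsigned char *start = reply + name_off;
    const unsigned char *nul = memchr(start, '\0', reply_len - name_off);
    if (nul == NULL)
        return RF_NAME_UNTERMINATED;
    size_t name_len = (size_t)(nul - start);   /* excludes the NUL */
    if (name_len >= RF_NAME_MAX)               /* 260 or more: reject, do not copy */
        return RF_NAME_TOO_LONG;
    memcpy(dst, start, name_len + 1);          /* name plus terminator fits */
    return RF_NAME_OK;
}

/*
 * Constructed test input (not real Red Faction traffic): a reply made of
 * n 'A' bytes, followed by a NUL when terminated != 0.  Returns the status
 * the extractor reports for it, or -1 if n does not fit the scratch buffer.
 */
int probe_name_length(size_t n, int terminated)
{
    unsigned char reply[RF_NAME_MAX + 16];
    char name[RF_NAME_MAX];
    if (n + 1 > sizeof reply)
        return -1;
    memset(reply, 'A', n);
    size_t len = n;
    if (terminated)
        reply[len++] = '\0';
    return (int)extract_server_name(reply, len, 0, name);
}
```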