#######################################################################

                             Luigi Auriemma

Application:  S.T.A.L.K.E.R.: Clear Sky
              http://cs.stalker-game.com/en/
Versions:     Clear Sky <= 1.5.10 (aka 1.0010)
              (Shadow of Chernobyl has not been tested)
Platforms:    Windows
Bug:          buffer overflow in cdkey authentication
Exploitation: remote, versus server
Date:         22 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

S.T.A.L.K.E.R. is a well-known FPS game series developed by GSC Game World
(http://www.gsc-game.com), consisting of Shadow of Chernobyl, Clear Sky
and a new sequel (Call of Pripyat) that is close to release.

#######################################################################

======
2) Bug
======

The game is affected by a stack-based buffer overflow located in the
function that handles the cdkey hash sent by the clients for
authentication with the Gamespy master server.
The string contained in the packet is copied by the
xrCore.NET_Packet::r_stringZ function into a buffer of about 128 bytes
without any check on its length, so a longer string overwrites the
stack beyond the buffer.

The attacker needs to join the server to exploit this vulnerability, so
if the server is protected by a password he must know it.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/stalkerbof.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
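The copy pattern described in section 2, as an added example that is not part of the original advisory and is not xrCore code: a hypothetical packet reader with an unchecked NUL-terminated string copy into a 128-byte stack buffer, beside a bounded version that rejects over-long or unterminated strings instead of overflowing or silently truncating. The names packet_t, r_stringZ_unchecked, r_stringZ_bounded and the constructed payloads are assumptions made for the example; only the roughly 128-byte destination comes from the advisory. The unchecked reader is never run on the oversize input (that would be undefined behaviour); its write length is computed instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDKEY_BUF_SIZE 128 /* advisory: destination of "about 128 bytes" */

/* Hypothetical packet cursor; stands in for the real NET_Packet. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} packet_t;

/* Vulnerable pattern: copy until NUL, trusting the sender to fit dst.
 * Nothing bounds the write, so a long string runs past the buffer. */
static void r_stringZ_unchecked(packet_t *p, char *dst)
{
    while (p->pos < p->len) {
        char c = (char)p->data[p->pos++];
        *dst++ = c;
        if (c == '\0')
            return;
    }
    *dst = '\0';
}

/* Hardened pattern: bounded by dst_size and by the remaining payload.
 * Returns the string length on success, -1 if the string would not fit
 * (including its NUL) or has no terminator inside the packet. */
static int r_stringZ_bounded(packet_t *p, char *dst, size_t dst_size)
{
    size_t n = 0;
    if (dst_size == 0)
        return -1;
    while (p->pos < p->len) {
        uint8_t c = p->data[p->pos];
        if (c == '\0') {
            p->pos++;
            dst[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= dst_size) { /* must leave room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[n++] = (char)c;
        p->pos++;
    }
    dst[0] = '\0';
    return -1; /* unterminated: the unchecked reader would read past the packet */
}

/* Bytes the unchecked reader would write for this payload: string plus
 * NUL, or the whole payload plus one if no NUL is present. */
static size_t unchecked_write_len(const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (data[i] == '\0')
            return i + 1;
    return len + 1;
}

/* Constructed sample: a plausible 32-hex-character cdkey hash. */
static const char SAMPLE_OK[] = "0123456789abcdef0123456789abcdef";

static int unchecked_copies_sample(void)
{
    packet_t p = { (const uint8_t *)SAMPLE_OK, sizeof SAMPLE_OK, 0 };
    char buf[CDKEY_BUF_SIZE];
    r_stringZ_unchecked(&p, buf); /* safe: 33 bytes into 128 */
    return strcmp(buf, SAMPLE_OK) == 0;
}

static int hardened_accepts_sample(void)
{
    packet_t p = { (const uint8_t *)SAMPLE_OK, sizeof SAMPLE_OK, 0 };
    char buf[CDKEY_BUF_SIZE];
    return r_stringZ_bounded(&p, buf, sizeof buf);
}

/* Constructed oversize payload: 299 'A' bytes and a NUL, as a client
 * could send in place of the cdkey hash. */
static int hardened_rejects_oversize(void)
{
    uint8_t payload[300];
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    packet_t p = { payload, sizeof payload, 0 };
    char buf[CDKEY_BUF_SIZE];
    return r_stringZ_bounded(&p, buf, sizeof buf);
}

static int unchecked_would_overflow(void)
{
    uint8_t payload[300];
    memset(payload, 'A', sizeof payload - 1);
    payload[sizeof payload - 1] = '\0';
    return unchecked_write_len(payload, sizeof payload) > CDKEY_BUF_SIZE;
}

/* Constructed unterminated payload: 64 'B' bytes, no NUL at all. */
static int hardened_rejects_unterminated(void)
{
    uint8_t payload[64];
    memset(payload, 'B', sizeof payload);
    packet_t p = { payload, sizeof payload, 0 };
    char buf[CDKEY_BUF_SIZE];
    return r_stringZ_bounded(&p, buf, sizeof buf);
}

int main(void)
{
    printf("unchecked copies sample:      %d\n", unchecked_copies_sample());
    printf("hardened accepts sample:      %d\n", hardened_accepts_sample());
    printf("hardened rejects oversize:    %d\n", hardened_rejects_oversize());
    printf("unchecked would overflow:     %d\n", unchecked_would_overflow());
    printf("hardened rejects unterminated:%d\n", hardened_rejects_unterminated());
    return 0;
}
```

The check that matters is the one the unchecked reader lacks: the destination size must bound the copy, and the packet length must bound the read, so that neither a long string nor a missing terminator lets a remote client decide how many bytes land on the server's stack.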