#######################################################################

                             Luigi Auriemma

Application:  War Times
              http://www.lsgames.com
Versions:     <= 1.03
Platforms:    Windows
Bug:          crash (unexploitable buffer-overflow)
Exploitation: remote, versus server (in-game)
Date:         17 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


War Times is a real-time strategy game developed by Legend Studios
(http://www.lsgames.com) and released in March 2004.
The publisher of the game was/is Strategy First
(http://www.strategyfirst.com) but there are some problems with the
developers; the (interesting) facts are explained here:

  http://www.lsgames.com/LS-SFI-termination.doc


#######################################################################

======
2) Bug
======


The problem is caused by the absence of NULL delimiters in the text
strings passed to the server.
In this case, if an attacker passes a nickname of 64 bytes (max data
block size), the server crashes because of a buffer-overflow caused by
the concatenation of this nickname with the IP address of the client.
The exploitation of the buffer-overflow doesn't seem possible.

Note that the server doesn't crash immediately, but only when another
connection is made to it.

The vulnerability is in-game, so the attacker needs to know the server
password if it's protected.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/wartimesboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the vendor.


#######################################################################
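
Added example, not part of the original advisory and not the game's code: a minimal C sketch of the bug class described in section 2, showing a fixed 64-byte field with no terminator being concatenated with the client IP, next to a bounded version. The function names, the 96-byte destination size and the "@" separator are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX 64   /* max data block size stated in the advisory */
#define LABEL_MAX 96   /* assumed destination size (hypothetical) */

/* Weak pattern (shown for contrast, never called): the raw block is treated
   as a C string, so a 64-byte nickname with no NUL makes strcpy/strcat read
   and write past the intended bounds. */
void label_unsafe(char *dst, const char *block, const char *ip)
{
    strcpy(dst, block);
    strcat(dst, "@");
    strcat(dst, ip);
}

/* Hardened: the read is bounded by the block length and the write by the
   destination size. Returns 0 on success, -1 if the input must be rejected;
   dst is left as an empty string on failure. */
int label_safe(char *dst, size_t dstsz, const unsigned char *block,
               size_t blocklen, const char *ip)
{
    size_t n = 0;
    int w;

    if (dstsz == 0) return -1;
    dst[0] = '\0';
    if (blocklen > BLOCK_MAX) return -1;
    while (n < blocklen && block[n] != '\0') n++;   /* bounded strlen */
    /* "%.*s" reads at most n bytes, so no terminator is required */
    w = snprintf(dst, dstsz, "%.*s@%s", (int)n, (const char *)block, ip);
    if (w < 0 || (size_t)w >= dstsz) { dst[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    unsigned char block[BLOCK_MAX];   /* constructed input: 64 bytes, no NUL */
    char label[LABEL_MAX];
    int rc;

    memset(block, 'A', sizeof block);
    rc = label_safe(label, sizeof label, block, sizeof block, "192.0.2.10");
    printf("rc=%d len=%zu\n", rc, strlen(label));
    return 0;
}
```

A server using the bounded form can drop the client when -1 is returned instead of continuing with a truncated name.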