#######################################################################

                             Luigi Auriemma

Application:  Alien versus Predator
              http://www.sega.com/games/aliens-vs-predator/
Versions:     <= 2.22 (build Apr 26 2010)
Platforms:    Windows
Bugs:         A] invalid memory access in packet 0x66
              B] out of memory allocation in packet 0x66
              C] NULL pointer in packet 0x66
              D] NULL pointer in packet 0x0c
              E] invalid memory access in packet 0x0c
Exploitation: remote, versus server
Date:         07 May 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Alien versus Predator (aka avp3) is the recent game developed by
Rebellion (http://rebellion.co.uk) and released in February 2010.

#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] invalid memory access in packet 0x66
---------------------------------------

The packet 0x66 is used for sending the Steam ticket to the server.
The size of the ticket is a 32-bit field read by the server, rounded
up to an alignment of 0x400 for the allocation, and the ticket is then
copied from the packet into the new memory.

If the specified ticket size is bigger than the memory where the source
packet is located (about 1800 bytes), the server crashes while trying
to read past the allocated memory.

There are also some variants caused by the use of negative values
(sometimes it's necessary to resend the packet to see their effects),
which produce other crashes caused by accesses to different places in
memory.

------------------------------------------
B] out of memory allocation in packet 0x66
------------------------------------------

Exactly as above, but if the memory can't be allocated the server
terminates immediately with the following error:

  "***** OUT OF MEMORY! attempted allocation size: %u ****"

------------------------------
C] NULL pointer in packet 0x66
------------------------------

If the packet containing the Steam ticket is smaller than the minimum
expected size (for example 0 bytes), the server crashes due to a NULL
pointer dereference.

------------------------------
D] NULL pointer in packet 0x0c
------------------------------

Another NULL pointer dereference can be triggered with a too-small 0x0c
packet (used for sending chat messages and so on).

---------------------------------------
E] invalid memory access in packet 0x0c
---------------------------------------

The 0x0c packet has a field that contains the number of characters that
make up the chat message sent by the client. The server takes this
32-bit field, checks that it is lower than or equal to 0x800 and then
runs a checksum function over the received chat message using this
size.

The problem is that the packets used by the game have a maximum size of
0x400 bytes, so 0x800 (a limit probably chosen by the developers by
confusing the maximum packet size with the fact that the messages are
16-bit Unicode, so 0x400 * 2) goes past the memory allocated for the
incoming packet. The result is a crash of the server caused by reading
the unallocated memory after the packet.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/avp3dos.zip

#######################################################################

======
4) Fix
======

No fix.

UPDATE 23 Jun 2010:
fixed in 2.26

#######################################################################
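As an added illustration (not part of this advisory and not the game's own code), the following C fragment puts the length check described in bug E beside a hardened parser that validates the character count against the bytes actually received, which also covers the too-short packet of bug D. The packet layout (one opcode byte, a little-endian 32-bit character count, then UTF-16 data) is an assumption made for the example, not the real protocol.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_PACKET   0x400   /* maximum packet size as stated in the advisory */
#define OPCODE_CHAT  0x0c    /* chat packet opcode from the advisory */
#define CHAT_HDR_LEN 5       /* assumed: 1 opcode byte + 4-byte character count */

enum chat_status { CHAT_OK = 0, CHAT_TOO_SHORT, CHAT_BAD_OPCODE, CHAT_LEN_OVERFLOW };

/* The flawed check the advisory describes: a count up to 0x800 is accepted
 * even though the buffer holding the packet is at most 0x400 bytes, so
 * count * 2 bytes of UTF-16 data may lie past the end of the buffer. */
int chat_len_check_weak(uint32_t nchars) {
    return nchars <= 0x800;
}

/* Hardened parser: the count is checked against the bytes that really
 * arrived, and the comparison never multiplies (no integer overflow for
 * huge or "negative" counts). On CHAT_OK, *msg/*msg_bytes describe the
 * UTF-16 payload; any status other than CHAT_OK means "reject the packet". */
enum chat_status parse_chat_packet(const uint8_t *pkt, size_t pkt_len,
                                   const uint8_t **msg, size_t *msg_bytes) {
    if (pkt == NULL || pkt_len > MAX_PACKET) return CHAT_TOO_SHORT;
    if (pkt_len < CHAT_HDR_LEN) return CHAT_TOO_SHORT;           /* bug D case */
    if (pkt[0] != OPCODE_CHAT) return CHAT_BAD_OPCODE;

    uint32_t nchars = (uint32_t)pkt[1] | ((uint32_t)pkt[2] << 8) |
                      ((uint32_t)pkt[3] << 16) | ((uint32_t)pkt[4] << 24);
    size_t avail = pkt_len - CHAT_HDR_LEN;   /* payload bytes actually present */

    /* each character is 2 bytes; compare by dividing the known-small side */
    if (nchars > avail / 2) return CHAT_LEN_OVERFLOW;              /* bug E case */

    if (msg) *msg = pkt + CHAT_HDR_LEN;
    if (msg_bytes) *msg_bytes = (size_t)nchars * 2;
    return CHAT_OK;
}
```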