#######################################################################

                             Luigi Auriemma

Application:  Carsten's 3D Engine
              http://www.ca3d-engine.de
Versions:     <= version March 2004
Platforms:    Windows and Linux
Bugs:         1) format string
              2) crash caused by non-terminated strings
Exploitation: remote, versus server (but probably versus client too)
Date:         03 Mar 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Carsten's 3D Engine (Ca3de) is a game engine written by Carsten Fuchs.


#######################################################################

=======
2) Bugs
=======

----------------
1) format string
----------------

Any command received by the server triggers a format string
vulnerability that can allow an attacker to execute code remotely.


-----------------------------------------
2) crash caused by non-terminated strings
-----------------------------------------

The server is not able to handle text strings received from the
clients that don't contain the NULL delimiter.
That causes an access to a NULL pointer.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ca3dex.zip


#######################################################################

======
4) Fix
======


The fix will be implemented in the upcoming new version, due out in the
next weeks.


#######################################################################
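
The two server-side checks that correspond to the bugs in section 2, as
an added example that is not part of the original advisory and is not
Ca3de's code: client text is checked for a terminator inside the received
bytes before use, and it is only ever passed as an argument to a constant
format string. The packet layout (one type byte followed by text) and the
names packet_string_len and log_command are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample packets (assumed layout: 1 type byte, then text). */
static const unsigned char PKT_OK[]  = "\001say %x.%x";              /* NUL included */
static const unsigned char PKT_BAD[] = { 1, 's', 'a', 'y', ' ', 'h', 'i' }; /* no NUL */

/* Length of the string starting at pkt[off], or -1 when no terminator
   exists inside the received bytes (bug 2: non-terminated strings). */
static long packet_string_len(const unsigned char *pkt, size_t pkt_len, size_t off)
{
    const unsigned char *end;

    if (off >= pkt_len)
        return -1;
    end = memchr(pkt + off, '\0', pkt_len - off);
    return end ? (long)(end - (pkt + off)) : -1;
}

/* Formats a received command into out. Returns bytes written, or -1 if the
   packet is rejected or the output would be truncated. */
static int log_command(char *out, size_t out_len,
                       const unsigned char *pkt, size_t pkt_len, size_t off)
{
    int w;

    if (packet_string_len(pkt, pkt_len, off) < 0)
        return -1;                      /* drop: never read past the packet */
    /* Unsafe pattern (bug 1): snprintf(out, out_len, (const char *)pkt + off);
       client text must be data for a constant format, never the format. */
    w = snprintf(out, out_len, "cmd: %s", (const char *)(pkt + off));
    return (w < 0 || (size_t)w >= out_len) ? -1 : w;
}

int main(void)
{
    char out[64];

    if (log_command(out, sizeof out, PKT_OK, sizeof PKT_OK, 1) > 0)
        puts(out);                      /* specifiers are printed literally */
    if (log_command(out, sizeof out, PKT_BAD, sizeof PKT_BAD, 1) < 0)
        puts("rejected: unterminated string");
    return 0;
}
```

Compiling server code with -Wformat -Wformat-security (GCC or Clang)
flags calls where a non-literal string is used as the format argument.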