#######################################################################

                             Luigi Auriemma

Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          crash (reading of unallocated memory)
Exploitation: remote, both server and client are vulnerable
Date:         03 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine and published by
JoWood (http://www.jowood.com) in June 2003.

#######################################################################

======
2) Bug
======

The structure of a Chaser packet is like the following:

  00 00 00 00 00 ff 00 00
  |              |
  |              size of the data starting at offset 14
  16 bit checksum (http://aluigi.org/papers/chaser_crc.h)

The problem is in the value specifying the size of the data: the game
trusts it and never compares it with the amount of data actually
received. If the value is too big, the game reads the whole amount of
data specified, reaches an unallocated memory zone and raises an
exception. The following is the instruction that causes the crash in the
dedicated server 1.50:

  :0050C89F F3A5                    rep movsd

Note that the resulting out-of-bounds copy doesn't seem exploitable,
because the attacker has no direct control over the value that will be
taken by EIP.

#######################################################################

===========
3) The Code
===========

To test the Chaser server:

  http://aluigi.org/poc/chasercrash.zip

The vulnerability also affects the client, but naturally the danger there
is minimal; I have released a proof-of-concept to test this case too:

  http://aluigi.org/poc/chaser-client.zip

#######################################################################

======
4) Fix
======

No fix.
Cauldron has not replied to my mails.

#######################################################################
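The length bug in section 2 and the check a server would need, as an added example; this is not code from the advisory, from the proof-of-concept archives, or from Cauldron. It assumes a 14-byte header (the advisory only says the data starts at offset 14), a 16-bit little-endian size field at a hypothetical offset SIZE_OFF, and a 1500-byte receive buffer; the real 16-bit checksum from chaser_crc.h is not computed, the field is simply left zero. The packets in it are constructed inline. The unsafe routine mirrors the trusting copy that ends in `rep movsd`; the checked routine bounds the claimed size by what the socket actually delivered.

```c
/* Added example (not from the advisory or from Cauldron): model of the Chaser
 * size-field bug and of the bounds check that prevents the over-read.
 * Assumptions, labelled as such:
 *  - header is CHASER_HDR_LEN = 14 bytes (advisory: data starts at offset 14)
 *  - 16-bit little-endian size field at HYPOTHETICAL offset SIZE_OFF
 *  - the 16-bit checksum (chaser_crc.h) is not reproduced; left as zero
 *  - receive buffer of CHASER_MAX_PKT bytes (assumed, one Ethernet MTU) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHASER_HDR_LEN 14   /* payload starts at offset 14 (from the advisory) */
#define SIZE_OFF       5    /* assumed offset of the 16-bit size field        */
#define CHASER_MAX_PKT 1500 /* assumed size of the UDP receive buffer         */

enum { CHASER_OK = 0, CHASER_ERR_SHORT = -1, CHASER_ERR_SIZE = -2 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Build a packet whose size field claims `claimed` bytes while really carrying
 * `payload_len` bytes (claimed > payload_len is the crash case).
 * Returns the number of bytes written, 0 if `out` is too small. */
size_t chaser_build(uint8_t *out, size_t cap, uint16_t claimed,
                    const uint8_t *payload, size_t payload_len)
{
    if (cap < CHASER_HDR_LEN + payload_len) return 0;
    memset(out, 0, CHASER_HDR_LEN);          /* checksum field stays zero */
    wr16le(out + SIZE_OFF, claimed);
    memcpy(out + CHASER_HDR_LEN, payload, payload_len);
    return CHASER_HDR_LEN + payload_len;
}

/* The vulnerable pattern: trust the size field and copy that many bytes,
 * which is what the `rep movsd` at 0050C89F ends up doing.  With claimed
 * larger than what was received the copy walks past the receive buffer
 * into unmapped memory.  Kept only for contrast: never call on peer data. */
size_t chaser_copy_unsafe(const uint8_t *pkt, uint8_t *dst)
{
    uint16_t n = rd16le(pkt + SIZE_OFF);
    memcpy(dst, pkt + CHASER_HDR_LEN, n);    /* over-read when n > pktlen - 14 */
    return n;
}

/* Hardened version: the claimed size may not exceed the bytes the socket
 * delivered after the header, nor the destination capacity. */
int chaser_copy_checked(const uint8_t *pkt, size_t pktlen,
                        uint8_t *dst, size_t dstcap, size_t *outlen)
{
    if (pktlen < CHASER_HDR_LEN) return CHASER_ERR_SHORT;
    uint16_t n = rd16le(pkt + SIZE_OFF);
    if (n > pktlen - CHASER_HDR_LEN || n > dstcap) return CHASER_ERR_SIZE;
    memcpy(dst, pkt + CHASER_HDR_LEN, n);
    *outlen = n;
    return CHASER_OK;
}

/* Build a 4-byte payload packet with the given claimed size and run it through
 * the checked path.  Returns the accepted length, or the negative error code. */
int chaser_demo(uint16_t claimed)
{
    static const uint8_t payload[4] = { 0x01, 0x02, 0x03, 0x04 }; /* constructed */
    uint8_t pkt[CHASER_MAX_PKT], dst[CHASER_MAX_PKT];
    size_t got = 0;
    size_t n = chaser_build(pkt, sizeof pkt, claimed, payload, sizeof payload);
    int rc = chaser_copy_checked(pkt, n, dst, sizeof dst, &got);
    return rc == CHASER_OK ? (int)got : rc;
}

int main(void)
{
    printf("honest size 4      -> %d\n", chaser_demo(4));       /* 4: accepted */
    printf("claimed 5, have 4  -> %d\n", chaser_demo(5));       /* -2: rejected */
    printf("claimed 0xffff     -> %d\n", chaser_demo(0xffff));  /* -2: rejected */
    return 0;
}
```

On the real server the unchecked path is the one taken, so the 0xffff packet is enough to drive the copy out of the mapped receive buffer; the checked path turns the same packet into a dropped datagram. Note that a checksum alone would not help here: the attacker computes it over the packet they send, so it validates the oversized length field just as happily as a correct one.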