#######################################################################

                             Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/halo/default.asp
Versions:     <= 1.04
Platforms:    Windows and MacOS
Bug:          off-by-one (Denial of Service)
Exploitation: remote, against server
Date:         09 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the well-known game originally developed by Bungie Studios, ported to PC by Gearbox Software (http://www.gearboxsoftware.com) and published by Microsoft Games (http://www.microsoft.com/games/). The game was released in September 2003.

#######################################################################

======
2) Bug
======

UPDATE 02 sep 2007:

Halo is affected by an off-by-one vulnerability caused by the conversion of the encryption hash received from the client into a hex string, using a buffer of exactly 32 bytes located just before the canary value that the exception handler uses to detect buffer overflows. Since the output buffer is 32 bytes long and the game appends a NUL terminator at the end of the hex string, the terminator overwrites one byte of the canary; the check then fails, the game terminates and displays the well-known error message.

Why doesn't this happen with normal connections too? The answer is simple: the encryption hash Halo uses to encrypt its packets always starts with zero bytes, and in practice only the last 2 or 3 bytes are non-zero. When the game receives the packet it reads the first byte of the hash and performs the hex conversion described above only if that byte is non-zero.
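As an added illustration in C (not code from the advisory or from the game), the pattern described above: a hex encoder that reports a too-small output buffer instead of placing the NUL terminator one byte past its end. The 16-byte hash length and the sample hash are assumptions, not values from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 16 /* assumed: a 32-char hex string implies 16 input bytes */

/* Bytes needed for a NUL-terminated hex string of n input bytes.
 * The off-by-one in the advisory is exactly this: 2*n, not 2*n + 1. */
size_t hex_buf_needed(size_t n)
{
    return 2 * n + 1;
}

/* Encode n bytes as lowercase hex into out[outlen], NUL-terminated. Returns the
 * number of hex characters written, or -1 when the buffer cannot hold both the
 * digits and the terminator, rather than writing the terminator past its end. */
int hex_encode(const unsigned char *in, size_t n, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    if (in == NULL || out == NULL || outlen < hex_buf_needed(n))
        return -1;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return (int)(2 * n);
}

/* Constructed sample: first byte non-zero, the case in which the game converts. */
static const unsigned char SAMPLE_HASH[HASH_LEN] = {
    0xab, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0x02, 0x03
};

/* Encode the sample into a buffer of outlen bytes (at most 64).
 * Returns the hex string, or NULL when hex_encode refuses the buffer. */
const char *encode_sample(size_t outlen)
{
    static char out[64];
    if (outlen > sizeof out)
        return NULL;
    return hex_encode(SAMPLE_HASH, HASH_LEN, out, outlen) < 0 ? NULL : out;
}

int main(void)
{
    /* 32 bytes, as in the game, is one short; 33 is the minimum. */
    printf("32-byte buffer: %s\n", encode_sample(32) ? "ok" : "rejected");
    printf("33-byte buffer: %s\n", encode_sample(33));
    return 0;
}
```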
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/haloboom.zip

#######################################################################

======
4) Fix
======

Patch 1.05 for both the Win32 and MacOS versions:
http://www.microsoft.com/games/halo/downloads.asp

#######################################################################