####################################################################### Luigi Auriemma Application: Soldier of Fortune II http://www.ravensoft.com/soldier2.html Versions: <= 1.03 gold Platforms: Windows, Linux and MacOS Bug: memory corruption Exploitation: remote, versus server and clients (broadcast) Date: 23 November 2004 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Soldier of Fortune II is a widely played FPS game developed by Raven Software (http://www.ravensoft.com) and published by Activision (http://www.activision.com). It has been released at May 2002. ####################################################################### ====== 2) Bug ====== The game is affected by a sprintf() overflow when handles a too big valid query or reply (in case it acts as server or client), but doesn't seem possible to execute remote code. The effects on the server can be the immediate match interruption (shutdown) caused by the overwriting of some game data or the crash (that doesn't happen on the Linux dedicated server) depending by the amount of data received from the attacker. A worst effect instead happens on clients, in fact the type and the location of the vulnerability lets a single attacker (visible in the online master server list) to passively crash any client in the world. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/sof2boom.zip ####################################################################### ====== 4) Fix ====== No fix. The developers have not replied to my mails, so I have created a workaround (limiting from 1024 to 512 the amount of managed data) that fixes both the client and server bug and can be applied to the Windows version and to the Linux dedicated server: http://aluigi.org/patches/q3infofix.lpatch #######################################################################