#######################################################################

                             Luigi Auriemma

Application:  World in Conflict
              http://www.worldinconflict.com
              http://www.massgate.net
Versions:     <= 1.0.1.1
Platforms:    Windows
Bug:          failed assertion
Exploitation: remote, versus server
Date:         16 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

World in Conflict is a well known and widely played RTS game developed
by Massive Entertainment (http://www.massive.se). It was released in
2007 and was expanded (Soviet Assault) just some months ago.

#######################################################################

======
2) Bug
======

TCP port 48000 is used by the players for joining the server and its
protocol is quite basic: a field containing the type of the data which
follows is read, checked against the expected type, and then the data
itself is read.

So when the client joins the server (data in order) it sends the build
number, the protocol version, the minor version, the password (if
needed) and the rest of the other data, like the nickname and the
number of slots it wants to occupy (between 1 and 8, a funny job for
the fake players bug).

If the client specifies a data type different from the expected one
(for example "UI" instead of "UC") or sends an incomplete packet, the
server closes the connection and continues to work. But if this
happens after the reading of the password field, the server terminates
due to the following failed assertion:

  .\MN_ReadMessage.cpp(886): Assert failed (0 && "Typecheck failed, wrong type")

The bug is exploitable in any case, even if the password of the server
is not known and the server is full.
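The defensive reading logic this bug calls for, as an added C example that is not the game's own code: a type-tagged field reader that reports a wrong tag or a short packet through a return code, so the server can drop that client instead of dying on an assertion. The field layout (2-character tag followed by the value), the status names and the "build number then slots" join record are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed field layout for this example (not the real WiC wire format): a
 * 2-char type tag ("UC", "UI") then the value, 1 byte for UC, 4 LE bytes for UI. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } reader_t;
enum { RD_OK = 0, RD_TRUNCATED = -1, RD_WRONG_TYPE = -2, RD_BAD_VALUE = -3 };

/* Check the next tag and that its payload is complete. A mismatch or short
 * read is reported as an error code so the caller can drop the client,
 * instead of tripping an assertion that terminates the whole server. */
static int expect_tag(reader_t *r, const char *tag, size_t payload_len) {
    if (r->len - r->pos < 2) return RD_TRUNCATED;
    if (memcmp(r->buf + r->pos, tag, 2) != 0) return RD_WRONG_TYPE;
    if (r->len - r->pos - 2 < payload_len) return RD_TRUNCATED;
    r->pos += 2;
    return RD_OK;
}

static int read_ui(reader_t *r, uint32_t *out) {
    int rc = expect_tag(r, "UI", 4);
    if (rc != RD_OK) return rc;
    const uint8_t *p = r->buf + r->pos;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    r->pos += 4;
    return RD_OK;
}

/* Hypothetical join record: build number (UI), then requested slots (UC, 1..8). */
int parse_join(const uint8_t *buf, size_t len, uint32_t *build, uint8_t *slots) {
    reader_t r = { buf, len, 0 };
    int rc = read_ui(&r, build);
    if (rc == RD_OK) rc = expect_tag(&r, "UC", 1);
    if (rc == RD_OK) *slots = r.buf[r.pos++];
    if (rc == RD_OK && (*slots < 1 || *slots > 8)) rc = RD_BAD_VALUE;
    return rc;
}

/* Constructed samples (not captured traffic): build 12345 then 3 slots, and the
 * same record with "UI" sent where "UC" is expected. */
static const uint8_t SAMPLE_GOOD[]  = {'U','I',0x39,0x30,0,0,'U','C',3};
static const uint8_t SAMPLE_WRONG[] = {'U','I',0x39,0x30,0,0,'U','I',3,0,0,0};

/* Build number decoded from SAMPLE_GOOD, or 0 if it does not parse cleanly. */
uint32_t sample_build(void) {
    uint32_t build = 0; uint8_t slots = 0;
    return parse_join(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &build, &slots) == RD_OK ? build : 0;
}
```

Every failure path returns to the caller, which is the property the game's reader lacks after the password field: a wrong tag or a truncated record costs that one connection, not the server.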
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/wicass2.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################