SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Game)  >   Monolith Games (Various) Vendors:   Monolith Productions, Inc.
Monolith Games Have Buffer Overflow in '/secure/' Command That Lets Remote Users Crash the Game
SecurityTracker Alert ID:  1011603
SecurityTracker URL:  http://securitytracker.com/id/1011603
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 11 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   Luigi Auriemma reported some buffer overflow vulnerabilities in several Monolith games. A remote user can cause the game to crash and may be able to execute arbitrary code.

It is reported that a remote user can send a '\secure\' Gamespy query followed by 68 characters or more to trigger a buffer overflow. Only certain bytes can be used in overwriting the buffer.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/lithsec.zip

Affected games and versions include Alien versus Predator 2 (1.0.9.6 and prior versions), Blood 2 (2.1 and prior versions), No one lives forever (1.004 and prior versions), and Shogo (2.2 and prior versions).

The vendor was notified without response.
Impact:   A remote user can cause the game to crash. A remote user may be able to execute arbitrary code on the target system.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided unofficial patches.

For Alien versus Predator 2 1.0.9.6:

http://aluigi.altervista.org/patches/avp2-1096-fix.zip

For Blood 2 2.1:

http://aluigi.altervista.org/patches/blood2-21-fix.zip

For No one lives forever 1.004:

http://aluigi.altervista.org/patches/nolf1004-fix.zip

For Shogo 2.2:

http://aluigi.altervista.org/patches/shogo22-fix.zip
Vendor URL:  www.lith.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Fri, 8 Oct 2004 19:11:20 +0000
Subject:  Limited \secure\ buffer-overflow in some old Monolith games



#######################################################################

                             Luigi Auriemma

Applications: Some old games developed by Monolith
              http://www.lith.com
Versions:     - Alien versus Predator 2                      <= 1.0.9.6
              - Blood 2                                      <= 2.1
              - No one lives forever                         <= 1.004
              - Shogo                                        <= 2.2
Platforms:    Windows
Bug:          limited buffer overflow
Exploitation: remote, versus server
Date:         08 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain have been released
before the 2002 but are still very played online.


#######################################################################

======
2) Bug
======


The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.

The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/lithsec.zip


#######################################################################

======
4) Fix
======


No official fix, probably these games are no longer supported and,
however, I have received no reply from the developers.

Fortunately creating a work-around for this bug is very easy because is
only needed to set the "secure" string to NULL.
The following are my unofficial patches:

 Alien versus Predator 2   1.0.9.6
    http://aluigi.altervista.org/patches/avp2-1096-fix.zip

 Blood 2                   2.1
    http://aluigi.altervista.org/patches/blood2-21-fix.zip

 No one lives forever      1.004
    http://aluigi.altervista.org/patches/nolf1004-fix.zip

 Shogo                     2.2
    http://aluigi.altervista.org/patches/shogo22-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC