SecurityTracker.com
Category:   Application (Game)  >   Medieval Total War Vendors:   Creative Assembly Limited, The
Medieval Total War Game Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1007898
SecurityTracker URL:  http://securitytracker.com/id/1007898
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 8 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.1 and prior versions
Description:   Two vulnerabilities were reported in the Medieval Total War game software. A remote user can crash the target server. A remote user can also crash a match before the match has started.

Luigi Auriemma reported that a remote user can send a nickname that is longer than 76 unicode characters to cause the target server to crash. This can occur during the "Lobby" screen before the start of a match, the report said.

It is also reported that a remote user can send a malformed nickname, such as a name that is zero characters in length, to the target server to cause a "Connection expired" message to be displayed to all player clients. The affected match must then be restarted and the players must rejoin the match.
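The two malformed inputs the alert describes (a nickname of zero length and one longer than 76 unicode characters) are exactly the cases a server-side check on the nickname field should reject before anything else touches the data. The following is an added defensive example, not code from Creative Assembly or from the advisory; the wire format it assumes (a 16-bit little-endian count of UTF-16 code units followed by the units) is a constructed assumption made only so the checks can be shown:

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not the game's code. Only the two limits come from the
 * advisory: 0 units breaks the match, more than 76 units crashes the server.
 * The packet layout (count + UTF-16LE units) is an assumption. */
#define NICK_MAX_UNITS 76

enum nick_status { NICK_OK = 0, NICK_EMPTY, NICK_TOO_LONG, NICK_TRUNCATED };

/* Validate a nickname field and copy it into a fixed buffer of at least
 * NICK_MAX_UNITS + 1 uint16_t (room for a terminating 0). */
enum nick_status parse_nickname(const uint8_t *pkt, size_t pkt_len,
                                uint16_t *out, size_t out_units)
{
    if (pkt_len < 2 || out_units < NICK_MAX_UNITS + 1)
        return NICK_TRUNCATED;
    uint16_t units = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (units == 0)                 /* the "Connection expired" case */
        return NICK_EMPTY;
    if (units > NICK_MAX_UNITS)     /* the server-crash case */
        return NICK_TOO_LONG;
    /* never trust the declared count over the bytes actually received */
    if (pkt_len - 2 < (size_t)units * 2)
        return NICK_TRUNCATED;
    for (size_t i = 0; i < units; i++)
        out[i] = (uint16_t)(pkt[2 + 2 * i] | (pkt[3 + 2 * i] << 8));
    out[units] = 0;                 /* always terminated, never overrun */
    return NICK_OK;
}

/* Build a constructed test packet: count followed by 'A' repeated
 * `units` times as UTF-16LE. Returns the packet length, 0 if no room. */
size_t build_nick_packet(uint8_t *buf, size_t buf_len, uint16_t units)
{
    size_t need = 2 + (size_t)units * 2;
    if (buf_len < need)
        return 0;
    buf[0] = (uint8_t)(units & 0xff);
    buf[1] = (uint8_t)(units >> 8);
    for (size_t i = 0; i < units; i++) {
        buf[2 + 2 * i] = 'A';
        buf[3 + 2 * i] = 0;
    }
    return need;
}
```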

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/mtwdos-server.zip

The vendor has reportedly been notified.

Impact:   A remote user can cause the target server to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.totalwar.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Medieval Total War <= 1.1 broadcast crash


#######################################################################

                             Luigi Auriemma

Application:  Medieval Total War
              http://www.totalwar.com
Versions:     <= 1.1
Platforms:    Windows
Bug:          Remote crash of server and attached clients caused by
              long nickname
Risk:         Low/Medium
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Medieval Total War is a real-time strategy game available on PC and is
developed by Creative Assembly.



#######################################################################

======
2) Bug
======


MTW players have access to the server only at a specific moment and not
during the execution of the game.
This moment is the Lobby screen before the start of the match, where
all the players can join.

The bug is in the management of the nicknames sent by the clients, in
fact a nickname longer than 76 unicode chars causes the immediate crash
of the server and of all the connected clients.

The problem seems to be in the access to unreachable memory, and the
following is the instruction where the crash happens (using 76 chars):

:0x6b96f8     mov    eax,DWORD PTR [edx]

Both EAX and EDX are equal to 0.


Longer nicknames cause exceptions in other instructions but the problem
is always the access to unreachable memory.

In my tests it doesn't seem possible to execute code because the
registers that are overwritten by the data are not important for
changing the execution flow.


Side note: on Win98SE I have seen that a very long nickname (at least
250 unicode chars) causes a blue screen of death.




#######################################################################

===========
3) The Code
===========


I have written a simple proof-of-concept that also lets you specify
the amount of unicode chars to use in the nickname field.
Use a number greater than or equal to 76:

http://aluigi.altervista.org/poc/mtwdos-server.zip



#######################################################################

======
4) Fix
======


No fix.
I have contacted Creative Assembly many months ago but they didn't
have the resources to patch these bugs.



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org





#######################################################################

                             Luigi Auriemma

Application:  Medieval Total War
              http://www.totalwar.com
Versions:     <= 1.1
Platforms:    Windows
Bug:          "Connection expired" message to server and connected
              clients caused by malformed nickname
Risk:         Low
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Medieval Total War is a real-time strategy game available on PC and is
developed by Creative Assembly.



#######################################################################

======
2) Bug
======


MTW players have access to the server only at a specific moment and not
during the execution of the game.
This moment is the Lobby screen before the start of the match, where
all the players can join.

The bug is in the management of the nicknames sent by the clients; in
fact a malformed nickname (for example one of a length of 0 unicode
chars) has a nice and interesting effect on the server and all the
clients connected to it.

This effect is a message that will appear just in front of all the
players:

"Connection expired"

Then the server must restart the match and the players must rejoin
again.




#######################################################################

===========
3) The Code
===========


Use the following proof-of-concept specifying 0 as first command-line
argument:

http://aluigi.altervista.org/poc/mtwdos-server.zip



#######################################################################

======
4) Fix
======


No fix.
I have contacted Creative Assembly many months ago but they didn't
have the resources to patch this bug.



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
