SecurityTracker.com
Category:   Application (Game)  >   Chaser
Vendors:   chasergame.com
Chaser Game Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1008928
SecurityTracker URL:  http://securitytracker.com/id/1008928
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 3 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.50 and prior versions
Description:   A denial of service vulnerability was reported in the Chaser game client and server. A remote user can cause the target application to crash.

Luigi Auriemma reported that a remote user can send a specially crafted data size parameter to cause the target system to crash. Both the client and server software are affected, according to the report.

A demonstration exploit for the server is available at:

http://aluigi.altervista.org/poc/chasercrash.zip

A demonstration exploit for the client is available at:

http://aluigi.altervista.org/poc/chaser-client.zip

The vendor has reportedly been notified without response.

Impact:   A remote user can cause the server or the client to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.chasergame.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Remote crash of Chaser game <= 1.50



#######################################################################

                             Luigi Auriemma

Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          crash (reading of unallocated memory)
Risk:         high
Exploitation: remote, both server and client are vulnerable
Date:         03 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.


#######################################################################

======
2) Bug
======


The structure of a Chaser packet is like the following:

00 00 00 00 00 ff 00 00
   |              |
   |              size of the data starting at offset 14
   16 bit checksum
   http://aluigi.altervista.org/papers/chaser_crc.h

The problem is just in the value specifying the size of the data: in
fact, if it is too big, the game will read the entire amount of data
specified and will reach an unallocated memory zone, which will cause an
exception.
The following is the instruction that causes the crash in the dedicated
server 1.50:

:0050C89F F3A5                    rep movsd


#######################################################################

===========
3) The Code
===========


To test the Chaser server:

http://aluigi.altervista.org/poc/chasercrash.zip

The vulnerability also affects the client, but naturally the
dangerousness is really minimal; I have also released a
proof-of-concept to test this case:

http://aluigi.altervista.org/poc/chaser-client.zip


#######################################################################

======
4) Fix
======


No fix.
Cauldron has not replied to my mails.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
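
The advisory lists no fix. The following C code is an added example, not from the advisory or the vendor, showing the length check whose absence the Bug section describes: the sender-supplied size is compared against the bytes actually received before any copy. The 14-byte header follows the advisory's "data starting at offset 14"; the size field's offset, width and byte order, and all function and constant names, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration (not taken from the game's code):
 * 14-byte header, declared data size as a 16-bit little-endian value
 * at offset 5, data beginning at offset 14. */
#define HDR_LEN  14u
#define SIZE_OFF 5u

enum pkt_status { PKT_OK, PKT_SHORT_HEADER, PKT_SIZE_GT_RECEIVED, PKT_SIZE_GT_BUFFER };

/* Copy the payload only if the declared size is backed by bytes that
 * actually arrived and fits the destination buffer. */
enum pkt_status pkt_copy_payload(const uint8_t *pkt, size_t received,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (received < HDR_LEN)
        return PKT_SHORT_HEADER;
    size_t declared = (size_t)pkt[SIZE_OFF] | ((size_t)pkt[SIZE_OFF + 1] << 8);
    if (declared > received - HDR_LEN)   /* sender claims more than it sent */
        return PKT_SIZE_GT_RECEIVED;
    if (declared > out_cap)
        return PKT_SIZE_GT_BUFFER;
    memcpy(out, pkt + HDR_LEN, declared);
    *out_len = declared;
    return PKT_OK;
}

/* Build a constructed datagram (header plus payload_len bytes, with
 * the given declared size) and return the parser's verdict. */
enum pkt_status check_constructed(uint16_t declared, size_t payload_len, size_t out_cap)
{
    uint8_t pkt[HDR_LEN + 64] = {0}, out[64];
    size_t out_len = 0;
    if (payload_len > 64 || out_cap > sizeof out)
        return PKT_SIZE_GT_BUFFER;
    pkt[SIZE_OFF] = (uint8_t)(declared & 0xff);
    pkt[SIZE_OFF + 1] = (uint8_t)(declared >> 8);
    memset(pkt + HDR_LEN, 0x41, payload_len);
    return pkt_copy_payload(pkt, HDR_LEN + payload_len, out, out_cap, &out_len);
}

int main(void)
{
    printf("honest size:   %d\n", check_constructed(8, 8, 64));
    printf("inflated size: %d\n", check_constructed(0xffff, 8, 64));
    return 0;
}
```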

 
 



Copyright 2019, SecurityGlobal.net LLC