SecurityTracker.com
Category:   Application (Game)  >   Purge Jihad
Vendors:   Freeform Interactive LLC
Purge Jihad Broadcast Response Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009073
SecurityTracker URL:  http://securitytracker.com/id/1009073
CVE Reference:   CVE-2004-0290
Updated:  Mar 26 2004
Original Entry Date:  Feb 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0.1 and prior versions (also affecting Purge 1.4.7 and prior versions)
Description:   A buffer overflow vulnerability was reported in the Purge and Purge Jihad games. A remote game server can execute arbitrary code on a connected client system.

Luigi Auriemma reported that when a client sends a broadcast query to available game servers, a game server can respond with a specially crafted packet to trigger a buffer overflow and execute arbitrary code on the client system.

The 'battle type' and 'map name' fields are reportedly limited to 64 bytes but can be overflowed.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/purge-cbof.zip

Impact:   A remote game server can execute arbitrary code on a target client system when the target system broadcasts to the game server.
Solution:   The vendor has released a fixed version (2.0.2), available at:

http://www.purgeonline.net/download.shtml

Vendor URL:  www.purgeonline.net/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://aluigi.altervista.org/adv/purge-cbof-adv.txt



#######################################################################

                              Luigi Auriemma

Applications: Purge and Purge Jihad
               http://www.purgeonline.net
Versions:     Purge       <= 1.4.7
               Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Risk:         highly critical
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Purge Jihad is a game developed by Freeform Interactive using the
Lithtech Talon graphic engine:

"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the
near future accounting a war between the diametrically opposed forces
of science-fiction (the Order) and fantasy (the Chosen)"


#######################################################################

======
2) Bug
======


The bug is a "broadcast" buffer-overflow affecting clients.
In fact each client that enters the multiplayer screen automatically
contacts the master server and then sends a query to each available
online game server to know information about the current match running
on it.

The attacker's server must simply reply to clients' requests with an
information packet containing 2 big fields: battle type and map name.
These fields in fact are managed by a vulnerable function that copies
the provided strings into a 64-byte buffer not able to contain the
maximum size of 256 bytes of each field.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/purge-cbof.zip


#######################################################################

======
4) Fix
======


Purge Jihad 2.0.2


#######################################################################
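
The copy flaw described in section 2 (fields of up to 256 bytes copied into a 64-byte buffer), as an added C example that is not the game's code or the advisory author's: it shows the unbounded copy pattern beside a length-checked one that rejects oversized fields. The fixed-width packet layout, the struct and all function names are assumptions made for illustration; the real reply format is not given on this page.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_BUF 64    /* client-side buffer size stated in the advisory */
#define FIELD_MAX 256   /* maximum size of each field in a reply, per the advisory */

/* Hypothetical client-side record for one server's reply. */
struct server_info {
    char battle_type[FIELD_BUF];
    char map_name[FIELD_BUF];
};

/* The flawed pattern: copies up to the NUL and ignores the destination size. */
void store_field_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Checked copy: src need not be NUL-terminated within src_max bytes.
 * Returns 0 on success, -1 if the field does not fit (dst is left empty). */
int store_field(char *dst, size_t dst_size, const char *src, size_t src_max) {
    size_t len = 0;
    if (dst_size == 0) return -1;
    dst[0] = '\0';
    while (len < src_max && src[len] != '\0') len++;  /* bounded strlen */
    if (len >= dst_size) return -1;                   /* reject instead of overflowing */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Assumed layout: two FIELD_MAX-byte fields back to back (battle type, map name). */
int parse_reply(struct server_info *out, const char *pkt, size_t pkt_len) {
    if (pkt_len < 2 * FIELD_MAX) return -1;           /* short packet */
    if (store_field(out->battle_type, sizeof out->battle_type, pkt, FIELD_MAX) != 0) return -1;
    if (store_field(out->map_name, sizeof out->map_name, pkt + FIELD_MAX, FIELD_MAX) != 0) return -1;
    return 0;
}

int main(void) {
    char pkt[2 * FIELD_MAX] = {0};                    /* constructed sample reply */
    struct server_info info;
    strcpy(pkt, "deathmatch");
    memset(pkt + FIELD_MAX, 'A', FIELD_MAX);          /* oversized map name, no terminator */
    printf("parse result: %d\n", parse_reply(&info, pkt, sizeof pkt));
    return 0;
}
```

A client that drops the whole reply on a failed field, as `parse_reply` does here, simply omits the offending server from its list.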


 
 

