SecurityTracker.com

Category:   Application (Game)  >   Red Faction
Vendors:   THQ Inc.
Red Faction Game Server Can Execute Arbitrary Code on a Connected Client
SecurityTracker Alert ID:  1009273
SecurityTracker URL:  http://securitytracker.com/id/1009273
CVE Reference:   CVE-2004-0345
Updated:  Mar 23 2004
Original Entry Date:  Mar 1 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.20 and prior versions
Description:   Luigi Auriemma reported a buffer overflow vulnerability in Red Faction. A remote server can execute arbitrary code on a connected client.

It is reported that when a client connects to a game server to play a multiplayer game, the server can return a specially crafted server name string that is 260 characters or more to trigger a buffer overflow. The server can execute arbitrary code on the client.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/rfcbof.zip

Impact:   A malicious game server can execute arbitrary code on a connected client.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.redfaction.com/
Cause:   Boundary error
Underlying OS:  Apple (Legacy "classic" Mac), UNIX (macOS/OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Clients broadcast buffer overflow in Red Faction <= 1.20



#######################################################################

                             Luigi Auriemma

Application:  Red Faction
              http://www.redfaction.com
Versions:     <= 1.20
Platforms:    Windows, MacOS
Bug:          broadcast client buffer overflow
Risk:         highly critical
Exploitation: remote and automatic, versus clients
Date:         01 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Red Faction is a very cool FPS game developed by Volition
(http://www.volition-inc.com).
The main and most famous feature of this game is the possibility to
destroy walls and other scenario's elements with bombs and rocket
launchers... very funny and relaxing.


#######################################################################

======
2) Bug
======


The problem is a broadcast client buffer overflow.
Each client entering the multiplayer menu of the game first contacts
the master server to know what game servers are online and then asks
each one of them for information.
The reply of the servers contains a NULL-terminated text string
identifying the server name; if this string is greater than or equal to
260 chars, the client will be victim of a buffer overflow vulnerability
caused by the following memcpy() function (from version 1.20):

:0047B2D8 F3A5                    rep movsd

The attacker on the (passive) server will have full control over any
client.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/rfcbof.zip


#######################################################################

======
4) Fix
======


No fix.
No replies from developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
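
Added example (not part of the original advisory and not the game's code): a bounds-checked way for a client to take the server name out of a server reply, rejecting names that are unterminated or that would not fit the destination. The helper name, the 260-byte buffer size (taken from the threshold quoted above) and the layout (name at the start of the payload) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, taken from the 260-char threshold in the advisory. */
#define SERVER_NAME_MAX 260

enum name_status { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_UNTERMINATED = -2 };

/* Hypothetical helper: copy the NUL-terminated server name that starts at
 * payload[0] into dst. payload_len is the byte count actually received. */
static int copy_server_name(char dst[SERVER_NAME_MAX],
                            const unsigned char *payload, size_t payload_len)
{
    const unsigned char *nul;
    size_t name_len;

    dst[0] = '\0';                       /* dst is always a valid string */
    if (payload == NULL || payload_len == 0)
        return NAME_UNTERMINATED;

    /* Search for the terminator only inside the received bytes. */
    nul = memchr(payload, '\0', payload_len);
    if (nul == NULL)
        return NAME_UNTERMINATED;        /* sender omitted the NUL */

    name_len = (size_t)(nul - payload);
    if (name_len >= SERVER_NAME_MAX)
        return NAME_TOO_LONG;            /* name plus NUL would not fit */

    memcpy(dst, payload, name_len + 1);  /* length proven to fit dst */
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    unsigned char good[] = "Constructed Test Server";
    unsigned char oversized[400];
    char name[SERVER_NAME_MAX];
    int rc;

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    rc = copy_server_name(name, good, sizeof good);
    printf("good:      %d \"%s\"\n", rc, name);
    rc = copy_server_name(name, oversized, sizeof oversized);
    printf("oversized: %d \"%s\"\n", rc, name);
    return 0;
}
```

A client that gets anything other than NAME_OK should drop that server's entry instead of displaying a truncated name.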

 
 



Copyright 2019, SecurityGlobal.net LLC