SecurityTracker.com
Category:   Application (Game)  >   FreeSpace 2
Vendors:   Volition, Inc.
FreeSpace 2 Game Client Buffer Overflow Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1009286
SecurityTracker URL:  http://securitytracker.com/id/1009286
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.2 and prior versions
Description:   Luigi Auriemma reported a buffer overflow vulnerability in FreeSpace 2. A malicious server can cause arbitrary code to be executed on a connected client.

It is reported that a remote server can send a specially crafted server name that is 180 characters or longer in a reply packet to trigger the buffer overflow.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/fs2cbof.zip

Impact:   A remote server can execute arbitrary code on a connected game client.
Solution:   No solution was available at the time of this entry.

The report indicates that FreeSpace 2 is no longer supported.

Vendor URL:  www.freespace2.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Client buffer overflow in Freespace 2 <= 1.2


#######################################################################

                              Luigi Auriemma

Application:  Freespace 2
               http://www.freespace2.com
Versions:     <= 1.2
Platforms:    Windows
Bug:          client buffer overflow
Risk:         high
Exploitation: remote, versus client
Date:         02 Mar 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Freespace 2 is a space combat game developed by Volition
(http://www.volition-inc.com) and is the latest successor of the old
and famous Descent game.

Note: Freespace 2 is quite old (1999) and so is no longer supported.


#######################################################################

======
2) Bug
======


The bug is a buffer overflow that happens when the client receives
information replies from servers.
In fact, if the server name contained in the server's UDP reply packet
is 180 chars or longer, the return address of the vulnerable client
function will be fully overwritten, letting the attacker on the server
gain full control of the victim.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/fs2cbof.zip


#######################################################################

======
4) Fix
======


No fix.
No replies from developers.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
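
An added example, not part of the advisory and not FreeSpace 2 code: a bounds-checked way for a client to copy a server name out of an untrusted UDP reply, the kind of copy the advisory reports as overflowing. The header length, the destination buffer size and every function name are assumptions, since the page gives neither the packet layout nor the real buffer size; only the 180-character length comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values: the advisory gives neither the buffer size nor the packet
 * layout. Only the 180-character trigger length comes from the page. */
#define NAME_BUF_SIZE 64   /* hypothetical destination buffer */
#define REPLY_HDR_LEN 4    /* hypothetical fixed header before the name */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_UNTERMINATED = -2,
       PARSE_TOO_LONG = -3 };

/* Copy the NUL-terminated server name out of an untrusted UDP reply.
 * Nothing but an empty string is left in out unless the name fully fits. */
int parse_server_name(const uint8_t *pkt, size_t pkt_len,
                      char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return PARSE_TOO_LONG;
    out[0] = '\0';
    if (pkt == NULL || pkt_len <= REPLY_HDR_LEN)
        return PARSE_TRUNCATED;

    const uint8_t *name = pkt + REPLY_HDR_LEN;
    size_t avail = pkt_len - REPLY_HDR_LEN;

    /* Look for the terminator inside the datagram only; strlen() would
     * read past the end of a packet that carries no NUL. */
    const uint8_t *nul = memchr(name, '\0', avail);
    if (nul == NULL)
        return PARSE_UNTERMINATED;

    size_t len = (size_t)(nul - name);
    if (len >= out_size)   /* reject rather than silently truncate */
        return PARSE_TOO_LONG;
    for (size_t i = 0; i < len; i++)   /* keep printable ASCII only */
        out[i] = (name[i] >= 0x20 && name[i] < 0x7f) ? (char)name[i] : '?';
    out[len] = '\0';
    return PARSE_OK;
}

/* Constructed input: a reply carrying a 180-byte name. */
int check_180_byte_name(void)
{
    uint8_t pkt[REPLY_HDR_LEN + 180 + 1] = {0};
    char name[NAME_BUF_SIZE];
    memset(pkt + REPLY_HDR_LEN, 'A', 180);
    return parse_server_name(pkt, sizeof pkt, name, sizeof name);
}
```

Rejecting an overlong name outright, rather than truncating it, also gives a server browser a clear signal that the reply is malformed and can be dropped from the list.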



 
 



Copyright 2019, SecurityGlobal.net LLC