SecurityTracker.com
Category:   Application (Game)  >   Chrome Video Game
Vendors:   Techland
Chrome Game Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1009487
SecurityTracker URL:  http://securitytracker.com/id/1009487
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 18 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.2.0.0 and prior versions
Description:   Luigi Auriemma reported a vulnerability in the Chrome game server. A remote user can cause the game server to crash.

It is reported that a remote user can supply a specially crafted value to cause a memory read or write error and crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/chromeboom.zip

The vendor is reportedly aware of the vulnerability.

Impact:   A remote user can cause the game service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.chromethegame.com/
Cause:   Boundary error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Chrome 1.2.0.0 server crash



#######################################################################

                              Luigi Auriemma

Application:  Chrome
               http://www.chromethegame.com
Versions:     <= 1.2.0.0
Platforms:    Windows
Bug:          reading and writing into unallocated memory (crash)
Risk:         medium/high
Exploitation: remote, versus server
Date:         18 Mar 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Chrome is a cool game developed by Techland (http://www.techland.pl)
and is a futuristic FPP (First Person Perspective) shooting game whose
action takes place on a planet of another solar system called Valkyria.


#######################################################################

======
2) Bug
======


The problem is located in the following instructions:

   buff = malloc(value);
   memcpy(buff, packet + 8, value);

where "buff" is the new allocated buffer, "value" is a 32 bit number
located at offset 4 of the packet sent by the client and "packet" is
just this packet.
Now we have 2 interesting effects that have the same result (server's
crash):

- if "value" is too big the malloc() function will fail and there are
   no instructions to check it so the game will try to write into a bad
   memory zone (0x00000000)
- if "value" is big but is allocable, memcpy() will fail because the
   value is bigger than the packet so it will try to read from the
   unallocated memory after the data


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/chromeboom.zip


#######################################################################

======
4) Fix
======


No fix.
Developers talked about the patching of their online servers and about
an eventual patch for users within over 2 weeks ago, but nothing has
been released yet and there is no information from them.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
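
Added example, not part of the advisory or the vendor's code: a hardened form of the length-prefixed copy described in section 2, rejecting a "value" that exceeds the received bytes and checking the malloc() result. The function names, the MAX_PAYLOAD limit and the little-endian byte order are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN     8u     /* payload starts at offset 8, as in the advisory */
#define MAX_PAYLOAD 4096u  /* assumed application limit, not from the advisory */

/* Read the 32-bit "value" at offset 4 (little-endian is an assumption). */
static uint32_t read_len_le(const uint8_t *p)
{
    return (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
           ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
}

/* Hypothetical handler: returns a malloc'd copy of the payload and sets
 * *out_len, or returns NULL when the packet is rejected. Caller frees. */
uint8_t *copy_payload_checked(const uint8_t *packet, size_t packet_len,
                              size_t *out_len)
{
    uint32_t value;
    uint8_t *buff;

    *out_len = 0;
    if (packet == NULL || packet_len < HDR_LEN)
        return NULL;            /* too short to contain the length field */

    value = read_len_le(packet);
    if (value == 0 || value > MAX_PAYLOAD)
        return NULL;            /* bound the attacker-chosen allocation size */
    if (value > packet_len - HDR_LEN)
        return NULL;            /* claimed length exceeds received data:
                                   memcpy() would read past the packet */

    buff = malloc(value);
    if (buff == NULL)
        return NULL;            /* failed allocation: never copy to NULL */

    memcpy(buff, packet + HDR_LEN, value);
    *out_len = value;
    return buff;
}
```

The comparison against packet_len - HDR_LEN is safe from underflow because packet_len >= HDR_LEN has already been established.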


 
 

