SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Terminator 3 War of the Machines Vendors:   Atari
'Terminator 3: War of the Machines' Game Buffer Overflow Lets Servers Execute Arbitrary Code on Connected Clients
SecurityTracker Alert ID:  1009498
SecurityTracker URL:  http://securitytracker.com/id/1009498
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 19 2004
Impact:   Denial of service via network, Execution of arbitrary code via local system, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0
Description:   Luigi Auriemma reported a buffer overflow in the 'Terminator 3: War of the Machines' game. A remote server can cause a connected client to execute arbitrary code.

It is reported that a remote server can supply a specially crafted reply to a connected client to trigger an overflow in the statically sized ServerInfoTemp variable. As a result, the game can be crashed. It may also be possible to execute arbitrary code.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/t3cbof.zip

The vendor has reportedly been notified.

Impact:   A remote game server can execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.t3war.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Broadcast client buffer-overflow in Terminator 3 1.0



#######################################################################

                              Luigi Auriemma

Application:  Terminator 3: War of the Machines
               http://www.t3war.com
Versions:     1.0
Platforms:    Windows
Bug:          broadcast client's buffer-overflow
Risk:         very high
Exploitation: remote and automatic, versus clients
Date:         19 Mar 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Terminator 3: War of the Machines" is a multiplayer FPS game developed
by Clevers (http://www.clevers.com) and based on the homonym Swarzy's
movie.


#######################################################################

======
2) Bug
======


The bug is a broadcast buffer-overflow affecting clients.
Everytime a user enters in the multiplayer menu, the game contacts the
master server and then each online server automatically.
The bug happens during the usage of some vulnerable instructions that
are exactly the following:

     char ServerInfoTemp[200];
     ...
     for (int i = 0; i < strlen(ServerInfo); i++) {
         ServerInfoTemp[i] = toupper(ServerInfo[i]);
     }

They get a string (ServerInfo) previously generated with the server's
IP and port and all the values in its reply, after which they put this
string into a new smaller buffer (ServerInfoTemp) converting the chars
to upper case.

The effects of this bug are the usual 2 known problems:

- automatic buffer-overflow (here with the upper-case limitation)
- network Denial of service, nobody can use the game online

For who wanna see the problem at runtime, the vulnerable instructions
in the executable of the pre-release demo are the loop between 004953d4
and 004953fe.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/t3cbof.zip


#######################################################################

======
4) Fix
======


No fix.
Developers promised a patch a lot of times (for 3 months) but it has
not been released yet.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC