SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Game)  >   Painkiller
Vendors:   People Can Fly
Painkiller Game Buffer Overflow Lets Remote Users Corrupt Memory on the Target System
SecurityTracker Alert ID:  1011044
SecurityTracker URL:  http://securitytracker.com/id/1011044
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 24 2004
Impact:   Denial of service via network, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.3.1 and prior versions
Description:   Luigi Auriemma reported a vulnerability in Painkiller. A remote user may be able to cause the game to crash.

It is reported that a remote user can send the Painkiller server a specially crafted encoded password value to trigger a buffer overflow in the target server. A password longer than 256 characters triggers the flaw. The report indicates that, because of the encoding algorithm, only bytes 0x00 through 0x3f can be written into the overwritten memory, so arbitrary code execution appears not to be possible (or at least to be difficult).

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/painkex.zip

The vendor has reportedly been notified.

Impact:   A remote user can corrupt memory on the target system, potentially causing the game service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.painkillergame.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Limited buffer overflow in Painkiller 1.31



#######################################################################

                             Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.3.1
Platforms:    Windows
Bug:          memory corruption with limited code execution
Risk:         medium/high
Exploitation: remote, versus server
Date:         24 August 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Painkiller is a famous FPS game developed by People can Fly
(http://www.peoplecanfly.com) and released in April 2004.


#######################################################################

======
2) Bug
======


The handshake to join a Painkiller server is composed of 3 packets:
- a connection request from the client (ID 0x02)
- a challenge key from the server (ID 0x03) used for the calculation of
  both the Gamespy cd-key authorization string
  (http://aluigi.altervista.org/papers/gskey-auth.txt) and the password
  used to access protected game servers
- the client's packet used to join (ID 0x04) and containing its game
  version, the Gamespy cd-key auth string, the password (if needed) and
  some other information

The problem is just in the password field (read by both protected and
non-protected game servers): in fact it is encoded using a specific
algorithm and the challenge string received from the server, but when
the server tries to "unscramble" a too long password (over 256 chars)
some important memory zones are overwritten.
The full optimized encoding/decoding algorithm is available here:
  http://aluigi.altervista.org/papers/painkiller_pckpwd.h

Due to the type of encoding algorithm and the type of bug it seems not
possible to fully execute remote code (at least not easily), because
the return address can be overwritten only by the bytes allowed in an
intermediate step of the password decoding, so from 0x00 to 0x3f.
It is possible that other exploitation methods exist; however, I have
found only this one, which has this limitation.


#######################################################################

===========
3) The Code
===========


  http://aluigi.altervista.org/poc/painkex.zip


#######################################################################

======
4) Fix
======


No fix.
Developers were contacted over one month ago but the patch (which is
ready) has not been released yet.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
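The bounded decode that the advisory's fix implies, as an added C example that is neither the author's code nor the game's (the real unscrambler is in the painkiller_pckpwd.h linked above). The 64-symbol alphabet, the 4-byte key schedule and the XOR mixing are stand-in assumptions that only reproduce the two properties the advisory states: a 256-byte decode buffer, and an intermediate step whose decoded bytes are all in 0x00..0x3f.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PK_PASSWORD_MAX 256   /* size of the decode buffer the advisory says is overrun */
/* Assumed 64-symbol alphabet: each decoded 6-bit value is an index into it. */
static const char PK_ALPHABET[65] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Assumed key schedule: stream byte i is mixed with byte (i mod 4) of the challenge. */
static uint8_t pk_key_byte(uint32_t challenge, size_t i) {
    return (uint8_t)(challenge >> ((i % 4) * 8));
}

/* Client side, constructed for the round trip: alphabet index XOR key byte. */
int pk_encode_password(const char *pw, uint32_t challenge, uint8_t *wire, size_t cap) {
    size_t n = strlen(pw);
    if (n > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *p = strchr(PK_ALPHABET, pw[i]);
        if (p == NULL) return -1;                       /* symbol not in the alphabet */
        wire[i] = (uint8_t)((p - PK_ALPHABET) ^ pk_key_byte(challenge, i));
    }
    return (int)n;
}

/* The vulnerable shape, kept only as the "before": the length comes from the
 * packet and is never compared with sizeof v6, so a field longer than 256 bytes
 * writes 6-bit values (0x00..0x3f, hence the advisory's limit) past v6[] into
 * whatever the compiler placed after it on the stack. */
void pk_unscramble_unchecked(const uint8_t *wire, size_t wire_len, uint32_t challenge, char *out) {
    uint8_t v6[PK_PASSWORD_MAX];
    for (size_t i = 0; i < wire_len; i++)               /* BUG: unbounded write */
        v6[i] = (uint8_t)((wire[i] ^ pk_key_byte(challenge, i)) & 0x3f);
    for (size_t i = 0; i < wire_len; i++) out[i] = PK_ALPHABET[v6[i]];
    out[wire_len] = '\0';
}

/* The hardened shape: reject the field before any byte is written. Returns the
 * decoded length, or -1 when it would not fit in v6[] or in out[]. */
int pk_unscramble(const uint8_t *wire, size_t wire_len, uint32_t challenge, char *out, size_t out_cap) {
    uint8_t v6[PK_PASSWORD_MAX];
    if (wire_len > sizeof v6 || wire_len >= out_cap) return -1;
    for (size_t i = 0; i < wire_len; i++)
        v6[i] = (uint8_t)((wire[i] ^ pk_key_byte(challenge, i)) & 0x3f);
    for (size_t i = 0; i < wire_len; i++) out[i] = PK_ALPHABET[v6[i]];
    out[wire_len] = '\0';
    return (int)wire_len;
}
```

A server that applies the length check before the loop turns the over-long password into a plain protocol error rather than a stack write, which is the whole of the fix the advisory is waiting for.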