SecurityTracker.com
Category:   Application (Game)  >   Monolith Games (Various)
Vendors:   Monolith Productions, Inc.
Monolith Games Have Buffer Overflow in '\secure\' Command That Lets Remote Users Crash the Game
SecurityTracker Alert ID:  1011603
SecurityTracker URL:  http://securitytracker.com/id/1011603
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 11 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   Luigi Auriemma reported some buffer overflow vulnerabilities in several Monolith games. A remote user can cause the game to crash and may be able to execute arbitrary code.

It is reported that a remote user can send a '\secure\' Gamespy query followed by 68 characters or more to trigger a buffer overflow. Only certain bytes can be used in overwriting the buffer.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/lithsec.zip

Affected games and versions include Alien versus Predator 2 (1.0.9.6 and prior versions), Blood 2 (2.1 and prior versions), No one lives forever (1.004 and prior versions), and Shogo (2.2 and prior versions).

The vendor was notified without response.
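
The boundary error described above, as an added sketch that is not the engine's code or part of the original report: a bounded parser for the \secure\ value that rejects an oversized value instead of copying it. The 68-byte buffer, the function names and the return codes are assumptions chosen to match the 68-character threshold in the report.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity: the advisory says 68 or more characters overflow
   the buffer, so this sketch accepts at most 67 plus the terminator. */
#define SECURE_BUF_SIZE 68
enum { SECURE_OK = 0, SECURE_ABSENT = -1, SECURE_TOO_LONG = -2 };

/* Copy the value that follows "\secure\" in a backslash-delimited query
   into out. pkt need not be NUL-terminated; pkt_len is the datagram size.
   out is left as an empty string unless the whole value fits. */
int parse_secure(const char *pkt, size_t pkt_len, char *out, size_t out_size)
{
    static const char key[] = "\\secure\\";
    const size_t key_len = sizeof(key) - 1;
    size_t i, start, len;

    if (out_size == 0) return SECURE_TOO_LONG;
    out[0] = '\0';

    /* Locate the key without reading past the datagram. */
    for (i = 0; i + key_len <= pkt_len; i++)
        if (memcmp(pkt + i, key, key_len) == 0)
            break;
    if (i + key_len > pkt_len)
        return SECURE_ABSENT;

    /* The value runs to the next backslash, a NUL, or the end of the packet. */
    start = i + key_len;
    for (len = 0; start + len < pkt_len; len++)
        if (pkt[start + len] == '\\' || pkt[start + len] == '\0')
            break;

    /* Boundary check that an unbounded copy lacks: reject, do not truncate. */
    if (len >= out_size)
        return SECURE_TOO_LONG;
    memcpy(out, pkt + start, len);
    out[len] = '\0';
    return SECURE_OK;
}

/* Constructed sample input: "\secure\" followed by n printable bytes. */
int probe(size_t n)
{
    char pkt[256] = "\\secure\\", out[SECURE_BUF_SIZE];
    if (n > sizeof(pkt) - 8) return SECURE_TOO_LONG;
    memset(pkt + 8, 'A', n);
    return parse_secure(pkt, 8 + n, out, sizeof(out));
}
```

Rejecting the datagram outright, rather than truncating the value, keeps a malformed query from reaching any later processing of the string.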

Impact:   A remote user can cause the game to crash. A remote user may be able to execute arbitrary code on the target system.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided unofficial patches.

For Alien versus Predator 2 1.0.9.6:

http://aluigi.altervista.org/patches/avp2-1096-fix.zip

For Blood 2 2.1:

http://aluigi.altervista.org/patches/blood2-21-fix.zip

For No one lives forever 1.004:

http://aluigi.altervista.org/patches/nolf1004-fix.zip

For Shogo 2.2:

http://aluigi.altervista.org/patches/shogo22-fix.zip

Vendor URL:  www.lith.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Limited \secure\ buffer-overflow in some old Monolith games



#######################################################################

                             Luigi Auriemma

Applications: Some old games developed by Monolith
              http://www.lith.com
Versions:     - Alien versus Predator 2                      <= 1.0.9.6
              - Blood 2                                      <= 2.1
              - No one lives forever                         <= 1.004
              - Shogo                                        <= 2.2
Platforms:    Windows
Bug:          limited buffer overflow
Exploitation: remote, versus server
Date:         08 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain were released
before 2002 but are still widely played online.


#######################################################################

======
2) Bug
======


The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.

The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/lithsec.zip


#######################################################################

======
4) Fix
======


No official fix; these games are probably no longer supported and,
in any case, I have received no reply from the developers.

Fortunately, creating a work-around for this bug is very easy because it
is only necessary to set the "secure" string to NULL.
The following are my unofficial patches:

 Alien versus Predator 2   1.0.9.6
    http://aluigi.altervista.org/patches/avp2-1096-fix.zip

 Blood 2                   2.1
    http://aluigi.altervista.org/patches/blood2-21-fix.zip

 No one lives forever      1.004
    http://aluigi.altervista.org/patches/nolf1004-fix.zip

 Shogo                     2.2
    http://aluigi.altervista.org/patches/shogo22-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 



Copyright 2019, SecurityGlobal.net LLC