SecurityTracker.com
Category:   Application (Game)  >   Soldier of Fortune II
Vendors:   Raven Software
Soldier of Fortune II Buffer Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID:  1012316
SecurityTracker URL:  http://securitytracker.com/id/1012316
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 24 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.03 gold and prior versions
Description:   Luigi Auriemma reported a vulnerability in Soldier of Fortune II. A remote user can trigger a buffer overflow to cause the game service to shut down or crash.

It is reported that a remote user can send a specially crafted query (to a server) or reply (to a client) to trigger the buffer overflow. A remote user can cause multiple clients to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/sof2boom.zip

Impact:   A remote user can cause the game service to shut down or crash.
Solution:   No vendor solution was available at the time of this entry.

An unofficial workaround for the Windows version and the Linux dedicated server is available at:

http://aluigi.altervista.org/patches/sof2-103-fix.zip

Vendor URL:  sof2.ravensoft.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Broadcast memory corruption in Soldier of Fortune II 1.03



#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://sof2.ravensoft.com
Versions:     <= 1.03 gold
Platforms:    Windows, Linux and MacOS
Bug:          memory corruption
Exploitation: remote, versus server and clients (broadcast)
Date:         23 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released in May 2002.


#######################################################################

======
2) Bug
======


The game is affected by a sprintf() overflow when it handles a valid
query or reply that is too big (in case it acts as server or client),
but it doesn't seem possible to execute remote code.

The effects on the server can be the immediate match interruption
(shutdown) caused by the overwriting of some game data or the crash
(that doesn't happen on the Linux dedicated server) depending on the
amount of data received from the attacker.

A worse effect instead happens on clients, in fact the type and the
location of the vulnerability let a single attacker (visible in the
online master server list) passively crash any client in the world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/sof2boom.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have not replied to my mails, so I have created a
workaround (limiting from 1024 to 512 the amount of managed data) that
fixes both the client and server bug and can be applied to the Windows
version and to the Linux dedicated server:

  http://aluigi.altervista.org/patches/sof2-103-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
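
Added example, not part of the advisory or of the game's code: a bounded replacement for the sprintf() pattern described above, combining a cap on accepted data (the 1024 and 512 figures come from the workaround description) with a truncation check on the destination. The function name, label, format string and destination sizes are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RECV    1024  /* amount of data handled before the workaround (advisory figure) */
#define MAX_MANAGED 512   /* amount handled after the workaround (advisory figure) */

/* Hypothetical handler, not the game's code. Copies a received query/reply
 * payload into a fixed-size text buffer behind a label.
 * Unsafe equivalent: sprintf(out, "%s: %s", label, data) writes as many bytes
 * as the sender supplied, whatever the size of out.
 * Returns the number of characters written, or -1 if the input is rejected. */
int format_payload(char *out, size_t out_size,
                   const char *label, const char *data, size_t data_len)
{
    int n;

    if (out == NULL || out_size == 0)
        return -1;
    out[0] = '\0';

    /* Same idea as the workaround: refuse more than MAX_MANAGED bytes. */
    if (data == NULL || data_len > MAX_MANAGED)
        return -1;

    /* %.*s bounds the read: network data need not be NUL-terminated. */
    n = snprintf(out, out_size, "%s: %.*s", label, (int)data_len, data);

    /* snprintf returns the length it wanted; >= out_size means truncation. */
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char big[MAX_RECV], out[600];            /* constructed sample input */
    memset(big, 'A', sizeof big);

    printf("512 bytes  -> %d\n", format_payload(out, sizeof out, "reply", big, 512));
    printf("1024 bytes -> %d\n", format_payload(out, sizeof out, "reply", big, sizeof big));
    printf("small dest -> %d\n", format_payload(out, 64, "reply", big, 512));
    return 0;
}
```

The cap and the truncation check are independent: the third call passes the cap but is still rejected because the destination is too small for the formatted result.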
 
 



Copyright 2019, SecurityGlobal.net LLC