SecurityTracker.com
Category:   Application (Game)  >   Painkiller
Vendors:   People Can Fly
Painkiller Buffer Overflow in Processing Gamespy cd-key Hash Value Lets Remote Users Crash the Game
SecurityTracker Alert ID:  1013066
SecurityTracker URL:  http://securitytracker.com/id/1013066
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 2 2005
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.35 and prior versions
Description:   Luigi Auriemma reported a buffer overflow vulnerability in the Painkiller game software. A remote user can crash the game service.

A remote user can supply a specially crafted Gamespy cd-key hash value that is longer than 100 bytes to trigger a buffer overflow. Characters that can be used in the value are limited to alphanumeric characters.

A remote user can cause the target game service to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/painkkeybof.zip

Impact:   A remote user can cause the target game service to crash.
Solution:   The vendor has issued a fixed version (1.61).
Vendor URL:  www.painkillergame.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Limited buffer-overflow in Painkiller 1.35



#######################################################################

                             Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.35
Platforms:    Windows
Bug:          limited buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         02 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Painkiller is the great FPS game developed by People can Fly
(http://www.peoplecanfly.com) and released in April 2004.


#######################################################################

======
2) Bug
======


The bug is about the buffer that must contain the Gamespy cd-key hash
for the online server-side authorization.
This buffer is limited to 100 bytes (the Gamespy cd-key hash is 72
chars long), so an attacker who uses a longer hash will be able to
overflow the buffer.

However, there are two limitations on the exploitation of this bug: the
first is that only alpha-numeric chars are allowed (1-9, A-Z and a-z),
while the second is not so important since this is an in-game bug, so
if a server is protected by password the attacker must know it.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/painkkeybof.zip


#######################################################################

======
4) Fix
======


Version 1.61.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
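
The class of fix for the boundary error described in this advisory, as an added example that is not code from the advisory, the researcher or the vendor: a server-side check that validates the received hash field before it is copied into the 100-byte buffer. The structure, function and enum names are hypothetical, and rejecting every length other than the normal 72 characters is an assumption about what a server should accept.

```c
#include <stddef.h>
#include <string.h>

#define KEYHASH_BUF 100  /* buffer size given in the advisory */
#define KEYHASH_LEN 72   /* normal Gamespy cd-key hash length given in the advisory */

/* Compile-time guarantee that a valid hash plus its terminator fits. */
_Static_assert(KEYHASH_LEN < KEYHASH_BUF, "hash must fit with NUL terminator");

/* Hypothetical per-client record; the game's real structures are not shown on the page. */
struct client_auth {
    char keyhash[KEYHASH_BUF];
};

enum keyhash_status { KEYHASH_OK = 0, KEYHASH_BAD_LENGTH, KEYHASH_BAD_CHAR };

/* Locale-independent ASCII alphanumeric test. */
static int is_ascii_alnum(unsigned char ch)
{
    return (ch >= '0' && ch <= '9') ||
           (ch >= 'A' && ch <= 'Z') ||
           (ch >= 'a' && ch <= 'z');
}

/*
 * Validate and store a cd-key hash taken from a network packet.
 * `field` is not assumed to be NUL-terminated; `field_len` is the byte
 * count the packet parser attributed to the field. On any failure the
 * stored hash is left empty and nothing from the packet is copied.
 */
enum keyhash_status store_keyhash(struct client_auth *c,
                                  const unsigned char *field, size_t field_len)
{
    size_t i;

    c->keyhash[0] = '\0';

    /* Length is checked before any copy, so oversized input never reaches memcpy. */
    if (field_len != KEYHASH_LEN)
        return KEYHASH_BAD_LENGTH;

    for (i = 0; i < field_len; i++)
        if (!is_ascii_alnum(field[i]))
            return KEYHASH_BAD_CHAR;

    memcpy(c->keyhash, field, field_len);
    c->keyhash[field_len] = '\0';
    return KEYHASH_OK;
}
```

Logging the `KEYHASH_BAD_LENGTH` result with the peer address gives operators a signal for oversized hash fields arriving at the server.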
 
 



Copyright 2019, SecurityGlobal.net LLC