SecurityTracker.com
Category:   Application (Game)  >   Armagetron
Vendors:   armagetron.sourceforge.net
Armagetron Game Service Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1013180
SecurityTracker URL:  http://securitytracker.com/id/1013180
CVE Reference:   CVE-2005-0369, CVE-2005-0370, CVE-2005-0371
Date:  Feb 15 2005
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.2.6.0 and prior versions
Description:   Several vulnerabilities were reported in Armagetron. A remote user can cause the target game service to crash.

A remote user can send a packet containing a specially crafted descriptor ID with a value greater than 400 to trigger an array overflow and cause the game to crash [CVE: CVE-2005-0369].

A remote user can also send a large claim_id to trigger an overflow in the ANET_AddrCompare() function.
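
Both overflows above come from using a client-supplied 16-bit value as an array index without a range check. The C sketch below is an added example, not the game's code: the sizes 400 and 18 come from the source message quoted on this page, while the packet layout and the names check_packet, demo and on_chat are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DESCRIPTORS 400 /* descriptor array size given in the advisory */
#define MAX_PEERS 18        /* peers array size given in the advisory */

enum pkt_status { PKT_OK, PKT_TOO_SHORT, PKT_BAD_DESCRIPTOR, PKT_NO_HANDLER, PKT_BAD_CLAIM_ID };

typedef void (*handler_fn)(const uint8_t *payload, size_t len);
static handler_fn descriptors[MAX_DESCRIPTORS]; /* NULL = slot not registered */

static void on_chat(const uint8_t *payload, size_t len) { (void)payload; (void)len; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Assumed layout: [descriptor:2][payload...][claim_id:2], big-endian.
 * Both 16-bit fields are client-controlled, so both are range-checked
 * before they are used as an index. Note ">=": 400 itself is out of range. */
enum pkt_status check_packet(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 4)
        return PKT_TOO_SHORT;
    uint16_t desc = rd16(buf);
    uint16_t claim = rd16(buf + len - 2);
    if (desc >= MAX_DESCRIPTORS)
        return PKT_BAD_DESCRIPTOR;
    if (descriptors[desc] == NULL)
        return PKT_NO_HANDLER;
    if (claim >= MAX_PEERS)
        return PKT_BAD_CLAIM_ID;
    descriptors[desc](buf + 2, len - 4);
    return PKT_OK;
}

/* Builds a constructed 6-byte packet and returns the validation result. */
enum pkt_status demo(uint16_t desc, uint16_t claim)
{
    uint8_t pkt[6] = { (uint8_t)(desc >> 8), (uint8_t)desc, 0xAA, 0xBB,
                       (uint8_t)(claim >> 8), (uint8_t)claim };
    descriptors[7] = on_chat; /* hypothetical registered descriptor */
    return check_packet(pkt, sizeof pkt);
}

int main(void)
{
    printf("%d %d %d %d\n", demo(7, 3), demo(400, 3), demo(8, 3), demo(7, 18));
    return 0;
}
```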

A remote user can send an empty UDP packet to cause the target service to enter a wait state and fail to service any other packets until a new map starts [CVE: CVE-2005-0370].

A demonstration exploit for the three previous denial of service vulnerabilities is available at:

http://aluigi.altervista.org/poc/atronboom.zip

A remote user can also cause the game server and all connected game clients to freeze by making a large number of [fake] players join the game [CVE: CVE-2005-0371].

A demonstration exploit is available at:

http://aluigi.altervista.org/fakep/atronfp.zip

Luigi Auriemma reported these vulnerabilities.

Impact:   A remote user can cause the target game service to crash.
Solution:   No solution was available at the time of this entry. The software is no longer supported by the vendor.
Vendor URL:  armagetron.sourceforge.net/
Cause:   Boundary error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Crashes and socket unreachable in Armagetron Advanced 0.2.7.0



#######################################################################

                             Luigi Auriemma

Application:  Armagetron
                http://armagetron.sourceforge.net
              Armagetron Advanced
                http://armagetronad.sourceforge.net
Versions:     Armagetron          <= 0.2.6.0
              Armagetron Advanced <= 0.2.7.0
Platforms:    multiplatform (Windows, Linux and others)
Bugs:         A] crash caused by big descriptor ID
              B] crash caused by big claim_id
              C] socket unreachable through empty packet
              D] fake players temporary freeze
Exploitation: remote, versus server
Date:         10 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Armagetron is the well known and played open source multiplayer game
developed by Manuel Moos.
Recently the project Armagetron (until version 0.2.6.0) has been
declared dead and its unofficial successor is Armagetron Advanced.


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] crash caused by big descriptor ID
------------------------------------

The game uses an array of 400 descriptors, but clients can pass their
descriptor ID using 16-bit numbers (so up to 65535).
In short, a packet with an ID greater than 400 is able to crash the server
due to the access to an unallocated zone of the array.


-------------------------------
B] crash caused by big claim_id
-------------------------------

Just like the bug described before, there is a problem in the call to
the ANET_AddrCompare() function, to which the peers structure (an
array of 18 elements) is passed, pointing to the 16-bit value passed by
the client at the end of its packet.


------------------------------------------
C] socket unreachable through empty packet
------------------------------------------

The game uses asynchronous sockets through the usage of FIONREAD that
returns the number of bytes received in the last packet (0 if there are
no new packets).
If the server receives an empty UDP packet it will continue to check
the socket's queue infinitely since there are still 0 bytes and in the
meantime it cannot handle other packets so all the clients will be
automatically disconnected from it.
The situation returns to normal only when a new map starts and, so, the
socket is recreated.


--------------------------------
D] fake players temporary freeze
--------------------------------

Simple, the server and any connected client freeze completely if too
many players join and don't send data (time out). So an attacker can
fill the server with fake players and when a new map starts (races on
Armagetron are short enough) nobody will be able to play on that
server.


#######################################################################

===========
3) The Code
===========


A, B, C] http://aluigi.altervista.org/poc/atronboom.zip

D]       http://aluigi.altervista.org/fakep/atronfp.zip


#######################################################################

======
4) Fix
======


No fix.
I reported the bugs A and D to the author many months ago but then I
lost any contact with him.
I have sent a mail to 2 of the new programmers of the Armagetron
Advanced project explaining all the bugs but have received no reply.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
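
Bug C in the message above rests on an ambiguity in FIONREAD: it reports 0 both when nothing is queued and when the next datagram has no payload. The C program below is an added example, not code from the advisory or the game; it shows this on Linux against its own loopback socket, together with the receive pattern that avoids the stall: test readiness with poll() and always call recv() so the datagram is dequeued. The names probe_empty_datagram and struct probe are made up for this example.

```c
#include <arpa/inet.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

struct probe { int readable_before, fionread, readable_after; long recv_len; };

/* Returns 1 if a datagram is queued on fd within timeout_ms, else 0. */
static int readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, timeout_ms) == 1 && (p.revents & POLLIN);
}

/* Sends one zero-length datagram to our own loopback socket and records
 * what each readiness test reports. Returns 0 on success, -1 on error. */
int probe_empty_datagram(struct probe *out)
{
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    char buf[1500];
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &alen) < 0 ||
        sendto(fd, "", 0, 0, (struct sockaddr *)&a, sizeof a) < 0) {
        close(fd);
        return -1;
    }
    out->readable_before = readable(fd, 1000); /* 1: a datagram is queued */
    if (ioctl(fd, FIONREAD, &out->fionread) < 0) out->fionread = -1;
    out->recv_len = (long)recv(fd, buf, sizeof buf, MSG_DONTWAIT); /* dequeues it */
    out->readable_after = readable(fd, 0);     /* 0: queue is empty again */
    close(fd);
    return 0;
}

int main(void)
{
    struct probe r;
    if (probe_empty_datagram(&r) != 0) return 1;
    printf("poll=%d FIONREAD=%d recv=%ld poll_after=%d\n",
           r.readable_before, r.fionread, r.recv_len, r.readable_after);
    return 0;
}
```

A receive loop that only calls recv() when FIONREAD is non-zero never removes the empty datagram, so everything queued behind it stays unread.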
 
 



Copyright 2019, SecurityGlobal.net LLC