SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Warrior Kings Vendors:   Empire Interactive
Warrior Kings Game Format String Flaw May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014040
SecurityTracker URL:  http://securitytracker.com/id/1014040
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 24 2005
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.3 and prior versions
Description:   Luigi Auriemma reported a vulnerability in the 'Warrior Kings' game software. A remote user may be able to execute arbitrary code on the target system.

The game software contains a format string flaw in the processing of screen text. A remote user can send a specially crafted nickname (for example) to trigger this flaw and potentially execute arbitrary code on the target system.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/warkingsfs.zip

Impact:   A remote user may be able to execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Cause:   Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Format string and crash in Warrior Kings 1.3 and Battles 1.23



#######################################################################

                             Luigi Auriemma

Application:  Warrior Kings: Battles
                http://www.warriorkingsbattles.com
              Warrior Kings
               
http://www.empireinteractive.com/games/product.asp?PID=CCD3E776-8DDB-4A4C-8A19-922D58804A24
Versions:     Warrior Kings: Battles <= 1.23
              Warrior Kings          <= 1.3
Platforms:    Windows
Bugs:         A] format string
              B] crash
Exploitation: remote, versus server
Date:         23 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Warrior Kings: Battles is a real-time strategy game developed by
Black Cactus (http://www.blackcactus.co.uk) and released in March 2003.
The game is published by Empire Interactive and Strategy First.

Warrior Kings instead is published by Microids and Empire Interactive
and has been released exactly one year before its successor.


#######################################################################

=======
2) Bugs
=======

----------------
A] format string
----------------

The game is affected by a format string bug in the function used to
visualize the text on the screen. The best and simplest way to exploit
the bug is through a malformed nickname.
The only limitation is that the attacker cannot exploit the bug if the
server is locked.


--------
B] crash
--------

A partial join packet causes the crash of the server due to the access
to a NULL pointer.
Only Warrior Kings Battles seems affected by this problem.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/wkbbugs.zip
http://aluigi.altervista.org/poc/warkingsfs.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the vendor.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC