SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Soldier of Fortune II Vendors:   Raven Software
Soldier of Fortune II cl_guid Input Validation Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1013291
SecurityTracker URL:  http://securitytracker.com/id/1013291
CVE Reference:   CVE-2005-0568   (Links to External Site)
Updated:  Feb 28 2005
Original Entry Date:  Feb 24 2005
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.03 gold and prior versions
Description:   Luigi Auriemma reported a vulnerability in Soldier of Fortune II. A remote user can cause the target game service to crash.

A remote user can send a specially crafted cl_guid value to trigger a memory access error and cause the game server to crash.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/sof2guidboom.zip

Impact:   A remote user can cause the target game server to crash.
Solution:   No solution was available at the time of this entry.

An unofficial workaround is available at:

http://aluigi.altervista.org/patches/sof2-103-guidfix.zip

Vendor URL:  sof2.ravensoft.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (macOS/OS X), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  In-game cl_guid crash in Soldier of Fortune II 1.03



#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://sof2.ravensoft.com
Versions:     <= 1.03 gold
Platforms:    Windows, Linux and MacOS
Bug:          crash caused by invalid memory pointer
Exploitation: remote, versus server (partially in-game)
Date:         24 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released in May 2002.


#######################################################################

======
2) Bug
======


The problem is a crash of the server caused by the access to a wrong
zone of the memory that happens after the handling of a big cl_guid
value passed by the client.

This is a partial in-game bug in fact the attacker must have access to
the server (so if his IP has been banned he cannot access) but he can
attack also servers protected by password without knowing the right
keyword.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/sof2guidboom.zip


#######################################################################

======
4) Fix
======


No fix.
The game is still "officially" unpatched from months so it can be
declared no longer supported.

I have been able to create a work-around only for the Windows version
to check the length of the cl_guid value and reject the clients that
send a value bigger than 64 bytes (the max size of the cl_guid buffer):

  http://aluigi.altervista.org/patches/sof2-103-guidfix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC