Purge Jihad Broadcast Response Buffer Overflow Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1009073
CVE Reference: CAN-2004-0290
Updated: Mar 26 2004
Original Entry Date: Feb 16 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.1 and prior versions (also affecting Purge 1.4.7 and prior versions)
Description: A buffer overflow vulnerability was reported in the Purge and Purge Jihad games. A remote game server can execute arbitrary code on a connected client system.
Luigi Auriemma reported that when a client enters the multiplayer screen it contacts the master server and then broadcasts a query to each available game server; a malicious game server can answer that query with a specially crafted information packet that triggers a buffer overflow and executes arbitrary code on the client system.
The 'battle type' and 'map name' fields of the reply can each be up to 256 bytes long, but the client copies them into a 64-byte buffer without checking their length, so an oversized field overflows the buffer.
Some demonstration exploit code is available at:
http://aluigi.altervista.org/poc/purge-cbof.zip
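The following is an added example, not code from this page or from the Purge/Purge Jihad client, showing the class of defect the description above refers to: a client-side handler that copies the two reply fields into 64-byte buffers with strcpy(), beside a hardened version that checks each field against both the packet length and the destination size before copying. The wire format is an assumption made for illustration (two NUL-terminated strings, battle type followed by map name, each at most 256 bytes); the real Purge protocol layout is not given on this page, and the reply bytes are constructed inline by build_reply().

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 256   /* largest field a server may send (per the advisory) */
#define BUF_SIZE   64   /* size of the client's local buffers (per the advisory) */

/* Client-side copy of the two reply fields. */
struct server_info {
    char battle_type[BUF_SIZE];
    char map_name[BUF_SIZE];
};

/* Vulnerable pattern (illustration only, never called with hostile input
 * here): the packet length is ignored and each field is copied with
 * strcpy(), so a field of 64 bytes or more writes past out->battle_type
 * or out->map_name. This is the defect class the advisory describes; the
 * real client's code is not on this page. */
void parse_reply_vulnerable(const char *pkt, size_t pkt_len,
                            struct server_info *out)
{
    const char *battle = pkt;
    const char *map = battle + strlen(battle) + 1;
    (void)pkt_len;                     /* never consulted */
    strcpy(out->battle_type, battle);  /* overflow if strlen(battle) > 63 */
    strcpy(out->map_name, map);        /* overflow if strlen(map) > 63 */
}

/* Hardened field reader: copies the NUL-terminated field at pkt[*off]
 * into dst. Returns 0 on success, -1 if the terminator is not inside the
 * packet or the field does not fit in dst together with its NUL. */
static int read_field(const char *pkt, size_t pkt_len, size_t *off,
                      char *dst, size_t dst_size)
{
    size_t n = 0;
    while (*off + n < pkt_len && pkt[*off + n] != '\0')
        n++;
    if (*off + n >= pkt_len)   /* unterminated: would read past the packet */
        return -1;
    if (n >= dst_size)         /* too long for the client's buffer */
        return -1;
    memcpy(dst, pkt + *off, n);
    dst[n] = '\0';
    *off += n + 1;
    return 0;
}

/* Hardened handler: 0 on success, -1 if the reply is rejected. */
int parse_reply_safe(const char *pkt, size_t pkt_len, struct server_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (read_field(pkt, pkt_len, &off, out->battle_type,
                   sizeof out->battle_type) != 0)
        return -1;
    if (read_field(pkt, pkt_len, &off, out->map_name,
                   sizeof out->map_name) != 0)
        return -1;
    return 0;
}

/* Constructs a reply with a battle type of bt_len 'A's and a map name of
 * mn_len 'B's (a stand-in for what a game server would send). Returns the
 * packet length, or 0 if it would exceed FIELD_MAX or not fit in buf. */
size_t build_reply(char *buf, size_t buf_size, size_t bt_len, size_t mn_len)
{
    size_t total = bt_len + 1 + mn_len + 1;
    if (bt_len > FIELD_MAX || mn_len > FIELD_MAX || total > buf_size)
        return 0;
    memset(buf, 'A', bt_len);
    buf[bt_len] = '\0';
    memset(buf + bt_len + 1, 'B', mn_len);
    buf[total - 1] = '\0';
    return total;
}

int main(void)
{
    char pkt[2 * (FIELD_MAX + 1)];
    struct server_info info;
    size_t len;
    int rc;

    /* Benign reply: both fields fit the 64-byte buffers. */
    len = build_reply(pkt, sizeof pkt, 10, 12);
    rc = parse_reply_safe(pkt, len, &info);
    printf("benign reply:  rc=%d battle='%s' map='%s'\n",
           rc, info.battle_type, info.map_name);

    /* Hostile reply: a 255-byte battle type, as a malicious server would
     * send. parse_reply_vulnerable() would overflow here; the hardened
     * parser rejects it before copying anything. */
    len = build_reply(pkt, sizeof pkt, FIELD_MAX - 1, 5);
    rc = parse_reply_safe(pkt, len, &info);
    printf("hostile reply: rc=%d\n", rc);
    return 0;
}
```

The hardened reader bounds the scan by the packet length as well as the destination size, which matters here because the reply is attacker-controlled and need not contain a terminator at all; rejecting the whole reply rather than truncating a field also avoids silently accepting a server whose advertised match data does not parse.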
Impact: A remote game server can execute arbitrary code on a target client system when the target system broadcasts to the game server.

Solution: The vendor has released a fixed version (2.0.2), available at:
http://www.purgeonline.net/download.shtml

Vendor URL: www.purgeonline.net/

Cause: Boundary error

Underlying OS: Windows (Any)

Message History:
None.

Source Message Contents
Date: Mon, 16 Feb 2004 08:57:20 -0500
Subject: http://aluigi.altervista.org/adv/purge-cbof-adv.txt
http://aluigi.altervista.org/adv/purge-cbof-adv.txt
#######################################################################
Luigi Auriemma
Applications: Purge and Purge Jihad
http://www.purgeonline.net
Versions: Purge <= 1.4.7
Purge Jihad <= 2.0.1
Platforms: Windows
Bug: broadcast client's buffer overflow
Risk: highly critical
Exploitation: remote, versus clients (broadcast)
Date: 16 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Purge Jihad is a game developed by Freeform Interactive using the
Lithtech Talon graphic engine:
"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the
near future accounting a war between the diametrically opposed forces
of science-fiction (the Order) and fantasy (the Chosen)"
#######################################################################
======
2) Bug
======
The bug is a "broadcast" buffer-overflow affecting clients.
In fact each client that enters the multiplayer screen automatically
contacts the master server and then sends a query to each available
online game server to get information about the current match running
on it.
The attacker's server must simply reply to clients' requests with an
information packet containing 2 big fields: battle type and map name.
These fields in fact are managed by a vulnerable function that copies
the provided strings into a 64-byte buffer not able to contain the
maximum size of 256 bytes of each field.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/purge-cbof.zip
#######################################################################
======
4) Fix
======
Purge Jihad 2.0.2
#######################################################################