
Serious Sam is not so serious



#######################################################################

                             Luigi Auriemma

Application:  Serious Sam engine
              http://www.seriousengine.com
Versions:     Versions using TCP protocol in multiplayer:
              - SeriousSam: the First Encounter <= 1.05
              - SeriousSam: the Second Encounter <= 1.05 (1.07 is NOT
                vulnerable)
              - Demos of Serious Sam test 2 2.1a and the demo of the
                Second encounter (oh yeah they are demos but there are
                people that use them)
              - probably also other games based on this engine but I
                wasn't able to test them
Platforms:    Windows
Bug:          Remote crash of the server caused by malformed data
Risk:         Medium
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Serious Sam engine is the great game engine developed by Croteam.
The games based on this engine are "Serious Sam: the first encounter",
"Serious Sam: the second encounter", "Deer Hunter 2003" and
"Carnivores: Cityscape" (probably others?).

As said in the header of this advisory, ONLY the games or the versions
of the engine that use the TCP protocol are vulnerable. In fact the
version 1.07 of "Serious Sam: the second encounter" (a patch released
over one year and a half ago) makes the game incompatible with older
versions because it uses UDP instead of TCP.
This version is NOT vulnerable.

I have also tested the Linux beta version of "Serious Sam: the first
encounter", which uses UDP, and in fact it is NOT vulnerable (the Win32
version instead uses TCP and IS vulnerable).




#######################################################################

======
2) Bug
======


The bug is a remote crash or freeze of the server caused by a malformed
parameter in the data sent by the client.
The following is an example of the original data:

"\x1f\x00\x00\x00"
"\x40\xE1\xDE\x03\xFB\xCA\x2A\xBC\x83\x01\x00\x00\x07\x47\x41\x54"
"\x56\x10\x27\x00\x00\x05\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01"
"\x00\x00\x00\xA0\x0F\x00\x00\x64\x00\x00\x00"


The first parameter, 0x0000001f, is probably the size of the data that
follows it (or something similar); if you modify it, the server shows
different "bad" effects.

For example, values over 0x81000000 crash the server, while other values
such as 0xfffffff0 freeze it.
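The following C is an added illustration, not Croteam's code nor part of this advisory: it shows the kind of bound check a TCP frame reader needs before trusting the size prefix described above. The frame layout (4-byte little-endian size followed by the payload) and the MAX_MSG_LEN limit are assumptions based on the dump quoted here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed sane upper bound for one client message (a value chosen for this
   demonstration, not taken from the engine). */
#define MAX_MSG_LEN 65536u

typedef enum { FRAME_OK, FRAME_NEED_MORE, FRAME_BAD_LEN } frame_status;

/* Decode the 32-bit little-endian prefix byte by byte (no alignment tricks). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate one length-prefixed frame in buf[0..avail). On FRAME_OK, *body and
   *body_len describe the payload; any bytes after it are left to the caller. */
frame_status parse_frame(const uint8_t *buf, size_t avail,
                         const uint8_t **body, uint32_t *body_len) {
    if (avail < 4) return FRAME_NEED_MORE;
    uint32_t len = read_le32(buf);
    /* Bound the length BEFORE allocating for it or waiting for it, and compare
       unsigned: 0x81000000 is negative as an int32 and would pass a signed
       check, while 0xfffffff0 would make a blocking read wait forever. */
    if (len == 0 || len > MAX_MSG_LEN) return FRAME_BAD_LEN;
    if (avail - 4 < (size_t)len) return FRAME_NEED_MORE;
    *body = buf + 4;
    *body_len = len;
    return FRAME_OK;
}

/* Constructed sample: the packet quoted in the advisory (prefix 0x1f = 31). */
static const uint8_t sample_packet[] = {
    0x1f,0x00,0x00,0x00,
    0x40,0xE1,0xDE,0x03,0xFB,0xCA,0x2A,0xBC,0x83,0x01,0x00,0x00,0x07,0x47,0x41,0x54,
    0x56,0x10,0x27,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0xA0,0x0F,0x00,0x00,0x64,0x00,0x00,0x00
};

/* Copy the sample, overwrite its prefix with `len`, and report the verdict. */
frame_status classify_prefix(uint32_t len) {
    uint8_t pkt[sizeof sample_packet];
    const uint8_t *body; uint32_t body_len;
    memcpy(pkt, sample_packet, sizeof pkt);
    pkt[0] = (uint8_t)len;         pkt[1] = (uint8_t)(len >> 8);
    pkt[2] = (uint8_t)(len >> 16); pkt[3] = (uint8_t)(len >> 24);
    return parse_frame(pkt, sizeof pkt, &body, &body_len);
}
```

With the original prefix the parser consumes only the 31 bytes the prefix claims and leaves the remaining 12 bytes of the dump for the caller; the two values the advisory names are rejected before any allocation or read happens.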




#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/ssboom.zip



#######################################################################

======
4) Fix
======


- "Serious Sam: the first encounter":
  No fix.
  I have tried to contact Croteam without success, so it seems there is
  no more support for the Serious Sam games.


- "Serious Sam: the second encounter":
  Simply use the 1.07 patch, which has been available for a long time.
  During my tests I have seen (and not only seen eh eh eh) a lot of
  people still using the 1.05 version, so don't lose time and update
  this fantastic game!!!


- Other games:
  I don't have and have not tested other games (reasons: no demo, the
  demo doesn't support multiplayer, or there were no servers online),
  so I'm not sure whether they are vulnerable or not.



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org