Remote crash of Chaser game <= 1.50
#######################################################################
Luigi Auriemma
Application: Chaser
http://www.chasergame.com
Versions: <= 1.50
Platforms: Windows
Bug: crash (read of unallocated memory)
Risk: high
Exploitation: remote, both server and client are vulnerable
Date: 03 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.
#######################################################################
======
2) Bug
======
The header of a Chaser packet looks like the following (8 header bytes
shown, all zero except the size byte):
00 00 00 00 00 ff 00 00
The first field is a 16 bit checksum; the algorithm used to compute it is
available here:
http://aluigi.altervista.org/papers/chaser_crc.h
A later field in the header specifies the size of the data starting at
offset 14.
The problem is entirely in that size value: the game trusts it and reads
the whole amount of data it specifies, so a size bigger than the packet
actually received makes the copy run past the buffer into an unallocated
memory zone, which raises an exception and kills the process.
The following is the instruction that causes the crash in the dedicated
server 1.50:
:0050C89F F3A5 rep movsd
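The following is an added example written for this page, not code from
the advisory, the PoC archives, or Cauldron's engine. It models the bug
class above in C: a handler that trusts the size field (memcpy stands in
for the rep movsd of the 1.50 server) next to one that first compares the
declared size with the number of bytes actually received. The header
layout is an assumption for the sake of the example (checksum at offset 0,
16 bit little-endian size at offset 4, data at offset 14); the advisory
only states the checksum field and the data offset, not the position of
the size field, and the checksum is not modelled here.

```c
/* Added example, not the advisory's or Cauldron's code.
 * ASSUMED layout: 16-bit checksum at offset 0, 16-bit little-endian data
 * size at offset 4 (not stated in the advisory), data at offset 14. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   14    /* advisory: data starts at offset 14           */
#define SIZE_OFF   4    /* ASSUMED offset of the 16-bit size field      */
#define MAX_DATA 1024   /* receiving buffer size used in this example   */

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable handler: the size field is trusted, so the copy (the rep movsd
 * of the 1.50 server) reads 'size' bytes after the header even when the
 * datagram is shorter. A size of 0xffff walks ~64 KB past the end of the
 * received packet and eventually touches unallocated memory. Never call
 * this with a size larger than the data that follows the header. */
int handle_packet_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *out)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t size = rd16le(pkt + SIZE_OFF);
    memcpy(out, pkt + HDR_LEN, size);      /* BUG: size never compared to pkt_len */
    return size;
}

/* Checked handler: the declared size must fit inside the bytes actually
 * received and inside the destination buffer. */
int handle_packet_checked(const uint8_t *pkt, size_t pkt_len,
                          uint8_t *out, size_t out_len)
{
    if (pkt_len < HDR_LEN) return -1;
    uint16_t size = rd16le(pkt + SIZE_OFF);
    if (size > pkt_len - HDR_LEN) return -2;   /* claims more data than arrived */
    if (size > out_len) return -3;             /* would overflow destination   */
    memcpy(out, pkt + HDR_LEN, size);
    return size;
}

/* Build a constructed packet: zeroed header, size field set to 'declared',
 * followed by 'data_len' bytes of payload. Returns the total packet length. */
size_t build_packet(uint8_t *buf, size_t buf_len, uint16_t declared,
                    const uint8_t *data, size_t data_len)
{
    if (buf_len < HDR_LEN + data_len) return 0;
    memset(buf, 0, HDR_LEN);
    buf[SIZE_OFF]     = (uint8_t)(declared & 0xff);
    buf[SIZE_OFF + 1] = (uint8_t)(declared >> 8);
    memcpy(buf + HDR_LEN, data, data_len);
    return HDR_LEN + data_len;
}

/* Run the checked handler on a constructed packet that carries 4 data bytes
 * but declares 'declared' bytes: returns 4 for an honest packet and -2 for
 * the oversized length that triggers the crash in the unchecked version. */
int probe(uint16_t declared)
{
    const uint8_t payload[4] = { 'C', 'H', 'A', 'S' };   /* constructed data */
    uint8_t pkt[HDR_LEN + sizeof payload];
    uint8_t out[MAX_DATA];
    size_t n = build_packet(pkt, sizeof pkt, declared, payload, sizeof payload);
    return handle_packet_checked(pkt, n, out, sizeof out);
}

int main(void)
{
    printf("honest packet  (size 4)      -> %d\n", probe(4));
    printf("oversized size (size 0xffff) -> %d\n", probe(0xffff));
    return 0;
}
```

The check that matters is the comparison against the received length,
not against the destination buffer: the advisory describes a read past the
source, so a handler that only bounds the destination still crashes.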
#######################################################################
===========
3) The Code
===========
To test the Chaser server:
http://aluigi.altervista.org/poc/chasercrash.zip
The vulnerability also affects the client, although there the danger is
naturally minimal; I have released a proof-of-concept to test this case
as well:
http://aluigi.altervista.org/poc/chaser-client.zip
#######################################################################
======
4) Fix
======
No fix.
Cauldron has not replied to my mails.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org