Limited \secure\ buffer-overflow in some old Monolith games

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: Limited \secure\ buffer-overflow in some old Monolith games
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Fri, 8 Oct 2004 19:11:20 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Applications: Some old games developed by Monolith
              http://www.lith.com
Versions:     - Alien versus Predator 2                      <= 1.0.9.6
              - Blood 2                                      <= 2.1
              - No one lives forever                         <= 1.004
              - Shogo                                        <= 2.2
Platforms:    Windows
Bug:          limited buffer overflow
Exploitation: remote, versus server
Date:         08 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain have been released
before the 2002 but are still very played online.


#######################################################################

======
2) Bug
======


The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.

The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/lithsec.zip


#######################################################################

======
4) Fix
======


No official fix, probably these games are no longer supported and,
however, I have received no reply from the developers.

Fortunately creating a work-around for this bug is very easy because is
only needed to set the "secure" string to NULL.
The following are my unofficial patches:

 Alien versus Predator 2   1.0.9.6
    http://aluigi.altervista.org/patches/avp2-1096-fix.zip

 Blood 2                   2.1
    http://aluigi.altervista.org/patches/blood2-21-fix.zip

 No one lives forever      1.004
    http://aluigi.altervista.org/patches/nolf1004-fix.zip

 Shogo                     2.2
    http://aluigi.altervista.org/patches/shogo22-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Prev by Date: TSLSA-2004-0053 - cyrus-sasl
Next by Date: ASP.NET cannonicalization issue
Previous by thread: TSLSA-2004-0053 - cyrus-sasl
Next by thread: ASP.NET cannonicalization issue
Index(es):
- Date
- Thread