<<< Date Index >>>     <<< Thread Index >>>

Broadcast memory corruption in Soldier of Fortune II 1.03



#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://sof2.ravensoft.com
Versions:     <= 1.03 gold
Platforms:    Windows, Linux and MacOS
Bug:          memory corruption
Exploitation: remote, versus server and clients (broadcast)
Date:         23 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and released at May 2002.


#######################################################################

======
2) Bug
======


The game is affected by a sprintf() overflow when handles a too big
valid query or reply (in case it acts as server or client), but doesn't
seem possible to execute remote code.

The effects on the server can be the immediate match interruption
(shutdown) caused by the overwriting of some game data or the crash
(that doesn't happen on the Linux dedicated server) depending by the
amount of data received from the attacker.

A worst effect instead happens on clients, in fact the type and the
location of the vulnerability lets a single attacker (visible in the
online master server list) to passively crash any client in the world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/sof2boom.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have not replied to my mails, so I have created a
workaround (limiting from 1024 to 512 the amount of managed data) that
fixes both the client and server bug and can be applied to the Windows
version and to the Linux dedicated server:

  http://aluigi.altervista.org/patches/sof2-103-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org