Buffer-overflow in Tincat 2 minor than 2.0.28 (Sacred, Settlers 5 and others)
#######################################################################
Luigi Auriemma
Application: Tincat network library
http://www.tincat.de
Versions: Release 2 < 2.0.28
Release 1 should be not vulnerable
Games: - Sacred <= 1.8.2.6
- The Settlers: Heritage of Kings <= 1.02
- other applications, a partial list in german is
available at the following link but I cannot confirm if
they are vulnerable:
http://www.tincat.de/index.php?topic=5
Platforms: Windows, Linux and Sun Solaris
Bug: buffer-overflow
Exploitation: remote, versus server
Date: 28 Mar 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Tincat is a network library for games and has been developed by the
german guys of Instance Four (http://www.instancefour.com).
It is used in some games like the recents and well known Sacred
(http://www.sacred-game.com) and The Settlers: Heritage of Kings
(http://www.thesettlers.com).
#######################################################################
======
2) Bug
======
The library is affected by a buffer-overflow in the function that logs
the players entered in the server letting an attacker to execute
malicious code on the victim system.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/tincat2bof.zip
#######################################################################
======
4) Fix
======
The library has been patched from build 28 (2.0.28).
Actually "The Settlers: Heritage of Kings" 1.03 is the only game that
uses the new patched library.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org