Multiple vulnerabilities in Yager 5.24
#######################################################################
Luigi Auriemma
Application: Yager
http://www.yager-game.de
Versions: <= 5.24
Platforms: Windows
Bugs: A] nickname buffer-overflow
B] data block buffer-overflow
C] freeze caused by incomplete data block
D] various crashes caused by corrupted data
Exploitation: remote, versus server and clients
Date: 14 Apr 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Yager is a futuristic air combat game developed by Yager Development
(http://www.yager.de) and published by THQ (http://www.thq.de) and
DreamCatcher Interactive (http://www.dreamcatchergames.com).
It was released in September 2003.
Note: this game supports only LAN and direct-IP multiplayer, so there
is no master server holding the list of online servers (unlike almost
all other existing multiplayer games).
#######################################################################
=======
2) Bugs
=======
---------------------------
A] nickname buffer-overflow
---------------------------
The game is affected by a buffer-overflow in the nickname field (ID
0x1e) that can allow an attacker to execute arbitrary code.
-----------------------------
B] data block buffer-overflow
-----------------------------
The buffer used to receive the data from the socket is 256 bytes long,
while the maximum size of a data block is 65536 bytes (a 16-bit
length), causing a buffer-overflow.
-----------------------------------------
C] freeze caused by incomplete data block
-----------------------------------------
The server and the clients connected to it can be easily frozen by
sending incomplete data. The problem is that the game is synchronized
with the receiving of the network data, so it is blocked until all the
expected data has been received.
For example, the header of the data blocks is 10 bytes long, so if we
send 9 or fewer bytes we are able to freeze the game.
-------------------------------------------
D] various crashes caused by corrupted data
-------------------------------------------
The game doesn't perform enough checks to verify the correctness of the
data received, so it is possible to cause various crashes through the
use of malformed data.
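The four bugs above share one root cause: lengths taken from the wire
are trusted, and the receive path blocks until they are satisfied. The
following C code is an added illustration of how a receiver avoids all
four classes of problem; it is not Yager's code and not from the
author's proof of concept. The advisory states only that the header is
10 bytes and the block length is a 16-bit value, so the field offsets,
the little-endian length at offset 0, the 32-byte nickname limit and
the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example (NOT Yager's real wire format):
 *   - header is 10 bytes (matches the advisory)
 *   - a 16-bit little-endian payload length sits at offset 0 (assumption)
 *   - the receive buffer is 256 bytes (matches the advisory)
 *   - nicknames are limited to NICK_MAX-1 characters (assumption)   */
#define HDR_LEN   10
#define RECV_BUF  256
#define NICK_MAX  32

enum parse_status {
    PARSE_OK        = 0,
    PARSE_NEED_MORE = 1,   /* header or payload incomplete: do not block, come back later */
    PARSE_TOO_LARGE = 2,   /* declared length would not fit the fixed buffer */
    PARSE_BAD_FIELD = 3    /* field fails a sanity check */
};

struct block_view {
    uint16_t       len;      /* validated payload length */
    const uint8_t *payload;  /* points into the caller's receive buffer */
};

/* Parse one data block from `avail` bytes already received.
 * Returning PARSE_NEED_MORE instead of blocking is what prevents the
 * freeze of bug C; refusing len > buffer space is what prevents bug B. */
enum parse_status parse_block(const uint8_t *buf, size_t avail,
                              struct block_view *out)
{
    if (avail < HDR_LEN)
        return PARSE_NEED_MORE;              /* e.g. only 9 bytes arrived */

    uint16_t len = (uint16_t)(buf[0] | (buf[1] << 8));   /* assumed field */
    if (len > RECV_BUF - HDR_LEN)
        return PARSE_TOO_LARGE;              /* up to 65535 declared, 246 available */

    if (avail < (size_t)HDR_LEN + len)
        return PARSE_NEED_MORE;              /* payload still in flight */

    out->len     = len;
    out->payload = buf + HDR_LEN;
    return PARSE_OK;
}

/* Copy a nickname field (ID 0x1e in the advisory) into a fixed buffer,
 * always leaving room for the terminating NUL (bug A). */
enum parse_status copy_nickname(const uint8_t *field, size_t field_len,
                                char *dst, size_t dst_size)
{
    if (dst_size == 0)
        return PARSE_BAD_FIELD;
    if (field_len >= dst_size)
        return PARSE_TOO_LARGE;              /* would overflow, reject instead */
    memcpy(dst, field, field_len);
    dst[field_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: a 10-byte header declaring 3 payload bytes. */
    uint8_t sample[HDR_LEN + 3] = { 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'a', 'b', 'c' };
    struct block_view v;

    printf("full block: status %d\n", parse_block(sample, sizeof sample, &v));
    printf("9 bytes only: status %d\n", parse_block(sample, 9, &v));

    char nick[NICK_MAX];
    printf("nickname: status %d\n",
           copy_nickname((const uint8_t *)"pilot", 5, nick, sizeof nick));
    return 0;
}
```

A caller that gets PARSE_NEED_MORE should return to the game loop and
drop the connection after a deadline rather than spin on the socket;
PARSE_TOO_LARGE and PARSE_BAD_FIELD should close the connection, since
a well-behaved peer never sends such a block.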
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/yagerbof.zip
#######################################################################
======
4) Fix
======
No fix.
A patch should be released soon.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org