Endless loop in NetPanzer 0.8

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: Endless loop in NetPanzer 0.8
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Wed, 13 Jul 2005 21:31:54 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  NetPanzer
              http://netpanzer.berlios.de
Versions:     <= 0.8
Platforms:    Windows, Linux and Mac
Bugs:         endless loop
Exploitation: remote, versus server (and clients also if useless)
Date:         13 Jul 2005
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


NetPanzer is an open source multiplayer tactical game enough known and
played.


#######################################################################

======
2) Bug
======


The network code doesn't verify the correctness of the 16 bit number
containing the size of the entire data block received from the network.
If an attacker sends the number 0x0000 (the minimum should be 0x0002)
the game enters in an endless loop and nobody can play.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/panzone.zip


#######################################################################

======
4) Fix
======


The SVN version of the game has been fixed:

  http://developer.berlios.de/svn/?group_id=1250


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org

Prev by Date: Advisory: Oracle JDeveloper Plaintext Passwords
Next by Date: [ GLSA 200507-12 ] Bugzilla: Unauthorized access and information disclosure
Previous by thread: Advisory: Oracle JDeveloper Plaintext Passwords
Next by thread: [ GLSA 200507-12 ] Bugzilla: Unauthorized access and information disclosure
Index(es):
- Date
- Thread