
Buffer-overflow in the Asura engine



#######################################################################

                             Luigi Auriemma

Application:  Asura engine (network SDK)
              http://www.rebellion.co.uk
Games:        Rogue Trooper                                      <= 1.0
              Prism: Guard Shield                            <= 1.1.1.0
              ...possibly others...
Platforms:    Windows
Bug:          challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         22 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol that leads to the vulnerability reported
in this advisory; the older games were based on DirectPlay (Judge
Dredd) and the Gamespy SDK (Sniper Elite).


#######################################################################

======
2) Bug
======


A buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the challenge B query.
In this function the data passed by the client is copied, without any
check on its length, into a 256-byte stack buffer that is used to send
the same data back to the client, something similar to a ping.
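The defect described above is an unbounded copy of client-controlled data
into a fixed 256-byte stack buffer. The following handler is an added
example written for this page, not code from the Asura engine or from the
advisory author: the engine's real function, packet layout and names are
not public, so `handle_challenge_echo`, its result codes and the
payload/length calling convention are assumptions. It shows the one check
whose absence the advisory reports (refusing a payload larger than the
reply buffer before copying) together with constructed sample payloads.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the stack buffer named in the advisory. */
#define ECHO_BUF_SIZE 256

/* Hypothetical result codes for this example handler (not from the advisory). */
enum echo_result { ECHO_OK = 0, ECHO_TOO_LONG = 1 };

/*
 * Hardened echo handler (hypothetical shape).
 *
 * The vulnerable pattern the advisory describes is the same function with
 * the length check removed: the client payload is copied straight into
 * `reply` and anything past 256 bytes overwrites the stack.  Here the copy
 * happens only after the length has been validated.
 *
 * `out` must point to at least ECHO_BUF_SIZE bytes; it stands in for the
 * socket send back to the client so the result can be inspected.
 */
enum echo_result handle_challenge_echo(const uint8_t *payload, size_t len,
                                       uint8_t *out, size_t *out_len)
{
    uint8_t reply[ECHO_BUF_SIZE];

    /* The missing check: reject, do not truncate or overrun. */
    if (payload == NULL || out == NULL || len > sizeof reply) {
        *out_len = 0;
        return ECHO_TOO_LONG;
    }

    /* Safe only because len <= sizeof reply was established above. */
    memcpy(reply, payload, len);

    /* Echo the validated data back (stand-in for sending to the client). */
    memcpy(out, reply, len);
    *out_len = len;
    return ECHO_OK;
}

int main(void)
{
    uint8_t out[ECHO_BUF_SIZE];
    size_t n;

    /* Constructed sample payloads, not captured traffic. */
    uint8_t small[16] = "challenge-probe";
    uint8_t big[300];
    memset(big, 'A', sizeof big);

    enum echo_result r1 = handle_challenge_echo(small, sizeof small, out, &n);
    printf("16-byte payload:  result=%d echoed=%zu bytes\n", (int)r1, n);

    enum echo_result r2 = handle_challenge_echo(big, sizeof big, out, &n);
    printf("300-byte payload: result=%d echoed=%zu bytes\n", (int)r2, n);

    return 0;
}
```

A server-side handler for any "echo this back" packet should also log or
count rejections: a stream of oversized challenge payloads against a game
server is the observable trace of this bug class being exercised.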


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/asurabof.zip


#######################################################################

======
4) Fix
======


No fix.
Rebellion is one of those vendors which have never replied to my past
mails.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org