Endless loop and resources consumption in Halo 1.0.7.0615
#######################################################################
Luigi Auriemma
Application: Halo: Combat Evolved
http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.0.7.0615 (before 30 Jul 2008)
Platforms: Windows
Bugs: A] endless loop
B] resources consumption
Exploitation: remote, versus server
Date: 06 Aug 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Halo is the great FPS game developed by Bungie Studios and ported on PC
by Gearbox Software (http://www.gearboxsoftware.com).
Although it has been released at the end of 2003, it's still one of the
most played games with hundreds of internet servers.
#######################################################################
=======
2) Bugs
=======
---------------
A] endless loop
---------------
The Halo server is affected by a problem in the handling of a type of
packet which can cause the bypassing of a check used to avoid the
reading of data outside the packet.
The result is an endless loop which freezes the application with CPU at
100%.
------------------------
B] resources consumption
------------------------
When a client occupies the player's slot after joininig the match, the
Halo server continues to send packets to it forever because it stops
only if an ICMP "destination unreachable" or a disconnection packet is
received (doesn't exist a timeout, this is the cause of the problem).
This has been tested personally by me and after a week I was still
receiving these packets because many servers have firewalls which block
ICMP and so there is no way to stop this problem except restarting the
server.
If the player has not occupied the slot yet (so before the handshake
performed by the Gamespy SDK), the sending of packets made by the
server is only 60 seconds long.
So if an attacker has disabled the outgoing ICMP packets, which is
default on any Windows with the firewall activated, he can consume a
part of the network bandwidth of the server and mainly its memory with
the consequent possible crash or hanging of the application.
Note that, as already said, a handshake is required for occupying the
slot so is not possible to spoof the packets which instead is possible
for the second method of the 60 seconds.
#######################################################################
===========
3) The Code
===========
A] http://aluigi.org/poc/haloloop3.zip
B] http://aluigi.org/poc/halonso.zip
#######################################################################
======
4) Fix
======
The hotfix released the 30th July 2008 solves these problems.
Note that this hotfix has the same version number of the previous one
released a month before for the haloloop2 bug: 1.0.7.0615.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org