Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Limited \secure\ buffer-overflow in some old Monolith games
From: Luigi Auriemma <aluigi () autistici org>
Date: Fri, 8 Oct 2004 19:11:20 +0000


#######################################################################

                             Luigi Auriemma

Applications: Some old games developed by Monolith
              http://www.lith.com
Versions:     - Alien versus Predator 2                      <= 1.0.9.6
              - Blood 2                                      <= 2.1
              - No one lives forever                         <= 1.004
              - Shogo                                        <= 2.2
Platforms:    Windows
Bug:          limited buffer overflow
Exploitation: remote, versus server
Date:         08 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi () altervista org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Monolith is the developer of the famous Lithtech engine.
The games affected by the bug I'm going to explain have been released
before the 2002 but are still very played online.


#######################################################################

======
2) Bug
======


The bug is a classical buffer-overflow happening when an attacker sends
a \secure\ Gamespy query followed by at least 68 chars.

The limitation of this vulnerability is in the bytes that overwrite the
small buffer because only those from 0x20 to 0x7f are allowed while the
others are truncated during some internal steps.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/lithsec.zip


#######################################################################

======
4) Fix
======


No official fix, probably these games are no longer supported and,
however, I have received no reply from the developers.

Fortunately creating a work-around for this bug is very easy because is
only needed to set the "secure" string to NULL.
The following are my unofficial patches:

 Alien versus Predator 2   1.0.9.6
    http://aluigi.altervista.org/patches/avp2-1096-fix.zip

 Blood 2                   2.1
    http://aluigi.altervista.org/patches/blood2-21-fix.zip

 No one lives forever      1.004
    http://aluigi.altervista.org/patches/nolf1004-fix.zip

 Shogo                     2.2
    http://aluigi.altervista.org/patches/shogo22-fix.zip


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Limited \secure\ buffer-overflow in some old Monolith games Luigi Auriemma (Oct 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault