Bugtraq: Socket unreachable in Amp II engine


From: Luigi Auriemma <aluigi_at_autistici.org>
Date: Thu, 6 Jan 2005 18:45:24 +0000

#######################################################################

                             Luigi Auriemma

Application: Amp II 3D engine
              http://www.4drulers.com/amp.html
Versions: any version since there is no patch available
Games: Gore: Ultimate Soldier <= 1.50
              ... possibly others ...
Platforms: Windows
Bug: socket unreachable
Exploitation: remote, versus server
Date: 06 Jan 2005
Author: Luigi Auriemma
              e-mail: aluigi_at_autistici.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Amp II engine is a game engine developed by 4d Rules
(http://www.4drulers.com) and Slam Software
(http://www.slamsoftware.com).
The only game released using this engine seems to be Gore
(http://www.4drulers.com/gore/) dated June 2002.

#######################################################################

======
2) Bug
======

The code used by the engine to handle UDP packets is similar to the
following:

  if(select(sock, &read_set, NULL, NULL, &timeout_zero)
    < 0) socket_error();
  ...
  // FIONREAD reports the size of the first datagram in the socket's queue
  if(ioctlsocket(sock, FIONREAD, &packet_length)
    < 0) socket_error();
  if(packet_length) {   // a zero-byte datagram fails this check and is never dequeued
    // read socket data
  }

The problem lies in the if(packet_length) check (meaning "if packet_length
is non-zero"). FIONREAD returns the size of the first datagram in the
socket's queue, so if an attacker sends a zero-byte UDP packet to the
server, packet_length stays equal to zero and the check never succeeds.
The engine then enters an infinite loop: select() keeps reporting the same
empty UDP packet as readable, but its content is never read and the
socket's queue is never drained.

In short, a single zero-byte UDP packet is enough to silently halt the
match on the server.
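As an added illustration, not part of the advisory or of the engine's code, the following places the engine's FIONREAD-only decision beside a hardened read loop that always calls recvfrom() once select() reports readability, so an empty datagram is dequeued instead of spinning the loop. It assumes POSIX sockets, with ioctl(FIONREAD) standing in for ioctlsocket(); the loopback fixture and its datagrams are constructed for the test.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/ioctl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* select() readiness check; wait_sec = 0 mirrors the engine's timeout_zero. */
static int socket_readable(int sock, int wait_sec) {
    fd_set read_set;
    struct timeval tv = {wait_sec, 0};
    FD_ZERO(&read_set);
    FD_SET(sock, &read_set);
    return select(sock + 1, &read_set, NULL, NULL, &tv) > 0;
}

/* The engine's decision: read only if FIONREAD reports a non-zero length, so a
 * queued zero-byte datagram yields 0 and is never dequeued (-1 on ioctl error). */
int vulnerable_would_read(int sock) {
    int packet_length = 0;
    if (ioctl(sock, FIONREAD, &packet_length) < 0) return -1;
    return packet_length != 0;
}

/* Hardened handler: once select() says readable, always recvfrom(), which
 * dequeues the datagram even when it carries 0 bytes; max_iter bounds the loop. */
int drain_ready_datagrams(int sock, int max_iter) {
    char buf[2048];
    int consumed = 0;
    while (consumed < max_iter && socket_readable(sock, 0)) {
        struct sockaddr_in from; socklen_t fromlen = sizeof(from);
        if (recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *)&from, &fromlen) < 0)
            break;      /* genuine socket error; a return of 0 is an empty datagram */
        consumed++;
    }
    return consumed;
}

/* Constructed test fixture: one len-byte datagram delivered to a fresh loopback UDP socket, which is returned (-1 on failure). */
int loopback_socket_with_datagram(const char *payload, size_t len) {
    int srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = {.sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK)};
    socklen_t alen = sizeof(a);                    /* sin_port 0: kernel picks a port */
    if (srv < 0 || cli < 0 || bind(srv, (struct sockaddr *)&a, alen) < 0) return -1;
    getsockname(srv, (struct sockaddr *)&a, &alen);
    sendto(cli, payload, len, 0, (struct sockaddr *)&a, alen);
    close(cli);
    socket_readable(srv, 1);                       /* wait up to 1 s for loopback delivery */
    return srv;
}
```

With a zero-byte datagram queued, vulnerable_would_read() answers 0 while select() still reports the socket readable, which is exactly the stall condition; drain_ready_datagrams() consumes it in one iteration.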

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/amp2zero.zip

#######################################################################

======
4) Fix
======

The Amp II engine is no longer supported, and a patch for Gore will
probably be released in the future.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
Received on Jan 06 2005
