blizzard-dos.txt

2007-08-30T00:00:00
ID PACKETSTORM:58947
Type packetstorm
Reporter Gynvael Coldwind
Modified 2007-08-30T00:00:00

Description

                                        
                                            `HISPASEC  
Security Advisory  
http://blog.hispasec.com/lab/  
  
Name : Blizzard StarCraft Brood War Remote DoS  
Class : Remote/Local DoS  
Threat level : MED  
Discovered : 2007-08-08  
Published : 2007-08-29  
Credit : Gynvael Coldwind  
Vulnerable : StarCraft Brood War 1.15.1 and prior  
StarCraft 1.15.1 and prior may also be affected  
  
  
== Abstract ==  
  
StarCraft is a real-time strategy game by Blizzard Entertainment.  
  
StarCraft fails to handle exceptional conditions when generating a  
minimap preview of a malformed map. Additionally, since StarCraft  
includes a map distribution mechanizm (allowing players that do not  
own a map to download it when entering a game) it is possible to send  
a malformed map to a player that enters the game, and so, remotlly DoS  
his application.  
  
  
== Details ==  
  
When a player enter a StarCraft Brood War game (local, lan game or an  
Internet Battle.net game) a preview of the map is generated. If the  
map was malformed StarCraft tries to read an area which is no  
allocated. This leads to a Denial of Service condition, since  
StarCraft generates a Access Volation (READ) exception which is not  
handled.  
Additionally, if a player enters a multiplayer game, and he does not  
own a map that the game is taking place on, StarCraft download the map  
from other players (not just the creator of the game). If StarCrafts  
download a malformed map from a remote player, it will try to generate  
a minimap and enter the DoS condition (this has been confirmed in  
testing).  
  
Since StarCraft is a full screen DirectX application a DoS may cause a  
need to reboot the whole system on older Windows systems.  
  
Proof of Concept map:  
http://blog.hispasec.com/lab/files/SC_PoC_DoS.scm  
  
Memory patcher disabling minimap preview generation:  
http://blog.hispasec.com/lab/files/SC_Patch.c  
http://blog.hispasec.com/lab/files/SC_Patch.exe (compiled binary)  
  
  
== Vendor status and solution ==  
  
The vendor has been informed but has not yet released a proper patch  
(a fix for this issue was not included in the 1.15.1 patch).  
  
The sollution is to becareful when joining games on unknown maps.  
See SC_Patch.c and SC_Patch.exe (links in the Details section) for a  
memory patcher that disables minimap preview generation in the running  
StarCraft application.  
  
  
== Disclaimer ==  
This document and all the information it contains is provided "as is",  
without any warranty. Hispasec Sistemas is not responsible for the  
misuse of the information provided in this advisory. The advisory is  
provided for educational purposes only.  
  
Permission is hereby granted to redistribute this advisory, providing  
that no changes are made and that the copyright notices and  
disclaimers remain intact.  
  
Copyright (C) 2007 Hispasec Sistemas.  
  
--  
Gynvael Coldwind  
mailto: gynvael@vexillium.org  
mailto: michael@hispasec.com  
`