Application:  Chaser
              http://www.chasergame.com
Versions:     <= 1.50
Platforms:    Windows
Bug:          crash (reading of unallocated memory)
Risk:         high
Exploitation: remote, both server and client are vulnerable
Date:         03 Feb 2004
Author:       Luigi Auriemma
              e-mail: firstname.lastname@example.org
              web:    http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============
Chaser is a first person shooter developed by Cauldron (http://www.cauldron.sk) using the CloakNT game engine.
======
2) Bug
======
The structure of a Chaser packet is like the following:
  00 00 00 00 00 ff 00 00
  |              |
  |              size of the data starting at offset 14
  16 bit checksum
  http://aluigi.altervista.org/papers/chaser_crc.h

The problem is in the value specifying the size of the data: if it is too big, the game reads the whole amount of data specified and reaches an unallocated memory zone, which causes an exception. The following is the instruction that causes the crash in the dedicated server 1.50:
:0050C89F F3A5 rep movsd
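A receive-side check of the kind that prevents this read, rejecting any datagram whose size field claims more bytes than were actually received; this is an added illustration, not code from the advisory or from Cauldron, and the size-field offset, its little-endian byte order and the 14-byte header length are assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout assumptions (the advisory only states "data starts at offset 14"
   and "16 bit checksum"): the size field is read as a little-endian 16-bit
   value at CHASER_SIZE_OFFSET and the header is CHASER_HEADER_LEN bytes. */
#define CHASER_HEADER_LEN  14
#define CHASER_SIZE_OFFSET 5

/* Returns the number of payload bytes that may safely be read from pkt,
   or -1 when the size field claims more bytes than were actually received
   (the condition under which the game's rep movsd runs off the end). */
static int chaser_payload_len(const unsigned char *pkt, size_t len)
{
    if (pkt == NULL || len < CHASER_HEADER_LEN)
        return -1;                                  /* truncated header */
    unsigned claimed = pkt[CHASER_SIZE_OFFSET] |
                       ((unsigned)pkt[CHASER_SIZE_OFFSET + 1] << 8);
    if (claimed > len - CHASER_HEADER_LEN)
        return -1;                                  /* size exceeds datagram */
    return (int)claimed;
}

/* Copies the payload into out only after the size field has been validated
   against both the datagram length and the destination buffer. */
static int chaser_copy_payload(const unsigned char *pkt, size_t len,
                               unsigned char *out, size_t out_len)
{
    int n = chaser_payload_len(pkt, len);
    if (n < 0 || (size_t)n > out_len)
        return -1;
    memcpy(out, pkt + CHASER_HEADER_LEN, (size_t)n);
    return n;
}

/* Constructed sample datagrams: 14-byte header plus 4 payload bytes. */
static const unsigned char kConsistent[18] = { 0, 0, 0, 0, 0, 4, 0, 0 };    /* size 4 */
static const unsigned char kOversized[18]  = { 0, 0, 0, 0, 0, 0, 0x10, 0 }; /* size 0x1000 */

int main(void)
{
    unsigned char out[64];
    printf("consistent: %d\n", chaser_copy_payload(kConsistent, sizeof kConsistent, out, sizeof out));
    printf("oversized:  %d\n", chaser_copy_payload(kOversized, sizeof kOversized, out, sizeof out));
    return 0;
}
```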
===========
3) The Code
===========
To test the Chaser server:
The vulnerability also affects the client, although naturally the danger there is minimal; I have released a proof-of-concept to test this case as well:

======
4) Fix
======
No fix. Cauldron has not replied to my mails.
Luigi Auriemma http://aluigi.altervista.org