ID SECURITYVULNS:DOC:5712 Type securityvulns Reporter Securityvulns Modified 2004-02-04T00:00:00
Description
Luigi Auriemma
Application: Chaser
http://www.chasergame.com
Versions: <= 1.50
Platforms: Windows
Bug: crash (reading of unallocated memory)
Risk: high
Exploitation: remote, both server and client are vulnerable
Date: 03 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.
======
2) Bug
======
The structure of a Chaser packet is like the following:
00 00 00 00 00 ff 00 00
The diagram marks two fields in this header, in this order:
  16 bit checksum
    http://aluigi.altervista.org/papers/chaser_crc.h
  size of the data starting at offset 14
The problem lies in the value specifying the size of the data: if it
is too big, the game reads the full amount of data specified and
reaches an unallocated memory zone, which causes an exception.
The following is the instruction that causes the crash in the dedicated
server 1.50:
:0050C89F F3A5 rep movsd
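The missing check described above, as an added example (not code from the advisory or from the game): a receiver that validates the declared size before it copies anything. Only the data offset 14 comes from the advisory; the size field's position and width, the buffer capacity and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DATA_OFF comes from the advisory ("data starting at offset 14").
 * SIZE_OFF, the 16-bit little-endian width and MAX_DATA are hypothetical:
 * the advisory does not give the size field's position or width. */
#define DATA_OFF 14u
#define SIZE_OFF 4u
#define MAX_DATA 512u

enum pkt_status { PKT_OK, PKT_TOO_SHORT, PKT_SIZE_GT_DATAGRAM, PKT_SIZE_GT_BUFFER };

/* Copy the payload only after the declared size has been checked against
 * the bytes actually received and against the destination capacity. */
enum pkt_status copy_payload(const uint8_t *pkt, size_t pkt_len,
                             uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (pkt_len < DATA_OFF)
        return PKT_TOO_SHORT;               /* header itself is incomplete */
    size_t declared = (size_t)pkt[SIZE_OFF] | ((size_t)pkt[SIZE_OFF + 1] << 8);
    if (declared > pkt_len - DATA_OFF)
        return PKT_SIZE_GT_DATAGRAM;        /* would read past the datagram */
    if (declared > dst_cap)
        return PKT_SIZE_GT_BUFFER;          /* would write past dst */
    memcpy(dst, pkt + DATA_OFF, declared);
    *out_len = declared;
    return PKT_OK;
}

/* Constructed test datagram: zero-filled, declaring `declared` payload
 * bytes while `total_len` bytes are treated as received. */
enum pkt_status check_constructed(uint16_t declared, size_t total_len)
{
    uint8_t pkt[DATA_OFF + 2 * MAX_DATA] = {0}, dst[MAX_DATA];
    size_t n = 0;
    if (total_len > sizeof pkt)
        total_len = sizeof pkt;
    pkt[SIZE_OFF] = (uint8_t)(declared & 0xff);
    pkt[SIZE_OFF + 1] = (uint8_t)(declared >> 8);
    return copy_payload(pkt, total_len, dst, sizeof dst, &n);
}

int main(void)
{
    printf("honest=%d oversized=%d\n",
           check_constructed(4, 18), check_constructed(0xffff, 18));
    return 0;
}
```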
===========
3) The Code
===========
To test the Chaser server:
http://aluigi.altervista.org/poc/chasercrash.zip
The vulnerability also affects the client, but naturally the danger
there is really minimal. I have also released a proof-of-concept to
test this case:
http://aluigi.altervista.org/poc/chaser-client.zip
======
4) Fix
======
No fix.
Cauldron has not replied to my mails.