Applications: Purge and Purge Jihad
              http://www.purgeonline.net
Versions:     Purge <= 1.4.7
              Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Risk:         highly critical
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
              e-mail: firstname.lastname@example.org
              web:    http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============
Purge Jihad is a game developed by Freeform Interactive using the Lithtech Talon graphic engine:
"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the near future accounting a war between the diametrically opposed forces of science-fiction (the Order) and fantasy (the Chosen)"
======
2) Bug
======
The bug is a "broadcast" buffer overflow affecting clients: each client that enters the multiplayer screen automatically contacts the master server and then sends a query to every available online game server to request information about the match currently running on it.

The attacker's server simply needs to reply to the clients' requests with an information packet containing two oversized fields, battle type and map name. These fields are handled by a vulnerable function that copies the supplied strings into a 64-byte buffer, which cannot hold the maximum size of 256 bytes allowed for each field.
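The advisory describes the defect (a 256-byte field copied into a 64-byte buffer) but not the parsing code itself. The following is an added example, written for this page and not code from Luigi Auriemma or from Purge, showing how a client should handle such an information reply: each field is checked against the destination size before being copied, and an oversized or unterminated field causes the whole packet to be rejected rather than truncated silently. The wire layout (two NUL-terminated strings, battle type followed by map name) and the sample reply built by `build_sample_reply` are constructed assumptions, not the game's real protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the client-side destination buffers named in the advisory. */
#define FIELD_BUF 64
/* Largest field a server may send according to the advisory. */
#define FIELD_MAX_WIRE 256

struct match_info {
    char battle_type[FIELD_BUF];
    char map_name[FIELD_BUF];
};

/* Copy one NUL-terminated field out of the packet into a fixed buffer.
 * Returns the number of packet bytes consumed (including the NUL), or 0 if
 * the field is unterminated within the packet or too long for dst. */
static size_t copy_field_checked(char *dst, size_t dstlen,
                                 const uint8_t *src, size_t srclen)
{
    const uint8_t *nul = memchr(src, 0, srclen);
    if (nul == NULL)
        return 0;                 /* no terminator before end of packet */
    size_t flen = (size_t)(nul - src);
    if (flen >= dstlen)
        return 0;                 /* would overflow dst: reject the field */
    memcpy(dst, src, flen);
    dst[flen] = '\0';
    return flen + 1;
}

/* Parse a reply of the assumed layout "battle_type\0map_name\0".
 * Returns 0 on success, -1 on malformed or oversized input; on failure
 * *out is zeroed so the caller never sees a partially filled struct. */
int parse_info_packet(const uint8_t *pkt, size_t len, struct match_info *out)
{
    memset(out, 0, sizeof *out);
    size_t used = copy_field_checked(out->battle_type, sizeof out->battle_type,
                                     pkt, len);
    if (used != 0) {
        size_t used2 = copy_field_checked(out->map_name, sizeof out->map_name,
                                          pkt + used, len - used);
        if (used2 != 0)
            return 0;
    }
    memset(out, 0, sizeof *out);
    return -1;
}

/* Build a constructed sample reply: a battle type of battle_len 'A' bytes
 * followed by a fixed map name. Returns the number of bytes written, or 0
 * if buf is too small. Test input only, not real game traffic. */
size_t build_sample_reply(uint8_t *buf, size_t buflen, size_t battle_len)
{
    const char *map = "arena01";
    size_t need = battle_len + 1 + strlen(map) + 1;
    if (need > buflen)
        return 0;
    memset(buf, 'A', battle_len);
    buf[battle_len] = '\0';
    memcpy(buf + battle_len + 1, map, strlen(map) + 1);
    return need;
}

int main(void)
{
    uint8_t pkt[2 * FIELD_MAX_WIRE + 2];
    struct match_info mi;

    size_t n = build_sample_reply(pkt, sizeof pkt, 10);
    printf("10-byte battle type:  %s\n",
           parse_info_packet(pkt, n, &mi) == 0 ? "accepted" : "rejected");

    n = build_sample_reply(pkt, sizeof pkt, FIELD_MAX_WIRE);
    printf("256-byte battle type: %s\n",
           parse_info_packet(pkt, n, &mi) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check `flen >= dstlen` (rather than `>`) keeps one byte for the terminator, and rejecting instead of truncating avoids the client later acting on a map name that differs from what the server actually sent.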
===========
3) The Code
===========

======
4) Fix
======
Purge Jihad 2.0.2
Luigi Auriemma
http://aluigi.altervista.org