Broadcast client buffer-overflow in Purge Jihad <= 2.0.1

2004-02-16T00:00:00
ID SECURITYVULNS:DOC:5771
Type securityvulns
Reporter Securityvulns
Modified 2004-02-16T00:00:00

Description

                         Luigi Auriemma

Applications: Purge and Purge Jihad
              http://www.purgeonline.net
Versions:     Purge <= 1.4.7
              Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Risk:         highly critical
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Purge Jihad is a game developed by Freeform Interactive using the Lithtech Talon graphic engine:

"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the near future accounting a war between the diametrically opposed forces of science-fiction (the Order) and fantasy (the Chosen)"

======
2) Bug
======

The bug is a "broadcast" buffer overflow affecting clients. Each client that enters the multiplayer screen automatically contacts the master server and then queries each listed online game server for information about the match currently running on it.

The attacker's server must simply reply to the clients' requests with an information packet containing two oversized fields: battle type and map name. These fields are handled by a vulnerable function that copies the provided strings into a 64-byte buffer, which cannot hold the maximum size of 256 bytes allowed for each field.
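The following C program is an added illustration of the defect class described above and of the check that prevents it; it is not code from the advisory, from Purge, or from the author. The two sizes (a 64-byte destination buffer, fields of up to 256 bytes on the wire) come from the advisory, but the packet layout (two NUL-terminated strings, battle type followed by map name), the function names and the filler bytes are assumptions made for this example. The unchecked copy is shown only for contrast and is never run with a long field; the hardened parser rejects any field that does not fit its buffer instead of truncating silently, so a hostile reply is dropped rather than partially trusted.

```c
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory: the client copies each field into a 64-byte
 * buffer, while the wire format allows each field to be up to 256 bytes. */
#define FIELD_BUF 64
#define WIRE_MAX  256

struct game_info {
    char battle_type[FIELD_BUF];
    char map_name[FIELD_BUF];
};

/* The vulnerable pattern: an unbounded copy of a server-controlled string
 * into a fixed-size buffer. A field of 64 bytes or more writes past the end
 * of dst. Shown for contrast only; called below with a short literal only. */
void copy_field_unchecked(char *dst, const char *src)
{
    strcpy(dst, src); /* no length check at all */
}

/* Hardened copy: refuse any field that does not fit, NUL terminator included. */
int copy_field_checked(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src_len >= dst_len)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Parse an info reply. The layout (two NUL-terminated strings back to back,
 * battle type then map name) is an assumption for this example; the real
 * Purge packet format is not given in the advisory.
 * Returns 0 on success, -1 if a field is unterminated or too long. */
int parse_info_reply(const unsigned char *pkt, size_t pkt_len, struct game_info *out)
{
    char *dst[2] = { out->battle_type, out->map_name };
    size_t pos = 0;

    for (int i = 0; i < 2; i++) {
        const unsigned char *nul = memchr(pkt + pos, '\0', pkt_len - pos);
        if (nul == NULL)
            return -1;                      /* unterminated field */
        size_t flen = (size_t)(nul - (pkt + pos));
        if (flen > WIRE_MAX)
            return -1;                      /* exceeds the protocol maximum */
        if (copy_field_checked(dst[i], FIELD_BUF, (const char *)(pkt + pos), flen) != 0)
            return -1;                      /* would overflow the 64-byte buffer */
        pos += flen + 1;
    }
    return 0;
}

/* Build a constructed reply whose two fields have the requested lengths
 * (filler bytes 'A' and 'B'). Returns the packet length, or 0 if it does not fit. */
size_t build_reply(unsigned char *buf, size_t buf_len, size_t len1, size_t len2)
{
    if (len1 + len2 + 2 > buf_len)
        return 0;
    memset(buf, 'A', len1);
    buf[len1] = '\0';
    memset(buf + len1 + 1, 'B', len2);
    buf[len1 + 1 + len2] = '\0';
    return len1 + len2 + 2;
}

/* Build a constructed reply with the given field lengths and parse it;
 * returns the parser's verdict (0 accepted, -1 rejected, -2 could not build). */
int check_reply(size_t len1, size_t len2)
{
    unsigned char pkt[2 * WIRE_MAX + 2];
    struct game_info info;
    size_t n = build_reply(pkt, sizeof pkt, len1, len2);
    if (n == 0)
        return -2;
    return parse_info_reply(pkt, n, &info);
}

int main(void)
{
    struct game_info info;

    printf("8/12-byte fields:      %d\n", check_reply(8, 12));        /* 0  */
    printf("63/63-byte fields:     %d\n", check_reply(63, 63));       /* 0  */
    printf("64-byte battle type:   %d\n", check_reply(64, 10));       /* -1 */
    printf("256-byte map name:     %d\n", check_reply(10, WIRE_MAX)); /* -1 */

    copy_field_unchecked(info.map_name, "arena"); /* safe only because the input is short */
    printf("unchecked copy of a short literal: %s\n", info.map_name);
    return 0;
}
```

The point the parser makes is that the bound has to be enforced against the destination buffer, not against the protocol maximum: a field of 256 bytes is legal on the wire and still four times too large for the 64-byte buffer, so the check `src_len >= dst_len` is the one that matters. Rejecting the whole reply also means a malformed server simply does not appear in the browser list, which is the behaviour a client should want.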

===========
3) The Code
===========

http://aluigi.altervista.org/poc/purge-cbof.zip

======
4) Fix
======

Purge Jihad 2.0.2


Luigi Auriemma http://aluigi.altervista.org