Broadcast client buffer-overflow in Purge Jihad <= 2.0.1

Type securityvulns
Reporter Securityvulns
Modified 2004-02-16T00:00:00


                         Luigi Auriemma

Applications: Purge and Purge Jihad
Versions:     Purge <= 1.4.7
              Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Risk:         highly critical
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
e-mail:
web:

1) Introduction
2) Bug
3) The Code
4) Fix

=============== 1) Introduction ===============

Purge Jihad is a game developed by Freeform Interactive using the Lithtech Talon graphic engine:

"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the near future accounting a war between the diametrically opposed forces of science-fiction (the Order) and fantasy (the Chosen)"

====== 2) Bug ======

The bug is a "broadcast" buffer-overflow affecting clients. Each client that enters the multiplayer screen automatically contacts the master server and then sends a query to each available online game server to retrieve information about the match currently running on it.

The attacker's server must simply reply to the clients' requests with an information packet containing two big fields: battle type and map name. These fields are handled by a vulnerable function that copies the provided strings into a 64-byte buffer, which cannot hold the maximum size of 256 bytes allowed for each field.
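As an added illustration that is not part of the original advisory or of the game's code, the following C shows the bounded field copy the client-side parser needs: the 64-byte buffer and 256-byte field limit come from the advisory, while the reply layout (two NUL-terminated fields, battle type then map name), the function names and the sample packets are assumptions constructed for this example.

```c
#include <string.h>
/* Sizes from the advisory: the client copies each field into a 64-byte
   buffer although the protocol allows fields of up to 256 bytes. */
#define CLIENT_FIELD_BUF 64
#define PROTO_FIELD_MAX  256

/* Assumed (hypothetical) reply layout: two NUL-terminated strings back to
   back, battle type then map name; the real wire format is not given. */
struct match_info {
    char battle_type[CLIENT_FIELD_BUF];
    char map_name[CLIENT_FIELD_BUF];
};

/* Bounded copy of one field. Returns bytes consumed (including the NUL),
   or -1 if the terminator is missing or the field would not fit: this is
   the length check an unbounded strcpy() into the buffer lacks. */
static int copy_field(char *dst, size_t dst_len, const unsigned char *pkt, size_t pkt_len)
{
    const unsigned char *nul = memchr(pkt, 0, pkt_len);
    if (nul == NULL) return -1;            /* unterminated field */
    size_t n = (size_t)(nul - pkt);
    if (n >= dst_len) return -1;           /* no room for string plus NUL */
    memcpy(dst, pkt, n + 1);
    return (int)(n + 1);
}

/* Parse a server info reply: 0 on success, -1 if a field is malformed or
   oversized, in which case the client should drop the reply. */
int parse_match_info(const unsigned char *pkt, size_t pkt_len, struct match_info *out)
{
    int used = copy_field(out->battle_type, sizeof out->battle_type, pkt, pkt_len);
    if (used < 0) return -1;
    return copy_field(out->map_name, sizeof out->map_name,
                      pkt + used, pkt_len - (size_t)used) < 0 ? -1 : 0;
}

/* Constructed sample replies: a benign one, and one whose map name is
   255 bytes long, the oversized case the advisory describes. */
int check_benign(void) {
    struct match_info mi;
    const unsigned char pkt[] = "Deathmatch\0Orbital_Station";
    return parse_match_info(pkt, sizeof pkt, &mi);
}

int check_oversized(void) {
    struct match_info mi;
    unsigned char pkt[PROTO_FIELD_MAX + 16] = "Deathmatch"; /* rest zeroed */
    memset(pkt + 11, 'A', PROTO_FIELD_MAX - 1);  /* NUL already at 266 */
    return parse_match_info(pkt, sizeof pkt, &mi);
}
```

A reply whose field exceeds the client's buffer is rejected before any copy takes place, so the oversized packet never reaches the 64-byte buffer.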

=========== 3) The Code ===========

====== 4) Fix ======

Purge Jihad 2.0.2

Luigi Auriemma