Off-by-one bug in Halo 1.04

2004-09-10T00:00:00
ID SECURITYVULNS:DOC:6777
Type securityvulns
Reporter Securityvulns
Modified 2004-09-10T00:00:00

Description

                         Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.bungie.net/Games/HaloPC/
Versions:     <= 1.4
Platforms:    Windows and MacOS
Bug:          off-by-one (Denial of Service)
Risk:         medium/high
Exploitation: remote, versus server
Date:         09 September 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Halo is the widely known game originally developed by Bungie Studios and ported to PC by Gearbox Software (http://www.gearboxsoftware.com). It was released in September 2003.

======
2) Bug
======

Halo uses the Gamespy SDK, and in particular the handshake algorithm provided in this library (http://aluigi.altervista.org/papers/gssdkcr.h), to let players join servers.

The off-by-one bug lies in the handling of the client's response (the last stage of this handshake): a response longer than 32 bytes causes the immediate crash of the server.
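The advisory does not show the affected code, so the following is an added illustration of the bug class rather than the Halo or GameSpy SDK source: a server-side reader for a fixed 32-byte response field, written so that the length check and the buffer size agree. The 32-byte limit is taken from the advisory; the function names, the struct, and the 'A'-filled sample responses are constructed for the example. The second reader shows where the off-by-one classically creeps in when a terminator is appended after the payload.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit, not taken from the Halo/GameSpy code (which the advisory
 * does not show): the advisory only states that a client response longer
 * than 32 bytes crashes the server. */
#define RESPONSE_MAX 32

struct response {
    unsigned char data[RESPONSE_MAX];   /* fixed 32-byte field, no terminator */
    size_t len;
};

/* Raw 32-byte field: reject anything larger before touching the buffer.
 * Returns 0 and fills *out on success, -1 if the response is oversized.
 * With a strict "len > RESPONSE_MAX" test, exactly 32 bytes are accepted
 * and 33 are rejected; nothing is ever written beyond data[31]. */
int read_response(const unsigned char *pkt, size_t len, struct response *out)
{
    if (pkt == NULL || out == NULL)
        return -1;
    if (len > RESPONSE_MAX)
        return -1;
    memcpy(out->data, pkt, len);
    out->len = len;
    return 0;
}

/* Same field treated as a C string: the terminator needs one byte of
 * headroom, so the limit must drop to RESPONSE_MAX - 1. Keeping the
 * "len > RESPONSE_MAX" test from above here is exactly the off-by-one:
 * len == 32 would write out[32], one byte past the end of the buffer. */
int read_response_cstring(const unsigned char *pkt, size_t len,
                          char out[RESPONSE_MAX])
{
    if (pkt == NULL || out == NULL)
        return -1;
    if (len >= RESPONSE_MAX)             /* leave room for the '\0' */
        return -1;
    memcpy(out, pkt, len);
    out[len] = '\0';                     /* index is at most RESPONSE_MAX - 1 */
    return 0;
}

/* Helpers that feed a constructed response of `len` 'A' bytes (sample data,
 * not a captured packet) to each reader and return the reader's result. */
int accept_fixed(size_t len)
{
    unsigned char pkt[64];
    struct response r;
    if (len > sizeof pkt)
        return -1;
    memset(pkt, 'A', sizeof pkt);
    return read_response(pkt, len, &r);
}

int accept_cstring(size_t len)
{
    unsigned char pkt[64];
    char s[RESPONSE_MAX];
    if (len > sizeof pkt)
        return -1;
    memset(pkt, 'A', sizeof pkt);
    return read_response_cstring(pkt, len, s);
}

int main(void)
{
    size_t probe[] = { 31, 32, 33 };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("len=%zu  fixed:%d  cstring:%d\n", probe[i],
               accept_fixed(probe[i]), accept_cstring(probe[i]));
    return 0;
}
```

The point to audit in any such handler is that the comparison operator and the buffer size are decided together: a raw field of N bytes may accept len == N, a NUL-terminated copy into N bytes may not, and a reader that switches between the two without revisiting the check is the pattern behind a one-byte overwrite like the one reported here.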

===========
3) The Code
===========

http://aluigi.altervista.org/poc/haloboom.zip

======
4) Fix
======

Patch 1.05 for both Win32 and MacOS.


Luigi Auriemma http://aluigi.altervista.org