[Full-Disclosure] Limited buffer-overflow in Painkiller 1.35

Type securityvulns
Reporter Securityvulns
Modified 2005-02-02T00:00:00


                         Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.35
Platforms:    Windows
Bug:          limited buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         02 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Painkiller is the great FPS game developed by People can Fly (http://www.peoplecanfly.com) and released in April 2004.

======
2) Bug
======

The bug is in the buffer that holds the Gamespy cd-key hash used for the online server-side authorization. This buffer is 100 bytes long, while a Gamespy cd-key hash is 72 characters, so an attacker who sends a longer hash overflows the buffer.

There are, however, two limitations on exploiting this bug. The first is that only alpha-numeric characters are allowed (1-9, A-Z and a-z), which constrains the bytes an overflow payload can contain. The second is less important: since this is an in-game bug, if the server is password-protected the attacker must know the password.
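As an added illustration (not the advisory's own code, which is not reproduced in this copy, and not Painkiller's code), the following hypothetical C handler shows the bug class described above: a 72-character Gamespy cd-key hash copied into a 100-byte buffer with no length check, beside a hardened version that enforces both the length and the 1-9/A-Z/a-z character set the advisory names. The numbers are the advisory's; the struct layout, function names and result codes are assumptions made for the example, and the sample inputs are constructed.

```c
/*
 * Added example, not code from the advisory or from Painkiller: a
 * hypothetical server-side handler showing the bug class from section 2
 * beside a hardened version.  Numbers come from the advisory (72-character
 * hash, 100-byte buffer, only 1-9/A-Z/a-z accepted); the struct layout,
 * function names and result codes are invented for illustration.
 */
#include <stdio.h>
#include <string.h>

#define HASH_LEN 72   /* length of a Gamespy cd-key hash (advisory) */
#define BUF_SIZE 100  /* size of the server-side buffer (advisory)  */

/* Result codes of the hardened handler (hypothetical). */
enum { HASH_OK = 0, HASH_BAD_LENGTH = -1, HASH_BAD_CHAR = -2 };

struct session {
    char cdkey_hash[BUF_SIZE];  /* the 100-byte buffer from the advisory */
    int  authorized;            /* whatever follows the buffer is hit first */
};

/* Character set the server lets through, as listed in the advisory.
 * Only these bytes can appear in an overflow payload. */
static int is_allowed_char(unsigned char c)
{
    return (c >= '1' && c <= '9') ||
           (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z');
}

/* 1 if every byte of buf[0..len) is in the allowed set, else 0.  The same
 * test tells an exploit writer whether a candidate payload (addresses,
 * shellcode) would survive the server's filter. */
int payload_is_allowed(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (!is_allowed_char(buf[i]))
            return 0;
    return 1;
}

/* VULNERABLE: no length check, so a hash of 100 or more characters runs
 * past cdkey_hash.  Kept only for contrast; never feed it untrusted data. */
void store_cdkey_hash_unsafe(struct session *s, const char *hash)
{
    strcpy(s->cdkey_hash, hash);
}

/* HARDENED: enforce the exact hash length and the character set before
 * anything is copied into the fixed-size buffer. */
int store_cdkey_hash_safe(struct session *s, const char *hash)
{
    size_t len = strlen(hash);
    if (len != HASH_LEN)
        return HASH_BAD_LENGTH;
    if (!payload_is_allowed((const unsigned char *)hash, len))
        return HASH_BAD_CHAR;
    memcpy(s->cdkey_hash, hash, len);
    s->cdkey_hash[len] = '\0';
    return HASH_OK;
}

/* Validate a hash against a scratch session; returns the handler's code. */
int check_hash(const char *hash)
{
    struct session s;
    memset(&s, 0, sizeof s);
    return store_cdkey_hash_safe(&s, hash);
}

/* Build a string of `len` copies of `c` (capped at 255) and validate it:
 * an easy way to try overlong, too-short and badly-charactered inputs. */
int check_repeated(char c, size_t len)
{
    char buf[256];
    if (len > sizeof buf - 1)
        len = sizeof buf - 1;
    memset(buf, c, len);
    buf[len] = '\0';
    return check_hash(buf);
}

/* Constructed sample input: a well-formed 72-character value. */
const char SAMPLE_HASH[] =
    "123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ12345678912";

int main(void)
{
    printf("72-char sample hash      -> %d\n", check_hash(SAMPLE_HASH));
    printf("120 x 'A' (overflows)    -> %d\n", check_repeated('A', 120));
    printf("72 x '%%' (bad charset)   -> %d\n", check_repeated('%', 72));
    printf("71 x 'A' (too short)     -> %d\n", check_repeated('A', 71));
    return 0;
}
```

The 120-character input passes the character-set filter but fails the length check in the hardened handler; with the unsafe handler it would write past the 100-byte buffer into whatever follows on the stack. The same `payload_is_allowed` check, run from the attacker's side, is what makes the advisory's first limitation concrete: any byte outside 1-9, A-Z, a-z cannot be delivered through this field.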

===========
3) The Code
===========


======
4) Fix
======

Version 1.61.

Luigi Auriemma http://aluigi.altervista.org

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html