
Remote crash of Chaser game <= 1.50

2004-02-04 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: Chaser
http://www.chasergame.com
Versions: <= 1.50
Platforms: Windows
Bug: crash (reading of unallocated memory)
Risk: high
Exploitation: remote, both server and client are vulnerable
Date: 03 Feb 2004
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Chaser is a first person shooter developed by Cauldron
(http://www.cauldron.sk) using the CloakNT game engine.

#######################################################################

======
2) Bug

The structure of a Chaser packet is like the following:

00 00 00 00 00 ff 00 00
|              |
|              size of the data starting at offset 14
16 bit checksum
http://aluigi.altervista.org/papers/chaser_crc.h

The problem is just in the value specifying the size of the data: if it
is too big, the game reads the whole amount of data specified and
reaches an unallocated memory zone, which causes an exception.
The following is the instruction that causes the crash in the dedicated
server 1.50:

:0050C89F F3A5 rep movsd
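As an added illustration (not code from the advisory or from the game), the two ways of handling the size field from the diagram above: the unchecked copy that reproduces the crash pattern, and a receiver that validates the declared size against the bytes actually received. That the size is the single byte at offset 5 and that the header is 14 bytes long are assumptions read from the diagram, and the checksum is not verified here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout assumed from the advisory's diagram (not confirmed against the game):
 * bytes 0-1 : 16 bit checksum (algorithm in chaser_crc.h, not checked here)
 * byte  5   : size of the payload, which starts at offset 14 */
#define CHASER_SIZE_OFF 5
#define CHASER_DATA_OFF 14

/* Vulnerable pattern, shown for contrast only: the size byte is trusted and
 * that many bytes are copied. With a short packet and size = 0xff the copy
 * runs past the received buffer into unmapped memory (the rep movsd crash). */
size_t copy_payload_unchecked(const uint8_t *pkt, uint8_t *out)
{
    size_t n = pkt[CHASER_SIZE_OFF];
    memcpy(out, pkt + CHASER_DATA_OFF, n);
    return n;
}

/* Hardened receiver: the declared size is checked against what actually
 * arrived on the wire and against the destination buffer before any copy.
 * Returns the payload length, or -1 if the packet is rejected. */
long copy_payload_checked(const uint8_t *pkt, size_t pktlen,
                          uint8_t *out, size_t outlen)
{
    if (pkt == NULL || out == NULL || pktlen < CHASER_DATA_OFF)
        return -1;                       /* header incomplete */
    size_t n = pkt[CHASER_SIZE_OFF];
    if (n > pktlen - CHASER_DATA_OFF)
        return -1;                       /* claims more data than was received */
    if (n > outlen)
        return -1;                       /* would overflow the destination */
    memcpy(out, pkt + CHASER_DATA_OFF, n);
    return (long)n;
}

/* Constructed sample packets (not real captures). */
const uint8_t good_pkt[] = {
    0x00,0x00,0x00,0x00,0x00,0x04,0x00,0x00,  /* size byte = 4 */
    0x00,0x00,0x00,0x00,0x00,0x00,            /* rest of the 14 byte header */
    'p','i','n','g'                           /* exactly 4 payload bytes */
};
const uint8_t bad_pkt[] = {
    0x00,0x00,0x00,0x00,0x00,0xff,0x00,0x00,  /* size byte = 255 */
    0x00,0x00,0x00,0x00,0x00,0x00,
    'p','i','n','g'                           /* but only 4 bytes follow */
};
```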

#######################################################################

===========
3) The Code

To test the Chaser server:

http://aluigi.altervista.org/poc/chasercrash.zip

The vulnerability also affects the client but naturally the danger there
is minimal; I have released a proof-of-concept to test this case as
well:

http://aluigi.altervista.org/poc/chaser-client.zip

#######################################################################

======
4) Fix

No fix.
Cauldron has not replied to my mails.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org