[37439] in bugtraq


Broadcast client crash in Halo 1.05

daemon@ATHENA.MIT.EDU (Luigi Auriemma)
Mon Nov 22 13:26:34 2004

Date: Mon, 22 Nov 2004 18:21:01 +0000
From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com,
        full-disclosure@lists.netsys.com, vuln@secunia.com
Message-Id: <20041122182101.034b02ba.aluigi@autistici.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit


#######################################################################

                             Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.05
Platforms:    Windows and MacOS
Bug:          crash
Exploitation: remote, versus clients (broadcast)
Date:         22 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Halo is the great FPS game developed by Bungie Studios and ported to PC
by Gearbox Software (http://www.gearboxsoftware.com).
It was released at the end of 2003.


#######################################################################

======
2) Bug
======


The problem affects the clients' in-game browser, used to navigate
through the list of online servers, and is caused by some of its overrun
protections. If these checks find an over-long value in a server's
reply, they pass a NULL pointer (instead of the original value) to a
wcsncpy() function, causing the crash.

This is a broadcast client crash, so a single attacker visible in the
master server list can passively exploit any vulnerable client in the
world.
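As an added illustration of the pattern described above (this is not the
author's proof-of-concept and not Halo's code), the C below models a
server-browser field copy whose length check substitutes NULL for an
over-long value and then feeds that NULL to wcsncpy() unchecked, beside a
version that discards the reply instead. The NAME_MAX limit, the function
names and the sample replies are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed field limit for a server-list entry (constructed for the example). */
#define NAME_MAX 16

/* Validation step modelled on the advisory: returns the field if it fits,
 * and NULL as the "error" value when it is missing or too long. */
static const wchar_t *check_field(const wchar_t *field, size_t limit)
{
    if (field == NULL || wcslen(field) > limit)
        return NULL;
    return field;
}

/* Vulnerable pattern: the NULL error value flows straight into wcsncpy(),
 * so a server reply with an over-long field crashes the client. */
static void copy_name_vulnerable(wchar_t dst[NAME_MAX + 1], const wchar_t *field)
{
    const wchar_t *src = check_field(field, NAME_MAX);
    wcsncpy(dst, src, NAME_MAX);   /* src may be NULL here: NULL dereference */
    dst[NAME_MAX] = L'\0';
}

/* Returns 1 if copy_name_vulnerable() would dereference NULL for this
 * field, without actually performing the dangerous copy. */
static int vulnerable_would_crash(const wchar_t *field)
{
    return check_field(field, NAME_MAX) == NULL;
}

/* Hardened pattern: an over-long or missing field makes the client drop
 * that server entry instead of copying from a NULL pointer.
 * Returns 1 if the name was accepted, 0 if the reply was discarded. */
static int copy_name_hardened(wchar_t dst[NAME_MAX + 1], const wchar_t *field)
{
    dst[0] = L'\0';
    if (field == NULL || wcslen(field) > NAME_MAX)
        return 0;                  /* reject the entry; the browser keeps running */
    wcsncpy(dst, field, NAME_MAX);
    dst[NAME_MAX] = L'\0';         /* wcsncpy() does not guarantee termination */
    return 1;
}

/* Convenience wrapper: does the hardened path accept this field? */
static int hardened_accepts(const wchar_t *field)
{
    wchar_t buf[NAME_MAX + 1];
    return copy_name_hardened(buf, field);
}

int main(void)
{
    /* Constructed sample replies: a normal name, an over-long one, a missing one. */
    const wchar_t *replies[] = { L"Blood Gulch", L"0123456789ABCDEF0123456789", NULL };
    wchar_t name[NAME_MAX + 1];
    size_t i;

    for (i = 0; i < sizeof(replies) / sizeof(replies[0]); i++) {
        if (vulnerable_would_crash(replies[i])) {
            printf("reply %zu: vulnerable path would dereference NULL; ", i);
        } else {
            copy_name_vulnerable(name, replies[i]);   /* safe only because it fits */
            printf("reply %zu: vulnerable path copied \"%ls\"; ", i, name);
        }
        if (copy_name_hardened(name, replies[i]))
            printf("hardened path kept \"%ls\"\n", name);
        else
            printf("hardened path discarded the entry\n");
    }
    return 0;
}
```

The point of the contrast is that a validation routine which signals
failure by returning NULL is only as safe as every caller that consumes
its result; the hardened copy makes the failure case explicit at the
call site so the client can skip one bad entry rather than abort.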


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/halocboom.zip


#######################################################################

======
4) Fix
======


Version 1.06


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

