[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Broadcast client crash in Halo 1.05

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: [Full-Disclosure] Broadcast client crash in Halo 1.05
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Mon, 22 Nov 2004 18:21:01 +0000

#######################################################################

                             Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.05
Platforms:    Windows and MacOS
Bug:          crash
Exploitation: remote, versus clients (broadcast)
Date:         22 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Halo is the great FPS game developed by Bungie Studios and ported on PC
by Gearbox Software (http://www.gearboxsoftware.com).
It has been released at the end of 2003.


#######################################################################

======
2) Bug
======


The problem affects the in-game browser of the clients used to navigate
through the list of online servers and is caused by some overrun
protections. If these instructions find a too long value in a server's
reply, they pass a NULL pointer (instead of the original value) to a
wcsncpy() function causing the crash.

This is a broadcast client crash, so a single attacker visible in the
master server list can passively exploit any vulnerable client in the
world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/halocboom.zip


#######################################################################

======
4) Fix
======


Version 1.06


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: RE: [Full-Disclosure] Certifications
Next by Date: RE: [Full-Disclosure] Certifications
Previous by thread: Re: [Full-Disclosure] HAPPY BIRTHDAY: Yahoo & AmericanGreetings.com
Next by thread: [Full-Disclosure] iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrary Package Access Vulnerability
Index(es):
- Date
- Thread