#######################################################################
Luigi Auriemma
Application: Chrome
http://www.chromethegame.com
Versions: <= 1.2.0.0
Platforms: Windows
Bug: reading and writing into unallocated memory (crash)
Risk: medium/high
Exploitation: remote, versus server
Date: 18 Mar 2004
Author: Luigi Auriemma
e-mail: aluigi (at) altervista (dot) org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Chrome is a cool game developed by Techland (http://www.techland.pl)
and is a futuristic FPP (First Person Perspective) shooting game which
takes place on a planet in another solar system called Valkyria.
#######################################################################
======
2) Bug
======
The problem is located in the following instructions:
buff = malloc(value);             /* "value" comes straight from the packet, return value never checked */
memcpy(buff, packet + 8, value);  /* copies "value" bytes regardless of how much data was really received */
where "buff" is the newly allocated buffer, "value" is a 32 bit number
located at offset 4 of the packet sent by the client and "packet" is
just this packet.
Now we have 2 interesting effects that have the same result (server's
crash):
- if "value" is too big, malloc() fails and there are no instructions
to check its return value, so the game tries to write into a bad
memory zone (0x00000000)
- if "value" is big but still allocatable, memcpy() fails because the
value is bigger than the packet, so it tries to read from the
unallocated memory after the received data
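To show what the missing checks look like, here is an added example (not code from the advisory or from Techland) of a hardened replacement for the malloc()/memcpy() sequence above. The packet layout follows the advisory (32 bit length at offset 4, data at offset 8); the little-endian encoding, the 4096 byte protocol limit and the helper names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout from the advisory: length field at offset 4, payload at offset 8.
   Everything else here is assumed for the example. */
#define LENGTH_OFFSET   4
#define PAYLOAD_OFFSET  8
#define MAX_PAYLOAD     4096   /* assumed protocol limit, not from the game */

typedef struct {
    uint8_t *data;
    size_t   len;
} payload_t;

/* Assumed little-endian encoding of the 32 bit length field. */
static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened version of "buff = malloc(value); memcpy(buff, packet + 8, value);".
   Returns 0 and fills *out on success, a negative code when the packet is rejected:
     -1  packet too short to even contain the length field
     -2  declared length above the protocol limit (would exhaust memory or make malloc fail)
     -3  declared length larger than the data actually received (would read past the packet)
     -4  malloc really failed (never write through a NULL pointer) */
int parse_payload(const uint8_t *packet, size_t packet_len, payload_t *out)
{
    if (packet_len < PAYLOAD_OFFSET)
        return -1;

    uint32_t value = read_u32_le(packet + LENGTH_OFFSET);

    if (value > MAX_PAYLOAD)
        return -2;
    if (value > packet_len - PAYLOAD_OFFSET)
        return -3;

    /* malloc(0) may legally return NULL; allocate at least one byte. */
    uint8_t *buff = malloc(value ? value : 1);
    if (buff == NULL)
        return -4;

    memcpy(buff, packet + PAYLOAD_OFFSET, value);
    out->data = buff;
    out->len  = value;
    return 0;
}

/* Builds a constructed packet with the given declared length and total size,
   runs it through parse_payload() and returns the result code. */
int classify_packet(uint32_t declared_len, size_t total_len)
{
    static uint8_t pkt[PAYLOAD_OFFSET + MAX_PAYLOAD];

    if (total_len > sizeof pkt)
        return -99;   /* outside what this demo can build */

    memset(pkt, 0xAB, sizeof pkt);                 /* dummy payload bytes */
    memset(pkt, 0x00, LENGTH_OFFSET);              /* dummy 4 byte header */
    pkt[LENGTH_OFFSET + 0] = (uint8_t)(declared_len);
    pkt[LENGTH_OFFSET + 1] = (uint8_t)(declared_len >> 8);
    pkt[LENGTH_OFFSET + 2] = (uint8_t)(declared_len >> 16);
    pkt[LENGTH_OFFSET + 3] = (uint8_t)(declared_len >> 24);

    payload_t p;
    int rc = parse_payload(pkt, total_len, &p);
    if (rc == 0)
        free(p.data);
    return rc;
}

int main(void)
{
    /* 24 byte packet: 8 byte header, 16 bytes of data actually present. */
    printf("declared 16 of 16 present   -> %d\n", classify_packet(16, 24));
    printf("declared 0xFFFFFFFF         -> %d\n", classify_packet(0xFFFFFFFFu, 24));
    printf("declared 64 of 16 present   -> %d\n", classify_packet(64, 24));
    printf("6 byte packet, no length    -> %d\n", classify_packet(16, 6));
    return 0;
}
```

The two rejections that matter for this advisory are -2 (the "too big" case, which in the original code ends with an unchecked NULL from malloc()) and -3 (the "big but allocatable" case, where memcpy() would read past the end of the received packet). Checking the declared length against the number of bytes actually received is the check the original sequence lacks.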
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/chromeboom.zip
#######################################################################
======
4) Fix
======
No fix.
Developers talked about patching their online servers and about
an eventual patch for users more than 2 weeks ago, but nothing has
been released yet and there is no information from them.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org