BugTraq
Broadcast client crash in Halo 1.05 Nov 22 2004 06:21PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Halo: Combat Evolved
http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.05
Platforms: Windows and MacOS
Bug: crash
Exploitation: remote, versus clients (broadcast)
Date: 22 November 2004
Author: Luigi Auriemma
e-mail: aluigi (at) altervista (dot) org
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Halo is the great FPS game developed by Bungie Studios and ported to PC
by Gearbox Software (http://www.gearboxsoftware.com).
It was released at the end of 2003.

#######################################################################

======
2) Bug
======

The problem affects the clients' in-game browser, which is used to
navigate the list of online servers, and is caused by some overrun
protections. If these checks find a value that is too long in a server's
reply, they pass a NULL pointer (instead of the original value) to a
wcsncpy() function, causing the crash.

This is a broadcast client crash, so a single attacker visible in the
master server list can passively exploit any vulnerable client in the
world.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/halocboom.zip

#######################################################################

======
4) Fix
======

Version 1.06

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
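
Added example, not part of the original advisory and not code from Halo:
the pattern described in section 2, where a length guard returns NULL and
that result reaches wcsncpy(), next to a version that checks the guard's
result. FIELD_MAX, guard_len() and both store_field_*() functions are
hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <wchar.h>

#define FIELD_MAX 32 /* assumed field capacity in wide chars (hypothetical) */

/* Hypothetical overrun guard: returns the value if it terminates within
 * max wide chars, otherwise NULL (the behaviour the advisory describes). */
static const wchar_t *guard_len(const wchar_t *value, size_t max)
{
    for (size_t i = 0; i < max; i++)
        if (value[i] == L'\0')
            return value;
    return NULL;
}

/* Flawed pattern, for contrast: the guard's result reaches wcsncpy()
 * unchecked, so an over-long value makes wcsncpy() read from NULL. */
void store_field_unchecked(wchar_t *dst, const wchar_t *reply_value)
{
    wcsncpy(dst, guard_len(reply_value, FIELD_MAX), FIELD_MAX);
}

/* Corrected pattern: a rejected value clears the field and is reported
 * to the caller. Returns 0 when stored, -1 when rejected. */
int store_field_checked(wchar_t *dst, const wchar_t *reply_value)
{
    const wchar_t *src = guard_len(reply_value, FIELD_MAX);
    if (src == NULL) {
        dst[0] = L'\0';
        return -1;
    }
    wcsncpy(dst, src, FIELD_MAX); /* src is terminated within FIELD_MAX */
    return 0;
}

int main(void)
{
    wchar_t field[FIELD_MAX], overlong[128]; /* constructed sample inputs */
    wmemset(overlong, L'A', 127);
    overlong[127] = L'\0';
    printf("normal value:    %d\n", store_field_checked(field, L"Sample Server"));
    printf("over-long value: %d\n", store_field_checked(field, overlong));
    return 0;
}
```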
