BugTraq
Buffer-overflow in Tincat 2 minor than 2.0.28 (Sacred, Settlers 5 and others) Mar 28 2005 03:14PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Tincat network library
http://www.tincat.de
Versions: Release 2 < 2.0.28
Release 1 should be not vulnerable
Games: - Sacred <= 1.8.2.6
- The Settlers: Heritage of Kings <= 1.02
- other applications, a partial list in german is
available at the following link but I cannot confirm if
they are vulnerable:
http://www.tincat.de/index.php?topic=5
Platforms: Windows, Linux and Sun Solaris
Bug: buffer-overflow
Exploitation: remote, versus server
Date: 28 Mar 2005
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Tincat is a network library for games and has been developed by the
german guys of Instance Four (http://www.instancefour.com).
It is used in some games like the recents and well known Sacred
(http://www.sacred-game.com) and The Settlers: Heritage of Kings
(http://www.thesettlers.com).

#######################################################################

======
2) Bug
======

The library is affected by a buffer-overflow in the function that logs
the players entered in the server letting an attacker to execute
malicious code on the victim system.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/tincat2bof.zip

#######################################################################

======
4) Fix
======

The library has been patched from build 28 (2.0.28).

Actually "The Settlers: Heritage of Kings" 1.03 is the only game that
uses the new patched library.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus