purge.txt

purge.txt: Posted Feb 16, 2004; Authored by Luigi Auriemma | Site aluigi.altervista.org; Purge versions 1.4.7 and below and Purge Jihad versions 2.0.1 and below have buffer overflows affecting the clients of this game.; tags | advisory, overflow; SHA-256 | 15e5bb82dec8ce18853366f6292961f01558fc059766481005b37354d2bce4c1; Download | Favorite | View

purge.txt


#######################################################################

                             Luigi Auriemma

Applications: Purge and Purge Jihad
              http://www.purgeonline.net
Versions:     Purge       <= 1.4.7
              Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Risk:         highly critical
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Purge Jihad is a game developed by Freeform Interactive using the
Lithtech Talon graphic engine:

"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the
near future accounting a war between the diametrically opposed forces
of science-fiction (the Order) and fantasy (the Chosen)"


#######################################################################

======
2) Bug
======


The bug is a "broadcast" buffer-overflow affecting clients.
In fact each client that enters in the multiplayer screen automatically
contacts the master server and then sends a query to each available
online game server to know informations about the current match running
on it.

The attacker'server must simply reply to clients'requests with an
information packet containing 2 big fields: battle type and map name.
These fields in fact are managed by a vulnerable function that copies
the provided strings in a 64 bytes buffer not able to contain the
maximum size of 256 bytes of each field.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/purge-cbof.zip


#######################################################################

======
4) Fix
======


Purge Jihad 2.0.2


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

purge.txt

purge.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

purge.txt

Share This

purge.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems