exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

atron.txt

atron.txt
Posted Feb 23, 2005
Authored by Luigi Auriemma | Site aluigi.altervista.org

Armagetron versions 0.2.6.0 and below and Armagetron Advanced versions 0.2.7.0 and below suffer from various denial of service flaws.

tags | advisory, denial of service
SHA-256 | 9eef4ea8c6936a63f08053ed3ce18e3847e0aae724ad0521a9d48efb53c4bfe8

atron.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Armagetron
http://armagetron.sourceforge.net
Armagetron Advanced
http://armagetronad.sourceforge.net
Versions: Armagetron <= 0.2.6.0
Armagetron Advanced <= 0.2.7.0
Platforms: multiplatform (Windows, Linux and others)
Bugs: A] crash caused by big descriptor ID
B] crash caused by big claim_id
C] socket unreacheable through empty packet
D] fake players temporary freeze
Exploitation: remote, versus server
Date: 10 Feb 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Armagetron is the well known and played opensource multiplayer game
developed by Manuel Moos.
Recently the project Armagetron (until version 0.2.6.0) has been
declared dead and is unofficial successor is Armagetron Advanced.


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] crash caused by big descriptor ID
------------------------------------

The game uses an array of 400 descriptors, but clients can pass their
descriptor ID using 16 bits numbers (so until 65535).
In short a packet with an ID major than 400 is able to crash the server
due to the access to an unallocated zone of the array.


-------------------------------
B] crash caused by big claim_id
-------------------------------

Just like the bug described before, exists a problem in the calling of
the ANET_AddrCompare() function where is passed the peers structure (an
array of 18 elements) pointing to the 16 bits value passed by the
client at the end of his packet.


-------------------------------------------
C] socket unreacheable through empty packet
-------------------------------------------

The game uses asynchronous sockets through the usage of FIONREAD that
returns the number of bytes received in the last packet (0 if there are
no new packets).
If the server receives an empty UDP packet it will continue to check
the socket's queue infinitely since there are still 0 bytes and in the
meantime it cannot handle other packets so all the clients will be
automatically disconnected from him.
The situation returns normal only when a new map starts and, so, the
socket is recreated.


--------------------------------
D] fake players temporary freeze
--------------------------------

Simple, the server and any connected client freeze completely if too
much players join and don't send data (time out). So an attacker can
fill the server with fake players and when a new map starts (races on
Armagetron are enough shorts) nobody will be able to play in that
server.


#######################################################################

===========
3) The Code
===========


A, B, C] http://aluigi.altervista.org/poc/atronboom.zip

D] http://aluigi.altervista.org/fakep/atronfp.zip


#######################################################################

======
4) Fix
======


No fix.
I reported the bugs A and D to the author many months ago but then I
lost any contact with him.
I have sent a mail to 2 of the new programmers of the Armagetron
Advanced project explaining all the bugs but have received no reply.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close