The Asura engine (network SDK) included with Rogue Trooper versions 1.0 and below and Prism: Guard Shield versions 1.1.1.0 and below suffers from a remotely triggerable stack buffer overflow in the handler for the challenge B (0xf007) query.
#######################################################################
Luigi Auriemma
Application: Asura engine (network SDK)
http://www.rebellion.co.uk
Games: Rogue Trooper <= 1.0
Prism: Guard Shield <= 1.1.1.0
...possibly others...
Platforms: Windows
Bug: challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 22 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol that leads to the vulnerability reported
in this advisory; the older games were based on DirectPlay (Judge
Dredd) and the Gamespy SDK (Sniper Elite).
#######################################################################
======
2) Bug
======
A stack buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the challenge B query.
In this function the data supplied by the client is copied, without any
check on its length, into a 256-byte stack buffer which is then used to
send the same data back to the client, something similar to a ping. A
client that sends a challenge B payload longer than 256 bytes therefore
overwrites the stack of the game server's handler.
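The following C program is an added illustration of the bug class described above and is not code from the Asura engine or from this advisory's PoC. It assumes a packet layout (a 16-bit big-endian packet id followed by a 16-bit big-endian payload length) and function names that are inventions for the example; only the 0xf007 id and the 256-byte stack buffer come from the advisory. The vulnerable handler shows the shape of the flaw (the copy into the fixed stack buffer trusts the client-supplied length) and the hardened handler shows the checks that prevent it: the claimed length must fit the datagram actually received and the reply buffer, or the packet is rejected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PKT_CHALLENGE_B 0xf007u   /* packet id named in the advisory */
#define REPLY_BUF_LEN   256       /* stack buffer size named in the advisory */
#define HDR_LEN         4         /* assumed: 2-byte id + 2-byte payload length */

/* Assumed header encoding: big-endian 16-bit fields (an assumption, not the
 * real Asura wire format). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the handler trusts the client-supplied payload length
 * and echoes the payload through a fixed 256-byte stack buffer. A payload
 * longer than 256 bytes smashes the stack. Only call this with benign input;
 * it is here to show the shape of the bug, not to be exercised. */
size_t challenge_b_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *reply)
{
    uint8_t buf[REPLY_BUF_LEN];
    (void)pkt_len;                           /* the bug: real datagram length ignored */
    size_t plen = rd16(pkt + 2);             /* attacker-controlled length */
    memcpy(buf, pkt + HDR_LEN, plen);        /* overflows buf when plen > 256 */
    memcpy(reply, buf, plen);                /* "ping" the data back */
    return plen;
}

/* Hardened version: validates the id, checks that the claimed length fits both
 * the datagram actually received and the reply buffer, and rejects otherwise.
 * Returns the number of bytes echoed, or -1 on rejection. */
long challenge_b_safe(const uint8_t *pkt, size_t pkt_len, uint8_t *reply, size_t reply_len)
{
    uint8_t buf[REPLY_BUF_LEN];
    if (pkt_len < HDR_LEN) return -1;                       /* truncated header */
    if (rd16(pkt) != PKT_CHALLENGE_B) return -1;            /* not a challenge B query */
    size_t plen = rd16(pkt + 2);
    if (plen > pkt_len - HDR_LEN) return -1;                /* claims more than was received */
    if (plen > sizeof buf || plen > reply_len) return -1;   /* would not fit the buffers */
    memcpy(buf, pkt + HDR_LEN, plen);
    memcpy(reply, buf, plen);
    return (long)plen;
}

/* Build a constructed challenge B packet with n bytes of 'A' payload into out
 * (capacity cap). Returns the total packet length, or 0 if it does not fit. */
size_t build_challenge_b(uint8_t *out, size_t cap, size_t n)
{
    if (n > 0xffff || cap < HDR_LEN + n) return 0;
    out[0] = (uint8_t)(PKT_CHALLENGE_B >> 8);
    out[1] = (uint8_t)(PKT_CHALLENGE_B & 0xff);
    out[2] = (uint8_t)(n >> 8);
    out[3] = (uint8_t)(n & 0xff);
    memset(out + HDR_LEN, 'A', n);
    return HDR_LEN + n;
}

int main(void)
{
    uint8_t pkt[HDR_LEN + 1024], reply[REPLY_BUF_LEN];
    size_t len = build_challenge_b(pkt, sizeof pkt, 16);
    printf("16-byte payload: safe handler echoed %ld bytes\n",
           challenge_b_safe(pkt, len, reply, sizeof reply));
    len = build_challenge_b(pkt, sizeof pkt, 1024);
    printf("1024-byte payload: safe handler returned %ld (rejected)\n",
           challenge_b_safe(pkt, len, reply, sizeof reply));
    return 0;
}
```

The oversized packet that the hardened handler rejects is exactly the input that would overflow `buf` in the vulnerable handler; the third check (claimed length versus bytes actually received) also stops a short datagram from making the handler read past the end of the receive buffer, a second defect the unchecked pattern carries.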
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/asurabof.zip
#######################################################################
======
4) Fix
======
No fix.
Rebellion is one of those vendors that has never replied to my past
mails.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org