#######################################################################

                             Luigi Auriemma

Application:  Terminator 3: War of the Machines
              http://www.t3war.com
Versions:     1.0
Platforms:    Windows
Bug:          broadcast client's buffer-overflow
Risk:         very high
Exploitation: remote and automatic, versus clients
Date:         19 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Terminator 3: War of the Machines" is a multiplayer FPS game developed
by Clevers (http://www.clevers.com) and based on the homonymous Swarzy's
movie.


#######################################################################

======
2) Bug
======


The bug is a broadcast buffer-overflow affecting clients.

Every time a user enters the multiplayer menu, the game contacts the
master server and then each online server automatically.

The bug happens during the execution of some vulnerable instructions,
which are exactly the following:

  char ServerInfoTemp[200];     /* fixed-size destination buffer */
  ...
  /* copies strlen(ServerInfo) bytes with no bound check on the
     destination: a longer string runs past ServerInfoTemp */
  for (int i = 0; i < strlen(ServerInfo); i++) {
    ServerInfoTemp[i] = toupper(ServerInfo[i]);
  }

They take a string (ServerInfo) previously built from the server's IP
and port and all the values in its reply, and then copy this string into
a new, smaller buffer (ServerInfoTemp) while converting the characters
to upper case.

The effects of this bug are the usual two known problems:

- automatic buffer-overflow (here with the upper-case limitation, since
  every byte written into the buffer passes through toupper())
- network Denial of Service: nobody can use the game online

For those who want to see the problem at runtime, the vulnerable
instructions in the executable of the pre-release demo are the loop
between 004953d4 and 004953fe.

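To make the defect concrete, the following is an added example (not the game's code or the advisory's own proof of concept): a function that reports how far a server-info string of a given length would run past a 200-byte ServerInfoTemp, beside a bounded, NUL-terminating replacement for the copy loop. The helper that builds the sample string, its length and the 192.0.2.1 placeholder address are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Size of ServerInfoTemp in the game's code, per the advisory. */
#define SERVERINFO_TEMP_LEN 200

/* Models the vulnerable loop: it writes strlen(src) bytes into a
 * SERVERINFO_TEMP_LEN buffer with no bound, so any reply that makes the
 * assembled string longer than the buffer overflows it. Returns the number
 * of bytes that would be written past the end (0 means the copy fits). */
size_t overflow_bytes(const char *src)
{
    size_t len = strlen(src);
    return len > SERVERINFO_TEMP_LEN ? len - SERVERINFO_TEMP_LEN : 0;
}

/* Hardened replacement: copies at most dst_len - 1 characters, upper-cases
 * them, always NUL-terminates, and reports whether the input was truncated
 * (1) or fit entirely (0); -1 means the destination has no room at all.
 * The cast to unsigned char keeps toupper() defined for bytes >= 0x80. */
int upper_copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t i;
    if (dst_len == 0)
        return -1;
    for (i = 0; i + 1 < dst_len && src[i] != '\0'; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[i] = '\0';
    return src[i] != '\0';
}

/* Builds a constructed (not captured) server-info string of total_len
 * bytes in the "ip:port values..." shape the advisory describes, using the
 * documentation address 192.0.2.1 as a placeholder. out needs total_len + 1. */
void build_server_info(char *out, size_t total_len)
{
    const char *prefix = "192.0.2.1:27015 ";
    size_t i, plen = strlen(prefix);
    for (i = 0; i < total_len; i++)
        out[i] = i < plen ? prefix[i] : 'a';
    out[total_len] = '\0';
}
```

A 250-byte reply string overflows the original buffer by 50 bytes, while the bounded copy stops at 199 characters and signals the truncation so the caller can reject the oversized server entry instead of crashing.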
#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/t3cbof.zip


#######################################################################

======
4) Fix
======


No fix.
The developers have promised a patch many times (for 3 months), but it
has not been released yet.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org