#######################################################################

                             Luigi Auriemma

Application:  Yager
              http://www.yager-game.de
Versions:     <= 5.24
Platforms:    Windows
Bugs:         A] nickname buffer-overflow
              B] data block buffer-overflow
              C] freeze caused by incomplete data block
              D] various crashes caused by corrupted data
Exploitation: remote, versus server and clients
Date:         14 Apr 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Yager is a futuristic air combat game developed by Yager Development
(http://www.yager.de) and published by THQ (http://www.thq.de) and
DreamCatcher Interactive (http://www.dreamcatchergames.com). It was
released in September 2003.

Note: this game uses only LAN and direct-IP multiplayer, so there is no
master server with the list of online servers (unlike almost all other
multiplayer games).

#######################################################################

=======
2) Bugs
=======

---------------------------
A] nickname buffer-overflow
---------------------------

The game is affected by a buffer-overflow in the nickname field (ID 0x1e)
that can allow an attacker to execute malicious code.

-----------------------------
B] data block buffer-overflow
-----------------------------

The buffer used to receive data from the socket is 256 bytes long, while
the maximum size of a data block is 65536 (a 16-bit number), causing a
buffer-overflow.

-----------------------------------------
C] freeze caused by incomplete data block
-----------------------------------------

The server and the clients connected to it can easily be frozen by sending
incomplete data. The problem is that the game is synchronized with the
receiving of network data, so it blocks until all the expected data has
been received. For example, the header of a data block is 10 bytes long,
so sending 9 or fewer bytes freezes the game.

-------------------------------------------
D] various crashes caused by corrupted data
-------------------------------------------

The game doesn't perform enough checks to verify the correctness of the
data received, so it is possible to cause various crashes through
malformed data.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/yagerbof.zip

#######################################################################

======
4) Fix
======

No fix. A patch should be released soon.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
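As an added illustration (not the advisory's proof-of-concept and not Yager's code), here is the receive-side handling that bugs B and C lack, in C: a parser that checks the 16-bit block length against the 256-byte buffer and reports a header shorter than 10 bytes as incomplete instead of blocking. The offset and byte order of the length field inside the header are assumptions for the demonstration; the advisory does not state them.

```c
/* Added example, not Yager's code. The advisory gives a 10-byte header, a
 * 16-bit block length and a 256-byte receive buffer; where the length sits in
 * the header is NOT stated there and is assumed here (last two header bytes,
 * little-endian) purely for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN 10   /* header size stated in the advisory */
#define BUF_CAP 256  /* receive buffer size stated in the advisory */

enum blk_status { BLK_OK = 0, BLK_NEED_MORE = 1, BLK_TOO_LARGE = 2 };

struct block {
    uint8_t  header[HDR_LEN];
    uint16_t length;           /* declared payload length */
    uint8_t  payload[BUF_CAP]; /* bounded copy of the payload */
    size_t   consumed;         /* bytes consumed from the input */
};

/* Checked parser: never blocks and never copies more than BUF_CAP bytes.
 * BLK_NEED_MORE tells the caller to keep buffering (or apply a timeout)
 * rather than stall on a short header (bug C); BLK_TOO_LARGE rejects a
 * declared length the buffer cannot hold (bug B). */
enum blk_status parse_block(const uint8_t *in, size_t in_len, struct block *out)
{
    if (in_len < HDR_LEN)
        return BLK_NEED_MORE;                     /* incomplete header */
    uint16_t len = (uint16_t)(in[HDR_LEN - 2] | (in[HDR_LEN - 1] << 8));
    if (len > BUF_CAP)
        return BLK_TOO_LARGE;                     /* length exceeds buffer */
    if (in_len < (size_t)HDR_LEN + len)
        return BLK_NEED_MORE;                     /* payload still arriving */
    memcpy(out->header, in, HDR_LEN);
    out->length = len;
    memcpy(out->payload, in + HDR_LEN, len);
    out->consumed = HDR_LEN + len;
    return BLK_OK;
}

/* Constructed sample inputs covering the three outcomes; returns 1 on success. */
int self_check(void)
{
    uint8_t in[300] = {0};
    struct block b;
    if (parse_block(in, 9, &b) != BLK_NEED_MORE) return 0;   /* 9-byte header */
    in[8] = 0xFF; in[9] = 0xFF;                              /* length 65535 */
    if (parse_block(in, sizeof in, &b) != BLK_TOO_LARGE) return 0;
    in[8] = 4; in[9] = 0;                                    /* length 4 */
    if (parse_block(in, 12, &b) != BLK_NEED_MORE) return 0;  /* 2 of 4 bytes */
    if (parse_block(in, 14, &b) != BLK_OK || b.length != 4 || b.consumed != 14) return 0;
    return 1;
}
```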