NULL pointer crash in World in Conflict 1.000

From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com,bugs@securitytracker.com,news@securiteam.com,full-disclosure@lists.grok.org.uk,vuln@secunia.com,packet@packetstormsecurity.org
Cc:
Subject: NULL pointer crash in World in Conflict 1.000
Date:



#######################################################################

                             Luigi Auriemma

Application:  World in Conflict
              http://www.worldinconflict.com
Versions:     <= 1.000
Platforms:    Windows
Bug:          access to NULL pointer
Exploitation: remote, versus server
Date:         09 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


World in conflict is a RTS game developed by Massive Entertainment
(http://www.massive.se) and released about a month ago.


#######################################################################

======
2) Bug
======


The server is vulneable to a Denial of Service attack (crash) caused by
the access to a NULL pointer.
The problem happens in the GetMagicNumberString function which takes
the third byte of the data received from the client on the VOIP port
52999 and returns a text string if this value is valid ("ABC" for type
0, "DEF" for 1, "GHI" for 2 and so on) or NULL if it's invalid.
Then the string returned by this function is compared with another one
and here happens the NULL pointer access.


#######################################################################

===========
3) The Code
===========


Connect to the VOIP port of the server (default 52999) with telnet or
netcat and type something like aaaaaaa.
The server will crash immediately.


#######################################################################

======
4) Fix
======


Patch v1.001 (aka Update #001)


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.