scrapboom.txt

scrapboom.txt: Posted Mar 1, 2005; Authored by Luigi Auriemma | Site aluigi.altervista.org; Scrapland versions 1.0 and below suffer from a flaw where the server terminates prematurely when it errors.; tags | advisory; SHA-256 | 07d1610b895f413ac87080ba8ba543a523c1dc9dd5fa5fadef2ced8bc1f98de9; Download | Favorite | View

scrapboom.txt


#######################################################################

                             Luigi Auriemma

Application:  Scrapland
              http://www.scrapland.com
Versions:     <= 1.0
Platforms:    Windows
Bug:          server termination
Exploitation: remote, versus server (partially in-game)
Date:         28 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Scrapland is the known game developed by MercurySteam Entertainment
(http://www.mercurysteam.com) with the creative support of American
McGee (http://www.americanmcgee.com).
The game has been released at the beginning of 2005.


#######################################################################

======
2) Bug
======


The main problem of the game is that the server terminates after any
error instead of simply showing the error message in the game console
and continuing its work.

This situation lets an attacker to easily crash a Scrapland game server
in many ways, some of them are:

- size>SSize: the game uses 8 bits numbers to specify the size of the
  text strings inside the packets. These 8 bits numbers are handled as
  signed integers so any value bigger than 127 causes the server error.

- unexistent model: if the client uses a model (like engine, pilot or
  player) not available on the server, this one will terminate saying
  that the model specified by the client has not been found.

- newpos<=size: another type of error.

- access violation caused by the reception of two partial packets.

If the server is full, is not possible to terminate it.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/scrapboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Top Authors In Last 30 Days

Red Hat 305 files
Ubuntu 67 files
Debian 23 files
Gentoo 8 files
LiquidWorm 6 files
Apple 5 files
Google Security Research 5 files
Spencer McIntyre 3 files
Ivan Fratric 3 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,133)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,177)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,160)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,495)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,025)
UNIX (9,482)
UnixWare (188)
Windows (6,786)
Other

scrapboom.txt

scrapboom.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

scrapboom.txt

Share This

scrapboom.txt

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems