#######################################################################

Luigi Auriemma

Application:  Asura engine (network SDK)
              http://www.rebellion.co.uk
Games:        Rogue Trooper <= 1.0
              Prism: Guard Shield <= 1.1.1.0
              ...possibly others...
Platforms:    Windows
Bug:          challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         22 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol that leads to the vulnerability reported in
this advisory. The older games were based on DirectPlay (Judge Dredd)
and the Gamespy SDK (Sniper Elite).

#######################################################################

======
2) Bug
======

A buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the challenge B query.
In this function the data sent by the client is copied, with no check
on its length, into a 256-byte stack buffer that is then used to send
the same data back to the client, something similar to a ping. Any
client-controlled payload longer than 256 bytes therefore overwrites
whatever lies past the buffer on the stack.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/asurabof.zip

#######################################################################

======
4) Fix
======

No fix.
Rebellion is one of those vendors which have never replied to my past
mails.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
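The following is an added illustration of the bug class described in section 2; it is not Rebellion's code and not the asurabof.zip proof of concept. The wire layout is assumed for the demo (a 2-byte big-endian packet type, 0xf007 for challenge B, followed by the client payload), since the advisory only names the packet type and the 256-byte buffer. The "stack frame" is simulated as a flat array so the demo stays memory-safe while still showing the saved word past the buffer being clobbered, and the hardened handler beside it shows the length check the real code lacked.

```c
/*
 * Added example, not the engine's code or the original PoC.
 * Assumed wire layout: 2-byte big-endian type (0xf007 = challenge B),
 * then the client payload that the server echoes back.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASURA_CHALLENGE_B 0xf007u   /* packet type named in the advisory */
#define REPLY_BUF         256       /* stack buffer size named in the advisory */
#define FRAME_SIZE        512       /* simulated stack frame (demo only) */
#define FRAME_OFF_SAVED   REPLY_BUF /* the "saved" word sits right past the buffer */
#define SAVED_MAGIC       0xdeadbeefu

/* Build a challenge B packet: type + plen bytes of `fill`.
 * Returns bytes written, 0 if `out` is too small. */
size_t build_challenge_packet(unsigned char *out, size_t outlen,
                              size_t plen, unsigned char fill)
{
    if (outlen < 2 + plen) return 0;
    out[0] = (unsigned char)(ASURA_CHALLENGE_B >> 8);
    out[1] = (unsigned char)(ASURA_CHALLENGE_B & 0xff);
    memset(out + 2, fill, plen);
    return 2 + plen;
}

/* Split a packet into type and payload. Returns 0 on success, -1 if truncated. */
int parse_packet(const unsigned char *pkt, size_t pktlen, uint16_t *type,
                 const unsigned char **payload, size_t *plen)
{
    if (pktlen < 2) return -1;
    *type = (uint16_t)((pkt[0] << 8) | pkt[1]);
    *payload = pkt + 2;
    *plen = pktlen - 2;
    return 0;
}

/*
 * Vulnerable pattern: the payload is copied into the 256-byte reply buffer
 * without a length check. The frame is a flat 512-byte array with the reply
 * buffer at offset 0 and a saved word (standing in for a canary or return
 * address) immediately after it; the copy is capped at the frame size so the
 * demo never writes outside its own object (the real server had no such cap).
 * Returns 1 if the saved word survived, 0 if the payload overwrote it.
 */
int vulnerable_challenge_saved_intact(const unsigned char *payload, size_t plen)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t saved = SAVED_MAGIC, after;

    memset(frame, 0, sizeof frame);
    memcpy(frame + FRAME_OFF_SAVED, &saved, sizeof saved);

    if (plen > FRAME_SIZE) plen = FRAME_SIZE;   /* demo guard only */
    memcpy(frame, payload, plen);               /* the unchecked copy */

    memcpy(&after, frame + FRAME_OFF_SAVED, sizeof after);
    return after == SAVED_MAGIC;
}

/* Hardened handler: refuse anything that does not fit the reply buffer.
 * Returns 0 and sets *outlen on success, -1 on an over-long payload. */
int safe_challenge(const unsigned char *payload, size_t plen,
                   unsigned char *reply, size_t replylen, size_t *outlen)
{
    if (replylen < REPLY_BUF || plen > REPLY_BUF) return -1;
    memcpy(reply, payload, plen);
    *outlen = plen;
    return 0;
}

int main(void)
{
    unsigned char pkt[2 + 300], reply[REPLY_BUF];   /* 300-byte payload > 256 */
    uint16_t type;
    const unsigned char *payload;
    size_t plen, outlen;

    size_t n = build_challenge_packet(pkt, sizeof pkt, 300, 'A');
    if (parse_packet(pkt, n, &type, &payload, &plen) != 0 ||
        type != ASURA_CHALLENGE_B)
        return 1;
    printf("vulnerable: saved word intact=%d\n",
           vulnerable_challenge_saved_intact(payload, plen));
    printf("hardened:   rc=%d\n",
           safe_challenge(payload, plen, reply, sizeof reply, &outlen));
    return 0;
}
```

A 256-byte payload passes both handlers unchanged; at 257 bytes the vulnerable copy already clobbers the first byte past the buffer, which is exactly the boundary the hardened handler checks before touching the stack.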