#######################################################################

                             Luigi Auriemma

Application:  Armagetron
              http://armagetron.sourceforge.net
              Armagetron Advanced
              http://armagetronad.sourceforge.net
Versions:     Armagetron <= 0.2.6.0
              Armagetron Advanced <= 0.2.7.0
Platforms:    multiplatform (Windows, Linux and others)
Bugs:         A] crash caused by big descriptor ID
              B] crash caused by big claim_id
              C] socket unreachable through empty packet
              D] fake players temporary freeze
Exploitation: remote, versus server
Date:         10 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Armagetron is the well known and widely played open source multiplayer
game developed by Manuel Moos.
Recently the Armagetron project (up to version 0.2.6.0) has been
declared dead, and its unofficial successor is Armagetron Advanced.

#######################################################################

=======
2) Bugs
=======

------------------------------------
A] crash caused by big descriptor ID
------------------------------------

The game uses an array of 400 descriptors, but clients pass their
descriptor ID as a 16 bit number (so up to 65535).
In short, a packet with an ID greater than 400 crashes the server,
because the lookup reads an unallocated zone beyond the end of the
array.

-------------------------------
B] crash caused by big claim_id
-------------------------------

Just like the bug described above, there is a problem in the call to
the ANET_AddrCompare() function: it is passed an element of the peers
structure (an array of 18 elements) indexed by the 16 bit value the
client places at the end of its packet, so any value of 18 or more
points outside the array.

------------------------------------------
C] socket unreachable through empty packet
------------------------------------------

The game uses asynchronous sockets through FIONREAD, which returns the
number of bytes in the next received packet (0 if there are no new
packets).
If the server receives an empty UDP packet it keeps checking the
socket's queue forever, since FIONREAD still reports 0 bytes, and in
the meantime it cannot handle any other packet, so all the clients are
automatically disconnected from it.
The situation returns to normal only when a new map starts and the
socket is recreated.

--------------------------------
D] fake players temporary freeze
--------------------------------

Simply put, the server and every connected client freeze completely if
too many players join and then send no data (time out).
So an attacker can fill the server with fake players, and when a new
map starts (rounds in Armagetron are short enough) nobody will be able
to play on that server.

#######################################################################

===========
3) The Code
===========

A, B, C] http://aluigi.org/poc/atronboom.zip

D]       http://aluigi.org/fakep/atronfp.zip

#######################################################################

======
4) Fix
======

No fix.
I reported bugs A and D to the author many months ago, but then I lost
all contact with him.
I have sent a mail to 2 of the new programmers of the Armagetron
Advanced project explaining all the bugs, but I have received no reply.

#######################################################################
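The following is an added illustration of the input validation that bugs A, B and C call for; it is not code from Armagetron or from this advisory. It assumes the array sizes stated above (400 descriptors, 18 peers) and a hypothetical packet layout (16 bit big-endian descriptor ID first, 16 bit big-endian claim_id as the last two bytes), since the real wire format is not given here.

```c
#include <stddef.h>
#include <stdint.h>

/* Array sizes as described in the advisory (assumed to match the game). */
#define MAX_DESCRIPTORS 400
#define MAX_PEERS        18

enum pkt_status {
    PKT_OK = 0,
    PKT_EMPTY,          /* zero-length datagram: read it off the socket and
                           drop it instead of re-polling FIONREAD (bug C) */
    PKT_TOO_SHORT,      /* not enough bytes for both 16 bit fields */
    PKT_BAD_DESCRIPTOR, /* descriptor ID >= 400 would index past the array (bug A) */
    PKT_BAD_CLAIM_ID    /* claim_id >= 18 would index past the peers array (bug B) */
};

/* Hypothetical field encoding: 16 bit big-endian (assumption, see lead-in). */
static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate one datagram of `len` bytes before any array is indexed with the
 * client-supplied values. Only on PKT_OK are the outputs written. */
enum pkt_status validate_packet(const uint8_t *buf, size_t len,
                                uint16_t *descriptor, uint16_t *claim_id) {
    if (len == 0)
        return PKT_EMPTY;       /* the datagram was consumed; nothing to parse */
    if (len < 4)
        return PKT_TOO_SHORT;   /* a descriptor ID and a claim_id cannot both fit */

    uint16_t d = read_u16(buf);            /* client-chosen descriptor ID */
    uint16_t c = read_u16(buf + len - 2);  /* client-chosen claim_id at the end */

    /* A 16 bit field can carry values up to 65535: bound it by the array
     * size, not by the type, before using it as an index. */
    if (d >= MAX_DESCRIPTORS)
        return PKT_BAD_DESCRIPTOR;
    if (c >= MAX_PEERS)
        return PKT_BAD_CLAIM_ID;

    *descriptor = d;
    *claim_id = c;
    return PKT_OK;
}
```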