####################################################################### Luigi Auriemma Applications: Some old games developed by Monolith http://www.lith.com Versions: - Alien versus Predator 2 <= 1.0.9.6 - Blood 2 <= 2.1 - No one lives forever <= 1.004 - Shogo <= 2.2 Platforms: Windows and Mac Bug: limited buffer overflow Exploitation: remote, versus server Date: 08 October 2004 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Monolith is the developer of the famous Lithtech engine. The games affected by the bug I'm going to explain have been released before the 2002 but are still very played online. ####################################################################### ====== 2) Bug ====== The bug is a classical buffer-overflow happening when an attacker sends a \secure\ Gamespy query followed by at least 68 chars. The limitation of this vulnerability is in the bytes that overwrite the small buffer because only those from 0x20 to 0x7f are allowed while the others are truncated during some internal steps. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/lithsec.zip ####################################################################### ====== 4) Fix ====== No official fix, probably these games are no longer supported and, however, I have received no reply from the developers. Fortunately creating a work-around for this bug is very easy because is only needed to set the "secure" string to NULL. The following are my unofficial patches: http://aluigi.org/patches/lithsecfix.lpatch #######################################################################