####################################################################### Luigi Auriemma Application: Tincat network library http://www.tincat.de Versions: Release 2 < 2.0.28 Release 1 should be not vulnerable Games: - Sacred <= 1.8.2.6 - The Settlers: Heritage of Kings <= 1.02 - other applications, a partial list in german is available at the following link but I cannot confirm if they are vulnerable: http://www.tincat.de/index.php?topic=5 Platforms: Windows, Linux and Sun Solaris Bug: buffer-overflow Exploitation: remote, versus server Date: 28 Mar 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Tincat is a network library for games and has been developed by the german guys of Instance Four (http://www.instancefour.com). It is used in some games like the recents and well known Sacred (http://www.sacred-game.com) and The Settlers: Heritage of Kings (http://www.thesettlers.com). ####################################################################### ====== 2) Bug ====== The library is affected by a buffer-overflow in the function that logs the players entered in the server letting an attacker to execute malicious code on the victim system. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/tincat2bof.zip ####################################################################### ====== 4) Fix ====== The library has been patched from build 28 (2.0.28). Currently "The Settlers: Heritage of Kings" 1.03 is the only game that uses the new patched library. #######################################################################