
Buffer-overflow in the Asura engine







#######################################################################

                             Luigi Auriemma

Application:  Asura engine (network SDK)
              http://www.rebellion.co.uk
Games:        Rogue Trooper                                      <= 1.0
              Prism: Guard Shield                            <= 1.1.1.0
              ...possibly others...
Platforms:    Windows
Bug:          challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         22 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============

Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol that leads to the vulnerability reported
in this advisory; the older games were based on DirectPlay (Judge
Dredd) and the Gamespy SDK (Sniper Elite).


#######################################################################

======
2) Bug
======

A buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the challenge B query.
In this function the data passed by the client is copied (without
checks on its length) to a stack buffer of 256 bytes used for sending
the data back to the client, something similar to a ping.
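
The pattern described above, next to a length-checked version, as an added
example that is not taken from the advisory or from the Asura engine. The
function names, signatures and sample buffers are assumptions; only the
256-byte stack buffer and the missing length check come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHALLENGE_BUF_SIZE 256  /* stack buffer size given in the advisory */

/* Pattern the advisory describes: the copy length is whatever the client
 * sent, so anything over 256 bytes writes past `reply` on the stack.
 * Hypothetical reconstruction for illustration, not the engine's code. */
size_t echo_challenge_unchecked(const uint8_t *data, size_t len, uint8_t *out)
{
    uint8_t reply[CHALLENGE_BUF_SIZE];
    memcpy(reply, data, len);      /* BUG: len never compared to sizeof(reply) */
    memcpy(out, reply, len);
    return len;
}

/* Hardened form: validate the client-supplied length against both the
 * local buffer and the caller's output capacity before any copy.
 * Returns the number of bytes echoed, or -1 if the packet is dropped. */
long echo_challenge_checked(const uint8_t *data, size_t len,
                            uint8_t *out, size_t out_cap)
{
    uint8_t reply[CHALLENGE_BUF_SIZE];

    if (data == NULL || out == NULL)
        return -1;
    if (len > sizeof(reply) || len > out_cap)
        return -1;                 /* drop oversized data, do not truncate */
    memcpy(reply, data, len);
    memcpy(out, reply, len);
    return (long)len;
}

/* Constructed sample buffers (not captured traffic). */
static uint8_t sample_in[300], sample_out[300];

int main(void)
{
    memset(sample_in, 'A', sizeof(sample_in));
    /* 256 bytes fits exactly; 257 bytes must be rejected. */
    return !(echo_challenge_checked(sample_in, 256, sample_out,
                                    sizeof(sample_out)) == 256 &&
             echo_challenge_checked(sample_in, 257, sample_out,
                                    sizeof(sample_out)) == -1);
}
```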


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/asurabof.zip 


#######################################################################

======
4) Fix
======

No fix.
Rebellion is one of those vendors which have never replied to my past
mails.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 
http://mirror.aluigi.org 

