#######################################################################

Luigi Auriemma

Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.97d2-RC3
Platforms:    Windows, Linux and FreeBSD
Bug:          NULL pointer dereference
Exploitation: remote, versus server (in-game)
Date:         11 Aug 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Skulltag is a port of the original Doom focused mainly on multiplayer
gaming.

#######################################################################

======
2) Bug
======

The Skulltag server is affected by a NULL pointer dereference that is
triggered when a client sends command 29 before it is fully in the
game.

The following are the full details from one of Skulltag's developers,
Torr Samaho:

"The command instructs the server to let the player use all its
items. The corresponding function then wanted to access the inventory
of the player with players->mo->Inventory, but forgot to check if the
player is in the game at all. In case the player is not in game,
players->mo is a NULL pointer."

The attacker needs to join the server to exploit this bug, so his IP
address must not be banned and, if the server is protected with a
password, he must know it. Any connected client can then crash the
server with a single packet, since the check is missing on the server
side and nothing in the protocol prevents a client from sending the
command early.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/skulltagod.zip

#######################################################################

======
4) Fix
======

Version 0.97d2-RC6

#######################################################################
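The following is an added illustration of the bug class described in section 2; it is not Skulltag's source and not part of the original advisory. It models a player table in the style of the `players->mo->Inventory` access quoted above, with a handler that dereferences `mo` unconditionally beside a hardened one that refuses the command until the player is in game. The names `CMD_USE_ALL_ITEMS`, `use_all_items_unchecked`, `use_all_items_checked`, `dispatch_client_command`, the structs and the sample inventory are all assumptions made for the example; only the field name `mo->Inventory` and the command number 29 come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed identifiers for illustration; not Skulltag's own names. */
#define CMD_USE_ALL_ITEMS 29
#define MAXPLAYERS 4

typedef struct inventory_s {
    const char *name;
    int amount;
    struct inventory_s *next;
} inventory_t;

typedef struct {
    inventory_t *Inventory;   /* mirrors the mo->Inventory field named in the advisory */
} mobj_t;

typedef struct {
    int ingame;               /* player has finished joining and has a map object */
    mobj_t *mo;               /* NULL until the player actually spawns */
} player_t;

static player_t players[MAXPLAYERS];
static inventory_t inv_items[2];
static mobj_t mo0;

/* Constructed sample state: player 0 has spawned with two items, player 1 has
 * connected but not yet joined the game, so its mo is still NULL. */
static void setup_players(void)
{
    memset(players, 0, sizeof players);
    inv_items[0] = (inventory_t){ "Medikit", 10, &inv_items[1] };
    inv_items[1] = (inventory_t){ "Armor",   20, NULL };
    mo0.Inventory = &inv_items[0];
    players[0].ingame = 1;
    players[0].mo = &mo0;
    players[1].ingame = 0;
    players[1].mo = NULL;
}

/* Pattern the advisory describes: trusts that mo is non-NULL. A client that
 * sends command 29 before spawning makes this read through a NULL pointer. */
static int use_all_items_unchecked(int pnum)
{
    int used = 0;
    for (inventory_t *item = players[pnum].mo->Inventory; item; item = item->next) {
        used += item->amount;
        item->amount = 0;
    }
    return used;
}

/* Hardened handler: validates the player index and the in-game state before
 * touching mo. Returns the total amount used, or -1 if the command is refused. */
static int use_all_items_checked(int pnum)
{
    if (pnum < 0 || pnum >= MAXPLAYERS) return -1;
    if (!players[pnum].ingame || players[pnum].mo == NULL) return -1;
    int used = 0;
    for (inventory_t *item = players[pnum].mo->Inventory; item; item = item->next) {
        used += item->amount;
        item->amount = 0;
    }
    return used;
}

/* Dispatches a one-byte client command through the checked handler.
 * Returns 0 on success, -1 if the packet is malformed or the command rejected. */
static int dispatch_client_command(int pnum, const unsigned char *pkt, size_t len)
{
    if (len < 1) return -1;
    switch (pkt[0]) {
    case CMD_USE_ALL_ITEMS:
        return use_all_items_checked(pnum) < 0 ? -1 : 0;
    default:
        return -1;
    }
}

int main(void)
{
    unsigned char pkt[1] = { CMD_USE_ALL_ITEMS };
    setup_players();
    /* Player 1 has no mo: the unchecked handler would crash here, the checked one refuses. */
    printf("not-in-game player: checked handler returns %d\n", use_all_items_checked(1));
    printf("in-game player:     dispatch returns %d\n", dispatch_client_command(0, pkt, sizeof pkt));
    return 0;
}
```

The state check belongs in the command handler itself, not only in whatever code normally spawns the player, because the client controls when command 29 arrives; the PoC exploits exactly that gap between "connected" and "in game".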