#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://www.ravensoft.com/soldier2.html
Versions:     1.02, 1.03
              old versions like 1.00 and the demo don't seem to be vulnerable
Platforms:    Windows, Linux and MacOS
Bug:          crash caused by invalid memory pointer
Exploitation: remote, versus server (partially in-game)
Date:         24 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com).
It was released in May 2002.

#######################################################################

======
2) Bug
======

The problem is a crash of the server caused by access to a wrong zone
of memory, which happens after the handling of a big cl_guid value
passed by the client.

This is a partially in-game bug: the attacker must have access to the
server (so if his IP has been banned he cannot access it), but he can
also attack servers protected by password without knowing the right
keyword.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/sof2guidboom.zip

#######################################################################

======
4) Fix
======

No fix.
The game has been "officially" unpatched for months, so it can be
declared no longer supported.

I have been able to create a work-around only for the Windows version,
which checks the length of the cl_guid value and rejects the clients
that send a value bigger than 64 bytes (the max size of the cl_guid
buffer):

http://aluigi.org/patches/sof2guidfix.lpatch

#######################################################################
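The length check that the work-around above describes, written here as an added C example; it is neither Raven's engine code nor the author's patch. It assumes (an assumption, since the page shows no parsing code) that the client sends its settings as a Quake 3-style backslash-delimited userinfo string ("\key\value\key\value"), looks up cl_guid in it and rejects any value longer than the 64-byte limit stated in the advisory, before the value is ever copied into a fixed-size buffer:

```c
#include <stdio.h>
#include <string.h>

#define CL_GUID_MAX 64   /* max size of the cl_guid buffer, per the advisory */

/* Look up `key` in a backslash-delimited userinfo string.
   Returns a pointer to the start of the value and stores its length in *len,
   or NULL if the key is absent or the string is malformed (key without value). */
static const char *userinfo_lookup(const char *info, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = info;

    while (*p == '\\') {
        const char *k = p + 1;
        const char *kend = strchr(k, '\\');
        if (!kend)
            return NULL;                       /* dangling key: malformed */
        const char *v = kend + 1;
        const char *vend = strchr(v, '\\');
        size_t vlen = vend ? (size_t)(vend - v) : strlen(v);

        if ((size_t)(kend - k) == klen && memcmp(k, key, klen) == 0) {
            *len = vlen;
            return v;
        }
        if (!vend)
            return NULL;                       /* that was the last pair */
        p = vend;
    }
    return NULL;
}

/* Returns 1 if the userinfo carries no cl_guid or one of at most CL_GUID_MAX
   bytes, 0 if the value is oversized and the client should be rejected.
   Only the length is validated, which is exactly what the work-around does. */
int cl_guid_is_acceptable(const char *userinfo)
{
    size_t len = 0;
    const char *guid = userinfo_lookup(userinfo, "cl_guid", &len);
    if (!guid)
        return 1;
    return len <= CL_GUID_MAX;
}

/* Constructed sample inputs (not captured traffic): a 32-char guid ... */
int demo_normal_guid(void)
{
    return cl_guid_is_acceptable(
        "\\name\\player\\cl_guid\\0123456789ABCDEF0123456789ABCDEF\\rate\\25000");
}

/* ... and a 65-char one, one byte past the limit. */
int demo_oversized_guid(void)
{
    char guid[CL_GUID_MAX + 2];
    char info[256];
    memset(guid, 'A', CL_GUID_MAX + 1);
    guid[CL_GUID_MAX + 1] = '\0';
    snprintf(info, sizeof info, "\\name\\player\\cl_guid\\%s", guid);
    return cl_guid_is_acceptable(info);
}

int main(void)
{
    printf("normal guid accepted:    %d\n", demo_normal_guid());      /* 1 */
    printf("oversized guid accepted: %d\n", demo_oversized_guid());   /* 0 */
    return 0;
}
```

The check runs on the raw value length rather than on the result of a copy, so an oversized value never reaches the 64-byte buffer; a server-side patch that did the copy first and checked afterwards would already be too late. A missing cl_guid is accepted here because the advisory only concerns oversized values; whether an absent guid should also be rejected is a policy choice the page does not address.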