SecurityvulnsSECURITYVULNS:DOC:18167NULL pointer crash in World in Conflict 1.000
#######################################################################
Luigi Auriemma
Application: World in Conflict
http://www.worldinconflict.com
Versions: <= 1.000
Platforms: Windows
Bug: access to NULL pointer
Exploitation: remote, versus server
Date: 09 Oct 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
World in conflict is a RTS game developed by Massive Entertainment
(http://www.massive.se) and released about a month ago.
#######################################################################
======
2) Bug
The server is vulneable to a Denial of Service attack (crash) caused by
the access to a NULL pointer.
The problem happens in the GetMagicNumberString function which takes
the third byte of the data received from the client on the VOIP port
52999 and returns a text string if this value is valid ("ABC" for type
0, "DEF" for 1, "GHI" for 2 and so on) or NULL if it's invalid.
Then the string returned by this function is compared with another one
and here happens the NULL pointer access.
#######################################################################
===========
3) The Code
Connect to the VOIP port of the server (default 52999) with telnet or
netcat and type something like aaaaaaa.
The server will crash immediately.
#######################################################################
======
4) Fix
Patch v1.001 (aka Update #001)
#######################################################################
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org