####################################################################### Luigi Auriemma Application: Halo: Combat Evolved http://www.microsoft.com/games/pc/halo.aspx Versions: <= 1.0.7.0615 (before 30 Jul 2008) Platforms: Windows Bugs: A] endless loop B] resources consumption Exploitation: remote, versus server Date: 06 Aug 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Halo is the great FPS game developed by Bungie Studios and ported on PC by Gearbox Software (http://www.gearboxsoftware.com). Although it has been released at the end of 2003, it's still one of the most played games with hundreds of internet servers. ####################################################################### ======= 2) Bugs ======= --------------- A] endless loop --------------- The Halo server is affected by a problem in the handling of a type of packet which can cause the bypassing of a check used to avoid the reading of data outside the packet. The result is an endless loop which freezes the application with CPU at 100%. ------------------------ B] resources consumption ------------------------ When a client occupies the player's slot after joininig the match, the Halo server continues to send packets to it forever because it stops only if an ICMP "destination unreachable" or a disconnection packet is received (doesn't exist a timeout, this is the cause of the problem). This has been tested personally by me and after a week I was still receiving these packets because many servers have firewalls which block ICMP and so there is no way to stop this problem except restarting the server. If the player has not occupied the slot yet (so before the handshake performed by the Gamespy SDK), the sending of packets made by the server is only 60 seconds long. So if an attacker has disabled the outgoing ICMP packets, which is default on any Windows with the firewall activated, he can consume a part of the network bandwidth of the server and mainly its memory with the consequent possible crash or hanging of the application. Note that, as already said, a handshake is required for occupying the slot so is not possible to spoof the packets which instead is possible for the second method of the 60 seconds. ####################################################################### =========== 3) The Code =========== A] http://aluigi.org/poc/haloloop3.zip B] http://aluigi.org/poc/halonso.zip ####################################################################### ====== 4) Fix ====== The hotfix released the 30th July 2008 solves these problems. Note that this hotfix has the same version number of the previous one released a month before for the haloloop2 bug: 1.0.7.0615. ####################################################################### --- Luigi Auriemma http://aluigi.org http://backup.aluigi.org http://mirror.aluigi.org