S.T.A.L.K.E.R.: Shadow of Chernobyl IPureServer::_Recieve Buffer Overflow Vulnerability

Vulnerability ID: 1115580
Vulnerability type: Buffer overflow
Published: 2008-06-28
Updated: 2009-04-25
CVE ID: CVE-2008-6703
CNNVD ID: CNNVD-200904-236
Platform: Multiple
CVSS score: 10.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/31998
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-236
|Vulnerability Details
S.T.A.L.K.E.R. is a first-person shooter developed by GSC Game World. The function IPureServer::_Recieve in S.T.A.L.K.E.R.: Shadow of Chernobyl contains a stack-based buffer overflow. When the game receives a packet whose first byte is 0x39, it calls MultipacketReciever::RecievePacket. That function takes a 16-bit number specified in the incoming packet as the number of bytes to copy, uses the packet data as the copy source, and uses an 8 KB stack buffer as the copy destination. Each UDP packet in S.T.A.L.K.E.R. has a maximum size of 1472 bytes, but through the LZO compression the game implements, 32 KB of data can be placed in a single packet, which can trigger a stack overflow in the copy operation described above.
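The defect described above is a length field read from the packet and used as a copy count without being compared against the fixed-size destination. The following C program is an added example written for this page, not code from the game or from the advisory. It assumes a hypothetical header layout (marker byte 0x39 followed by a 16-bit little-endian length, then payload) and uses the sizes the advisory states (8 KB stack buffer, 1472-byte datagram, 32 KB after decompression) to show the bounds check that prevents the overflow; the frames it processes are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes taken from the advisory text: 8 KB stack destination, 1472-byte UDP
   datagram, up to 32 KB of data after LZO decompression. */
#define RECV_BUF_SIZE      8192u
#define MAX_UDP_PAYLOAD    1472u
#define MAX_DECOMPRESSED   32768u
#define MULTIPACKET_MARKER 0x39

/* Assumed (hypothetical) header layout for illustration only:
   [0] marker 0x39, [1..2] 16-bit little-endian declared length, [3..] payload. */
#define HEADER_LEN 3u

/* Decode the declared 16-bit length from a decompressed multipacket frame.
   Returns -1 if the frame is too short for a header or the marker is wrong. */
static int declared_length(const uint8_t *frame, size_t frame_len) {
    if (frame_len < HEADER_LEN || frame[0] != MULTIPACKET_MARKER)
        return -1;
    return (int)(frame[1] | ((unsigned)frame[2] << 8));
}

/* The check the advisory says is missing: a length taken from the packet may
   only drive a copy if it fits the fixed destination AND the bytes actually
   present in the frame. Returns 1 when copying `declared` bytes is safe. */
static int copy_length_is_safe(unsigned declared, size_t available, size_t dst_size) {
    return declared <= dst_size && declared <= available;
}

/* Hardened receive: performs the copy into an 8 KB stack buffer as described,
   but rejects any frame whose declared length fails the check above.
   Returns the number of bytes accepted, or -1 when the frame is dropped. */
static int receive_multipacket(const uint8_t *frame, size_t frame_len) {
    uint8_t stack_buf[RECV_BUF_SIZE];
    int len = declared_length(frame, frame_len);
    if (len < 0)
        return -1;
    size_t available = frame_len - HEADER_LEN;
    if (!copy_length_is_safe((unsigned)len, available, sizeof stack_buf))
        return -1;                      /* untrusted length: drop the frame */
    memcpy(stack_buf, frame + HEADER_LEN, (size_t)len);
    return len;
}

/* Build a constructed frame with an arbitrary declared length (sample input,
   not a real game packet). Returns the total frame length, 0 on error. */
static size_t build_frame(uint8_t *out, size_t out_cap, unsigned declared, size_t payload_len) {
    if (out_cap < HEADER_LEN + payload_len)
        return 0;
    out[0] = MULTIPACKET_MARKER;
    out[1] = (uint8_t)(declared & 0xffu);
    out[2] = (uint8_t)(declared >> 8);
    memset(out + HEADER_LEN, 'A', payload_len);
    return HEADER_LEN + payload_len;
}

/* A frame that fits in one datagram and declares exactly what it carries. */
static int scenario_normal(void) {
    static uint8_t frame[MAX_UDP_PAYLOAD];
    size_t n = build_frame(frame, sizeof frame, 1000, 1000);
    return receive_multipacket(frame, n);
}

/* A frame that declares 0xFFFF bytes but carries only 1000: the length
   field alone would overrun the 8 KB buffer, so it must be rejected. */
static int scenario_oversized_declared(void) {
    static uint8_t frame[MAX_UDP_PAYLOAD];
    size_t n = build_frame(frame, sizeof frame, 0xFFFFu, 1000);
    return receive_multipacket(frame, n);
}

/* A frame that really carries 20000 bytes (possible after decompression):
   the data is present, but it still exceeds the 8 KB destination. */
static int scenario_decompressed_too_big(void) {
    static uint8_t frame[MAX_DECOMPRESSED + HEADER_LEN];
    size_t n = build_frame(frame, sizeof frame, 20000, 20000);
    return receive_multipacket(frame, n);
}

int main(void) {
    printf("normal frame: %d bytes accepted\n", scenario_normal());
    printf("declared 0xFFFF: %d (rejected)\n", scenario_oversized_declared());
    printf("20000 decompressed bytes: %d (rejected)\n", scenario_decompressed_too_big());
    return 0;
}
```

The two checks in copy_length_is_safe are independent: the first rejects lengths larger than the destination regardless of what the frame holds, the second rejects lengths larger than the bytes actually received so that a short frame cannot cause an over-read of the source.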
|Exploit
source: http://www.securityfocus.com/bid/29997/info

S.T.A.L.K.E.R is prone to multiple remote vulnerabilities:

- A stack-based buffer-overflow vulnerability
- An integer-overflow vulnerability
- A denial-of-service vulnerability

An attacker can exploit these issues to execute arbitrary code within the context of the affected application or crash the application, denying service to legitimate users.

S.T.A.L.K.E.R Shadow of Chernobyl 1.0006 is vulnerable; other versions may also be affected.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/31998.zip
|References

Source: XF
Name: stalker-multipacketreceiver-bo (43454)
Link: http://xforce.iss.net/xforce/xfdb/43454
Source: BID
Name: 29997
Link: http://www.securityfocus.com/bid/29997
Source: BUGTRAQ
Name: 20080628 Multiple vulnerabilities in S.T.A.L.K.E.R. 1.0006
Link: http://www.securityfocus.com/archive/1/493765
Source: SECUNIA
Name: 30891
Link: http://secunia.com/advisories/30891
Source: OSVDB
Name: 46626
Link: http://osvdb.org/46626
Source: MISC
Link: http://aluigi.altervista.org/adv/stalker39x-adv.txt