#######################################################################

                            Luigi Auriemma

Application:  Orbz
              http://www.21-6.com/orbz.asp
Versions:     <= 2.10
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow
Exploitation: remote, versus server
Date:         29 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

===============
1) Introduction
===============

Orbz is a nice game developed by 21-6 Productions (http://www.21-6.com) and released in December 2002.

======
2) Bug
======

A buffer-overflow exists in the password field of the join packet; this bug can be exploited versus both protected and unprotected servers.

===========
3) The Code
===========

http://aluigi.altervista.org/poc/orbzbof.zip

======
4) Fix
======

No fix. The developers have been "reviewing" my bug report for 20 days... no comment.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.
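The advisory locates the overflow in the password field of the join packet: a length the sender controls drives a copy into a fixed-size buffer without being checked against that buffer. The following is an added illustration of the check a server-side parser needs, written for this report; it is not Luigi Auriemma's proof of concept and not Orbz code, and the packet layout (type byte, then length-prefixed name and password fields), the field limits and the sample packets are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical join-packet layout, assumed for illustration (not the real
 * Orbz wire format):
 *   byte 0      packet type, 0x01 = join
 *   byte 1      player-name length N, followed by N bytes of name
 *   next byte   password length P, followed by P bytes of password
 */
#define JOIN_TYPE 0x01
#define NAME_MAX  16
#define PASS_MAX  32

struct join_request {
    char name[NAME_MAX + 1];
    char password[PASS_MAX + 1];
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED,      /* declared field runs past the end of the packet */
    PARSE_BAD_TYPE,       /* not a join packet */
    PARSE_FIELD_TOO_LONG  /* declared field would not fit its fixed buffer */
};

/* Copy one length-prefixed field into a fixed-size buffer, refusing any field
 * that would not fit. The two bound checks are what an unchecked copy driven
 * by the sender's length byte omits; their absence is the bug class the
 * advisory describes. Returns bytes consumed (1 + field length), or 0 with
 * *err set. */
static size_t read_field(const uint8_t *buf, size_t len,
                         char *dst, size_t dst_cap, enum parse_result *err)
{
    if (len < 1) { *err = PARSE_TRUNCATED; return 0; }
    size_t flen = buf[0];
    if (flen > dst_cap) { *err = PARSE_FIELD_TOO_LONG; return 0; }
    if (len - 1 < flen) { *err = PARSE_TRUNCATED; return 0; }
    memcpy(dst, buf + 1, flen);
    dst[flen] = '\0';
    return 1 + flen;
}

enum parse_result parse_join(const uint8_t *buf, size_t len,
                             struct join_request *out)
{
    enum parse_result err = PARSE_OK;
    size_t off, n;

    memset(out, 0, sizeof *out);
    if (len < 1) return PARSE_TRUNCATED;
    if (buf[0] != JOIN_TYPE) return PARSE_BAD_TYPE;
    off = 1;
    n = read_field(buf + off, len - off, out->name, NAME_MAX, &err);
    if (n == 0) return err;
    off += n;
    n = read_field(buf + off, len - off, out->password, PASS_MAX, &err);
    if (n == 0) return err;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). Each demo parses into
 * *out, or into a scratch struct when out is NULL. */

/* Well-formed join: name "bob", password "secret". */
enum parse_result demo_well_formed(struct join_request *out)
{
    static const uint8_t pkt[] = { JOIN_TYPE, 3, 'b', 'o', 'b',
                                   6, 's', 'e', 'c', 'r', 'e', 't' };
    struct join_request scratch;
    return parse_join(pkt, sizeof pkt, out ? out : &scratch);
}

/* Hostile join: the password length byte claims 255 bytes and the payload
 * really carries them, far beyond PASS_MAX. The parser must reject it before
 * copying a single byte. */
enum parse_result demo_oversized_password(struct join_request *out)
{
    uint8_t pkt[1 + 1 + 3 + 1 + 255];
    struct join_request scratch;
    size_t off = 0;
    pkt[off++] = JOIN_TYPE;
    pkt[off++] = 3;   memcpy(pkt + off, "bob", 3); off += 3;
    pkt[off++] = 255; memset(pkt + off, 'A', 255); off += 255;
    return parse_join(pkt, off, out ? out : &scratch);
}

/* Truncated join: password length says 10 but only 4 bytes follow. */
enum parse_result demo_truncated(struct join_request *out)
{
    static const uint8_t pkt[] = { JOIN_TYPE, 3, 'b', 'o', 'b',
                                   10, 'p', 'a', 's', 's' };
    struct join_request scratch;
    return parse_join(pkt, sizeof pkt, out ? out : &scratch);
}

int main(void)
{
    struct join_request r;
    printf("well-formed: %d (name=%s password=%s)\n",
           demo_well_formed(&r), r.name, r.password);
    printf("oversized password: %d\n", demo_oversized_password(NULL));
    printf("truncated: %d\n", demo_truncated(NULL));
    return 0;
}
```

The point of the example is that the reject decision is made from the declared length alone, before any copy happens; a server that copies first and validates afterwards (or never) is the pattern the advisory reports, and no password is required on the sending side, which matches the note that protected and unprotected servers are equally affected.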
Sent an email upstream to verify that the demo is in fact vulnerable, and if they are going to release a patch.
Still no response from upstream. CC'ing games herd to see if anyone can verify this.
<upstream>
Luke -

Thanks for the mail. We have been alerted to the supposed vulnerability but have yet to confirm it. A new version of Orbz is coming out in January so if there is a problem it will surely be fixed in that release. I'll keep you informed.

Thanks,
Justin
</upstream>

Upstream can't even confirm this issue. It looks like we're gonna have to sit on this until January.
Actually, I was planning on testing this in the next couple of days (if one of the other games guys doesn't beat me to it) to verify the validity of the exploit. If it works, then we will be package.mask'ing the package immediately, unless a fix or workaround can be brought to light at that time. Now, it might mean it sits in p.mask until the newer version comes out, but we're OK with that.
Chris, did you ever get a chance to test this out?
I did not have a chance to check it out before I went on vacation. Perhaps one of the other games developers has gotten to it? If not, then I'll add it back to my TODO list at the top, since this is a security issue.
Negative, I added this bug to my internal ignore list after you said you'd poke at it ;)
Games team: please test and report if we are vulnerable to this. If you can't we'll probably mask it by precaution.
We are vulnerable to the given exploit. I emerged the game and started a dedicated server using the "orbzdedicated" script. Using the exploit causes a buffer overflow and closes the server. Btw, here is another link to the code, the one given above seems to be down: http://packetstorm.linuxsecurity.com/filedesc/orbzbof.zip.html
I've removed the game from portage, not a big deal for the games team to keep it.
Hmm, theoretically we should issue a GLSA about this... but I don't think this is worth it.
I agree on no GLSA.
Closing without GLSA. ...I liked this game *tear*.
Really closing