Remote Buffer Overflow in JO


lordvader

I was testing JO for security a bit, and found its server module has an unchecked buffer. Basically what this means is information can be sent to the server, and if the size of the data is larger than that of the receiving buffer, remote code can be inserted and executed. If done properly, it can lead to a 100% compromise of the target system. Unfortunately, it seems I was not the first to discover this. Upon further probing, I found a cracker named sloof used a modified version of the LIRPA routing protocol to inject this code in Raven's master servers. Basically, anyone who's so much as listed servers in the past day has been automatically compromised, and a virus has been installed on their system. This virus, named FFC.Win32, affects all Windows operating systems. It spreads in two ways. First of all, it searches for mIRC. If it exists, it inserts code such that whenever a person joins a chat room in which the compromised client is, the compromised client will request a DCC transfer of a file which claims to be a Jedi Outcast mod, but is actually the virus. It will also infect the compromised client's Jedi Outcast server so that everyone who connects to it will also be infected. It will not be detected by virus scanners. To check for the virus:

Go into your Jedi Outcast directory. Go into GameData. If the file "FFC10.dll" exists, you are infected. Do not delete this file: the virus stays resident in memory and in various other places, and in basically every case will zero out every bit on your hard drive, effectively destroying all data even beyond the level of a format. So once again, do not attempt to fix it yourself; deleting the dll will only make things worse. I'm not yet sure of how to disinfect yourself; McAfee, Norton, and all other makers of antivirus software have not yet updated their software as this virus is new.

Archived

This topic is now archived and is closed to further replies.
