VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2007 · Updated Apr 23, 2026

CVE-2007-4531

Description

Soldat game server 1.4.2 and dedicated server 2.6.2 are vulnerable to remote denial-of-service attacks via long strings or control characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Soldat game server version 1.4.2 and earlier, and dedicated server version 2.6.2 and earlier, contain multiple denial-of-service vulnerabilities. The bugs are triggered via the file transfer port or chat messages. Specifically, a long string (exceeding approximately 512 bytes) sent to the file transfer port or as a chat message causes a client crash. Additionally, a string containing many 0x07 (bell) or other control characters sent to the file transfer port causes the server to emit a continuous beep and experience slowdown. These issues are described in the advisory by Luigi Auriemma [1].

Exploitation

An attacker can exploit these vulnerabilities remotely without authentication. For client crashes, the attacker sends a long string (greater than 512 bytes) to the file transfer port or as a chat message. Any client viewing the message will crash. For server denial of service, the attacker sends a string containing numerous 0x07 characters to the file transfer port. The dedicated server on Linux is not affected by the server DoS because it lacks a sound system [1].

Impact

Successful exploitation results in denial of service. Clients crash when viewing long strings, preventing them from playing. The server can be slowed down and emit a continuous beep, disrupting gameplay. No code execution or data compromise is achieved; the impact is limited to availability.

Mitigation

No official fix was confirmed in the provided references. Users should upgrade to the latest version of Soldat if available. As a workaround, administrators can restrict access to the file transfer port or limit the length of chat messages. The vulnerabilities were disclosed in August 2007 [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

References

7
