Saved February 14, 2026
Do you care about this?
This article discusses security vulnerabilities found in Command & Conquer: Generals, particularly in its online multiplayer functionality. The authors detail a memory corruption issue that allows for remote code execution, demonstrating the exploit with a custom worm. They also provide insights into the game's network architecture and packet structure.
If you do, here's more
General Graboids reveals vulnerabilities in Command & Conquer: Generals, an online game recently made open source by EA Games. Researchers Bryan Alexander and Jordan Whitehead presented their findings at an information security conference, detailing the game’s network architecture, its vulnerabilities, and a worm they developed to illustrate the potential impact. Although the game is end-of-life, community patches exist that fix some of these issues. Their research was part of a competitive event called Junkyard, which targets EoL products to showcase security flaws.
The game's source code includes various components but lacks certain proprietary elements, preventing a straightforward build. During gameplay, two UDP ports are utilized: port 8086 for lobby commands and port 8088 for game synchronization. Each packet sent over these ports follows a specific structure, including a CRC32 checksum and an XOR-encoded payload. The researchers found a significant vulnerability in the file handling commands within the net command handlers, which allows attackers to exploit a stack buffer overflow by sending malicious packets. This vulnerability can be triggered even if the attacker is not part of the game, making it a serious security concern.
The specific code responsible for the vulnerability involves a loop that copies data into a fixed-size buffer. If the incoming data exceeds the buffer's capacity, it leads to memory corruption and crashes. They confirmed this issue by injecting packets during the processing loop using tools like Frida and a custom Python client. The findings underscore the risks associated with legacy games, especially when they are reopened to the public without adequate security measures.
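The copy-loop pattern described above, next to a bounded version, as an added example that is not code from the game or from the researchers. The function names, the NUL-terminated field layout and the buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NAME_BUF_LEN 8  /* assumed size, kept small for the demo */

/* Unsafe pattern (for contrast, never called here): copies until the
   sender's terminator, so the sender decides how far past dst it writes. */
void read_name_unchecked(const uint8_t *pkt, char *dst) {
    size_t i = 0;
    while (pkt[i] != 0) { dst[i] = (char)pkt[i]; i++; }
    dst[i] = '\0';
}

/* Bounded version: limited by the bytes actually received (pkt_len) and
   by the destination size (dst_len). Returns the number of bytes consumed
   including the terminator, or -1 when the packet should be dropped. */
int read_name_checked(const uint8_t *pkt, size_t pkt_len,
                      char *dst, size_t dst_len) {
    if (pkt == NULL || dst == NULL || dst_len == 0) return -1;
    for (size_t i = 0; i < pkt_len; i++) {
        if (i >= dst_len) break;            /* field longer than buffer */
        dst[i] = (char)pkt[i];
        if (pkt[i] == 0) return (int)(i + 1);
    }
    dst[0] = '\0';  /* oversize or unterminated: leave no partial data */
    return -1;
}

int main(void) {
    /* Constructed sample fields, not captured traffic. */
    const uint8_t ok[]  = { 'm', 'a', 'p', 0, 'x' };
    const uint8_t big[] = { 'a','a','a','a','a','a','a','a','a', 0 };
    char name[NAME_BUF_LEN];

    printf("ok  -> %d\n", read_name_checked(ok, sizeof ok, name, sizeof name));
    printf("big -> %d\n", read_name_checked(big, sizeof big, name, sizeof name));
    return 0;
}
```

Dropping the packet on -1, rather than truncating the field, keeps later fields in the same packet from being parsed at the wrong offset.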