[UNIX] Alien Arena Format String and Clients Termination



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Alien Arena Format String and Clients Termination
------------------------------------------------------------------------


SUMMARY

Alien Arena 2007 is "an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code of
the Quake 2 engine". Two vulnerabilities have been discovered in the Alien
Arena FPS game.

DETAILS

Vulnerable Systems:
* Alien Arena 2007 version 6.10

In-game format string in safe_bprintf:
A format string vulnerability is located in the safe_bprintf function.
The function first expands its own format and arguments into bigbuffer and
then hands bigbuffer to gi.cprintf as the format string, instead of passing
it as the argument of a fixed "%s" format. Any player-controlled text that
reaches safe_bprintf (a nickname containing directives such as %s or %n,
for instance) is therefore interpreted a second time. The bug is exploited
in-game, so it is subject to the usual limitations that apply to any
connected player (server password, banning):

from game/acesrc/acebot_cmds.c:
void safe_bprintf (int printlevel, char *fmt, ...)
{
    int      i;
    char     bigbuffer[0x10000];
    int      len;
    va_list  argptr;
    edict_t  *cl_ent;

    /* first pass: the caller's format and its arguments are expanded here */
    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    /* bigbuffer, which now contains player-controlled text, is passed as the
       format string; the call should be gi.cprintf(NULL, printlevel, "%s", bigbuffer) */
    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        /* same missing "%s" for every connected human client */
        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}
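To make the double interpretation concrete, here is an added example (my own code, not from the advisory or the Alien Arena sources). It models gi.cprintf as a hypothetical cprintf_sink that formats into a caller-supplied buffer, places the vulnerable call shape next to the fixed one, and adds a small check that counts the directives a player string would smuggle into a format. It uses vsnprintf instead of the original's vsprintf so that the example itself stays well defined, and it drives the vulnerable path only with "%%", the one directive that needs no argument and so can be run safely.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BIGBUF 0x10000

/* Stand-in for the engine's gi.cprintf: formats into a caller buffer
 * instead of sending text to a client (assumption made for this example). */
static void cprintf_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Same shape as the advisory's safe_bprintf: the already formatted text is
 * handed to the sink as the format string, so any '%' that a player-controlled
 * argument left in it is interpreted a second time. */
void bprintf_vuln(char *out, size_t outlen, const char *fmt, ...)
{
    char bigbuffer[BIGBUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, ap);
    va_end(ap);
    cprintf_sink(out, outlen, bigbuffer);          /* BUG: bigbuffer is the format */
}

/* Fixed form: the formatted text is passed as a plain "%s" argument. */
void bprintf_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char bigbuffer[BIGBUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, ap);
    va_end(ap);
    cprintf_sink(out, outlen, "%s", bigbuffer);    /* text can no longer format */
}

/* Count the conversion directives a string would introduce if it were misused
 * as a printf format. "%%" is a literal percent and is not counted. A server
 * operator who cannot patch could use this as a nickname sanity check. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;                    /* %s, %x, %n, ... would read or write memory */
    }
    return n;
}

int main(void)
{
    char out[128];
    /* "%%Player" is a constructed nickname. Through the vulnerable path the
     * "%%" collapses to a single '%', proving the second interpretation; a
     * "%n" in a real nickname would write to memory instead. */
    bprintf_vuln(out, sizeof out, "%s entered the game\n", "%%Player");
    printf("vulnerable: %s", out);   /* %Player entered the game */
    bprintf_fixed(out, sizeof out, "%s entered the game\n", "%%Player");
    printf("fixed:      %s", out);   /* %%Player entered the game */
    printf("directives in \"%s\": %d\n", "%n%n%x", count_directives("%n%n%x"));
    return 0;
}
```

The only change needed in the engine is the one shown in bprintf_fixed: keep the formatting pass, but never let its output become a format string again.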

Clients termination through spoofed client_connect:
When queried, the game server returns a lot of information, including the
list of players currently in the game together with their IP addresses.
Although the Quake 2 protocol is not generally prone to spoofing attacks
(unlike Quake 3 with its disconnect packet), here it is possible to block
and disconnect all the clients playing on a server simply by using the
"client_connect" command.

An attacker only needs to query the server to obtain the IP:port of each
player, then send this command to each of them using the IP and port of
the server as the spoofed source address. The client is then no longer able
to move or send commands to the server; after some minutes it times out,
and until that moment it cannot rejoin the same server.

PoC:
http://aluigi.org/poc/aa2k7x.zip


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma.
The original article can be found at:
http://aluigi.altervista.org/adv/aa2k7x-adv.txt


