[NT] Doom 3 Engine Through PB Format String
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 8 Oct 2007 20:08:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Doom 3 Engine Through PB Format String
------------------------------------------------------------------------
SUMMARY
The Doom 3 engine (formerly known as id Tech 4, <http://en.wikipedia.org/wiki/Id_Tech_4>) is the latest version of the famous game engine developed by id Software (<http://www.idsoftware.com>). A format string vulnerability exists in the Doom 3 engine.
DETAILS
The function that displays strings on the game's console has a format string vulnerability: the incoming string is passed directly as the format argument, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem, since the engine uses some functions and tricks to avoid displaying the % character, such as dropping it or inserting a space between it and the following character.
But there is a way to bypass this limitation, with the added advantages of doing so anonymously and with a single spoofable UDP packet: PunkBuster.
When PunkBuster is active on a server (which is the case on practically all public servers), it displays the content of some incoming packets on the game's console.
The PunkBuster packets needed to force a custom string to be displayed on the console are PB_Y (YPG server) and PB_U (UCON); in the past PB_P worked too, but it has recently been made no longer verbose, probably because people abused it to spam servers (which is naturally still possible with the packets above).
As already said, this is a bug in the Doom 3 engine and affects both dedicated and non-dedicated servers; it is NOT a PunkBuster bug. PunkBuster is used only as a "way" of reaching a zone of the code that would otherwise be unexploitable.
Proof of concept:
http://aluigi.org/poc/d3engfspb.zip
Vendor Status:
No fix from the vendor.
PunkBuster has released a new version of the anti-cheat which filters the % character before it is passed to the vulnerable function the Doom 3 engine uses to display strings on the console. This prevents exploitation of the bug via PunkBuster.
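The two fixes the advisory describes, shown as an added example that is not code from the Doom 3 engine, PunkBuster or the advisory: console_print_safe passes the incoming text as a "%s" data argument instead of as the format, and neutralize_percent models the "insert a space after %" filter the advisory attributes to the engine and to the patched PunkBuster. Both function names and the sample message are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hardened form of the snprintf(buff, 1024, string) pattern from the
 * advisory: the sender-controlled text is a *data* argument, so any '%'
 * in it is copied literally and never interpreted as a directive.
 * Returns what snprintf returns (length of the formatted text). */
static int console_print_safe(char *buff, size_t n, const char *string)
{
    return snprintf(buff, n, "%s", string);
}

/* Input filter of the kind the advisory describes: break every "%x" pair
 * by inserting a space after '%', so a later (unfixed) format call has
 * no valid directive to interpret.  Returns the number of '%' characters
 * neutralised, or -1 if `out` (size n) cannot hold the result. */
static int neutralize_percent(char *out, size_t n, const char *in)
{
    size_t o = 0;
    int hits = 0;
    for (const char *p = in; *p; p++) {
        if (o + 1 >= n) return -1;        /* keep room for the terminator */
        out[o++] = *p;
        if (*p == '%') {
            if (o + 1 >= n) return -1;
            out[o++] = ' ';               /* "%s" becomes "% s" */
            hits++;
        }
    }
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: a console message carrying format directives. */
    const char *sample = "PB: hello %s %n world";
    char filtered[128], line[128];
    int hits = neutralize_percent(filtered, sizeof filtered, sample);
    console_print_safe(line, sizeof line, filtered);
    printf("neutralised %d directive(s): \"%s\"\n", hits, line);
    return 0;
}
```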
ADDITIONAL INFORMATION
The information has been provided by Luigi Auriemma <mailto:aluigi@xxxxxxxxxxxxx>.
The original article can be found at:
http://aluigi.org/adv/d3engfspb-adv.txt