[NT] Doom 3 Engine Through PB Format String



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Doom 3 Engine Through PB Format String
------------------------------------------------------------------------


SUMMARY

The Doom 3 engine (also known as id Tech 4,
<http://en.wikipedia.org/wiki/Id_Tech_4>) is the latest version of the
well-known game engine developed by id Software
(<http://www.idsoftware.com>). Its console output routine contains a format
string vulnerability, and attacker-controlled text can be made to reach that
routine remotely through Punkbuster packets.

DETAILS

The function that prints strings on the game's console passes the text it is
given as the format argument itself, roughly:
snprintf(buff, 1024, string);

Normally this is not exploitable, because the engine filters the % character
before text reaches that function, either dropping it or inserting a space
between it and the following character.

There is, however, a way around that filter, and it can be used anonymously
with a single spoofable UDP packet: Punkbuster.

When Punkbuster is active on a server (practically all public servers) it
prints the content of some incoming packets to the game's console.
The Punkbuster packets that force a custom string onto the console are PB_Y
(YPG server) and PB_U (UCON). In the past PB_P worked as well, but it has
recently been made non-verbose, probably because people abused it to spam
servers (which remains possible with the two packets above).

As noted, this is a bug in the Doom 3 engine and affects both dedicated and
non-dedicated servers. It is NOT a Punkbuster bug: Punkbuster is only the
route by which attacker-controlled text reaches a code path that would
otherwise be unreachable.
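To make the bug and the fix concrete, the following C example (added here; it is not code from the Doom 3 engine, from Punkbuster, or from the original advisory) shows the vulnerable console sink beside its corrected form, a check for text that printf would interpret, and a %-neutralizing filter of the kind the text describes. The function names, the 1024-byte buffers and the sample payload are assumptions for illustration; the engine's real console code and the PB_Y/PB_U packet layout are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CONSOLE_BUF 1024

/* Stand-in for the console's line buffer (assumed size). */
static char console_line[CONSOLE_BUF];
/* Output of neutralize_percent(); reused across calls. */
static char filtered[CONSOLE_BUF];

/* The bug pattern the advisory describes: attacker-controlled text is used as
 * the format string itself, so "%x" reads words off the stack and "%n" writes
 * to memory. Deliberately wrong; call it only with text containing no '%'
 * (or only "%%"), where the behaviour is still defined. */
static const char *console_print_vulnerable(const char *string)
{
    snprintf(console_line, sizeof console_line, string);
    return console_line;
}

/* The one-line fix: the format is a literal and the text is an argument, so
 * nothing inside the text is ever interpreted. */
static const char *console_print_fixed(const char *string)
{
    snprintf(console_line, sizeof console_line, "%s", string);
    return console_line;
}

/* Detection: would printf interpret this text? Any '%' not immediately followed
 * by another '%' (the escape for a literal percent) counts, including a lone
 * trailing '%'. Handy for alerting on what arrives in PB_Y/PB_U payloads. */
static bool has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {
            p++;            /* skip the second '%' of an escaped pair */
            continue;
        }
        return true;
    }
    return false;
}

/* Mitigation of the kind the text describes (the engine's own tricks and
 * Punkbuster's later filter): defuse '%' before it can reach the sink.
 * drop=true removes the character; drop=false doubles it to "%%", which any
 * standard printf prints as a literal percent. Returns the filtered string,
 * truncated if it would not fit. */
static const char *neutralize_percent(const char *in, bool drop)
{
    size_t n = 0;
    for (; *in != '\0' && n + 2 < sizeof filtered; in++) {
        if (*in == '%') {
            if (drop)
                continue;
            filtered[n++] = '%';
            filtered[n++] = '%';
        } else {
            filtered[n++] = *in;
        }
    }
    filtered[n] = '\0';
    return filtered;
}

int main(void)
{
    /* Constructed sample: the kind of payload an attacker would try to echo. */
    const char *payload = "%x%x%x%n";

    printf("directive present: %d\n", has_format_directive(payload));
    printf("fixed sink       : %s\n", console_print_fixed(payload));
    printf("escaped          : %s\n", neutralize_percent(payload, false));
    printf("dropped          : %s\n", neutralize_percent(payload, true));
    /* Escaped text is safe even through the vulnerable sink: "%%" is the only
     * directive left, and it prints a single '%'. */
    printf("vuln sink, escaped input: %s\n",
           console_print_vulnerable(neutralize_percent(payload, false)));
    return 0;
}
```

One caveat on the space-insertion trick the text mentions: in a standard C printf a space is a legal flag character, so "% n" is still parsed as a directive. Whether that trick defuses anything therefore depends on the formatter the engine actually uses, which is why the example above doubles the character instead; "%%" is a literal percent under any standard printf.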

Proof of concept:
http://aluigi.org/poc/d3engfspb.zip

Vendor Status:
No fix from the vendor.

Punkbuster has released a new version of the anti-cheat that filters the %
character before it reaches the vulnerable console function in the Doom 3
engine. This blocks exploitation via Punkbuster; the underlying engine bug
itself remains unfixed.


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma
<mailto:aluigi@xxxxxxxxxxxxx>.
The original article can be found at:
http://aluigi.org/adv/d3engfspb-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


