lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Apr 2005 18:49:22 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, red@...sec.de
Subject: In-game server crash in Call of Duty 1.5b and United Offensive
 1.51b



#######################################################################

                             Luigi Auriemma

Applications: Call of Duty                     <= 1.5b
              Call of Duty: United Offensive   <= 1.51b
              http://www.callofduty.com
Platforms:    Windows only (Linux is safe and Mac has not been tested)
Bug:          crash
Exploitation: remote, versus server (in-game)
Date:         02 Apr 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty and its expansion pack United Offensive are the famous
military FPS games developed by Infinity Ward
(http://www.infinityward.com) and Gray Matter Studios
(http://www.gmistudios.com).
The games have been released respectively in October 2003 and September
2004.


#######################################################################

======
2) Bug
======


The game server is affected by a problem in the building of the
commands to visualize the clients messages.
If the message is too long and the generated command is longer than
1024 chars the server shows the dialog box of the exception handler
with a warning about a possible buffer-overflow and naturally the match
terminates.
In reality the bug doesn't seem to be a real buffer-overflow but I have
not deeply debugged the problem.

This is an in-game bug so the attacker must have access to the server,
if it's protected by password he must know the keyword and then his
cd-key can be banned since CoD servers use the online authorization.


#######################################################################

===========
3) The Code
===========


- download the following file:
    http://aluigi.altervista.org/poc/codmsgboom.cfg
- place it in the base folder of the game: main or uo
- start a client and a server
- join the server
- go into the client console (~ key)
- type: /exec codmsgboom
- the server will crash showing an error


#######################################################################

======
4) Fix
======


No fix.

Developers have not been contacted since already exists another
unpatched bug from over one month (infostring overflow) and is more
easy to exploit than this Windows-only problem where attackers can be
banned and tracked.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org



Powered by blists - more mailing lists