[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050402184922.2a1cb0aa.aluigi@autistici.org>
Date: Sat, 2 Apr 2005 18:49:22 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
vuln@...unia.com, red@...sec.de
Subject: In-game server crash in Call of Duty 1.5b and United Offensive
1.51b
#######################################################################
Luigi Auriemma
Applications: Call of Duty <= 1.5b
Call of Duty: United Offensive <= 1.51b
http://www.callofduty.com
Platforms: Windows only (Linux is safe and Mac has not been tested)
Bug: crash
Exploitation: remote, versus server (in-game)
Date: 02 Apr 2005
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Call of Duty and its expansion pack United Offensive are the famous
military FPS games developed by Infinity Ward
(http://www.infinityward.com) and Gray Matter Studios
(http://www.gmistudios.com).
The games have been released respectively in October 2003 and September
2004.
#######################################################################
======
2) Bug
======
The game server is affected by a problem in the building of the
commands to visualize the clients messages.
If the message is too long and the generated command is longer than
1024 chars the server shows the dialog box of the exception handler
with a warning about a possible buffer-overflow and naturally the match
terminates.
In reality the bug doesn't seem to be a real buffer-overflow but I have
not deeply debugged the problem.
This is an in-game bug so the attacker must have access to the server,
if it's protected by password he must know the keyword and then his
cd-key can be banned since CoD servers use the online authorization.
#######################################################################
===========
3) The Code
===========
- download the following file:
http://aluigi.altervista.org/poc/codmsgboom.cfg
- place it in the base folder of the game: main or uo
- start a client and a server
- join the server
- go into the client console (~ key)
- type: /exec codmsgboom
- the server will crash showing an error
#######################################################################
======
4) Fix
======
No fix.
Developers have not been contacted since already exists another
unpatched bug from over one month (infostring overflow) and is more
easy to exploit than this Windows-only problem where attackers can be
banned and tracked.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists