Message-ID: <20050825194048.7709.qmail@securityfocus.com>
Date: 25 Aug 2005 19:40:48 -0000
From: nukemmeister@...il.com
To: bugtraq@...urityfocus.com
Subject: Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?
Well, I ran Quake 2 (using Lithium mod V 1.24) under OllyDbg and it seems that the
Lithium II mod for Quake 2 (latest patch 3.20) is parsing the '%' in
nicks. My well-crafted nickname '%999f%f%f%f%f' is being pushed onto
the stack as
004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ;
ASCII "0.000000 0.000000 0.000000"
a huge real number. This expansion seems to be causing a stack
overflow. I ran it on my test server and sure enough it crashes. I'm currently working on code execution and the ability to read any memory address.
I contacted the creator of the Lithium II mod; he still hasn't returned my emails.
I found that any 'percent' in the nick is interpreted as 0.0000; you
can use various combos such as %d for an int or %c for a char. This is
telling me that it's a format string vulnerability.
This only works on Lithium Quake 2 servers. It's manifested in the
latest release V 1.24. It probably affects prior versions also.
I am currently reverse engineering the mod to get more info on this. It's probably going to take a while because I'm at my mom's house with 8 people and one computer ;p
The vuln lies in the code that updates the score (frags) when you die; that is where the overflow manifests. I will write a more detailed explanation on this after I finish RE'ing it.
Regards, SinNULL
More info on the vuln will be posted shortly, when I find some time to work on it.
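The post describes the classic two-stage formatting bug: a message containing the player's nick is built once and then handed to a printf-style broadcast routine as its format string, so every '%' in the nick is parsed as a conversion. The C below is an added example, not code from the post or from the Lithium mod (whose actual source is not shown here): it reproduces the assumed vulnerable shape, shows the "%s" fix, and adds two checks a server operator would want, a nick sanitizer for the userinfo path and a counter that flags nicks like '%999f%f%f%f%f'. The function names, the MAX_NAME/MSG_LEN sizes and the "has N frags" message text are all assumptions for illustration. The vulnerable path is exercised only with '%%' (which expands to a literal '%') so the demonstration itself is well defined and does not read missing arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16    /* assumed nick buffer size, not taken from Quake 2 or Lithium */
#define MSG_LEN  256   /* assumed broadcast message buffer size */

/* Stand-in for a printf-style broadcast routine (assumed; e.g. gi.bprintf-like).
 * Whatever reaches 'fmt' is interpreted, so it must never be player data. */
static void broadcast(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the nick is substituted into 'msg', then 'msg' itself is
 * used as the format. A nick of "%%" comes out as "%", a nick of "%f" would
 * consume a non-existent double argument (undefined behaviour). */
int frag_message_vuln(char *out, size_t n, const char *nick, int frags) {
    char msg[MSG_LEN];
    snprintf(msg, sizeof msg, "%s has %d frags\n", nick, frags);
    broadcast(out, n, msg);              /* BUG: player-controlled format */
    return (int)strlen(out);
}

/* Fix: data always travels through a fixed "%s" format; '%' in the nick is
 * now just a character. */
int frag_message_safe(char *out, size_t n, const char *nick, int frags) {
    char msg[MSG_LEN];
    snprintf(msg, sizeof msg, "%s has %d frags\n", nick, frags);
    broadcast(out, n, "%s", msg);        /* format is a literal, msg is an argument */
    return (int)strlen(out);
}

/* Defence in depth at the point where the nick is set: drop every '%' so a
 * format string can never be stored in the name. Returns how many were dropped. */
int sanitize_nick(char *dst, size_t n, const char *src) {
    size_t j = 0;
    int dropped = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < n; i++) {
        if (src[i] == '%') { dropped++; continue; }
        dst[j++] = src[i];
    }
    dst[j] = '\0';
    return dropped;
}

/* Detection: count real conversion specifiers in a nick ("%%" is a literal
 * percent and is not counted). Anything above zero is an attack attempt worth
 * logging before the nick is accepted. */
int count_format_specs(const char *s) {
    int count = 0;
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }  /* skip the escaped pair */
        count++;
    }
    return count;
}

int main(void) {
    char out[MSG_LEN], clean[MAX_NAME];
    const char *nick = "50%%er";                   /* constructed sample nick */
    const char *attack = "%999f%f%f%f%f";          /* the nick from the post */

    frag_message_vuln(out, sizeof out, nick, 3);
    printf("vulnerable: %s", out);                 /* '%%' was parsed -> "50%er" */
    frag_message_safe(out, sizeof out, nick, 3);
    printf("fixed:      %s", out);                 /* nick passed through verbatim */

    printf("specs in '%s': %d\n", attack, count_format_specs(attack));
    int dropped = sanitize_nick(clean, sizeof clean, attack);
    printf("sanitized: '%s' (%d '%%' dropped)\n", clean, dropped);
    return 0;
}
```

The sanitizer and the counter belong in the userinfo-change handler (before the nick is stored), while the "%s" fix belongs at every call site that broadcasts a message containing player data; fixing only one of the two leaves the other path open.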