lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070905232457.ac49c6c0.aluigi@autistici.org>
Date: Wed, 5 Sep 2007 23:24:57 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Format string and clients disconnection in Alien Arena 2007 6.10


#######################################################################

                             Luigi Auriemma

Application:  Alien Arena 2007
              http://red.planetarena.org
Versions:     <= 6.10 and current SVN
Platforms:    Windows and Linux
Bugs:         A] in-game format string in safe_bprintf
              B] clients disconnection through spoofed client_connect
Exploitation: A] remote versus server
              B] remote versus clients
Date:         05 Sep 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Alien Arena 2007 is an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code
of the Quake 2 engine.


#######################################################################

=======
2) Bugs
=======

----------------------------------------
A] in-game format string in safe_bprintf
----------------------------------------

A format string vulnerability is located in the safe_bprintf function
caused by the usage of cprintf without the needed format argument.
The bug can be exploited in-game (so with the usual possible password
and banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int i;
    char    bigbuffer[0x10000];
    int     len;
    va_list     argptr;
    edict_t *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}


-------------------------------------------------------
B] clients disconnection through spoofed client_connect
-------------------------------------------------------

When queried the game server returns many informations included the
list of players which are currently playing and their IP addresses too.
Although the Quake 2 protocol isn't prone to spoofing attacks
(differently to what happens with Quake 3 and the disconnect packet)
here is possible to block and disconnect all the clients which are
playing on the server simply using the "client_connect" command.

So an attacker needs only to query the server, getting the list of
IP:port of the players and sending this command to them using the IP
and the port of the server as source.
The client will be no longer able to move or send commands in the
server and after some minutes it will time out, until this moment it
cannot rejoin the same server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/aa2k7x.zip


#######################################################################

======
4) Fix
======


No fix.
The developer has not been contacted because he is too stupid for
understanding a bug report:

  http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ