lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20071001213132.f0f3e568.aluigi@autistici.org>
Date: Mon, 1 Oct 2007 21:31:32 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Format string in the Doom 3 engine through PB


#######################################################################

                             Luigi Auriemma

Application:  Doom 3 engine
Games:        Doom 3     (http://www.doom3.com)                <= 1.3.1
              Quake 4    (http://www.quake4game.com)           <= 1.4.2
              Prey       (http://www.prey.com)                   <= 1.3
              Enemy Territory: Quake Wars                NOT VULNERABLE
Platforms:    Windows, Linux and Mac
Bug:          format string
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Doom 3 engine (formerly known as id Tech 4) is the latest version
of the famous game engine developed by ID Software
(http://www.idsoftware.com) and used in some recent games:

  http://en.wikipedia.org/wiki/Id_Tech_4


#######################################################################

======
2) Bug
======


The function which visualizes the strings on the game's console is
vulnerable to a format string vulnerability, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and
tricks to avoid the visualization of the % char like dropping it or
inserting a space between it and the subsequent char.

But there is a way for bypassing this limitation with also the better
advantages of doing it anonymously and with only one single spoofable
UDP packet: Punkbuster.

When Punkbuster is active on a server (practically almost all the
public servers) it visualizes the content of some incoming packets
using the game's console.
The Punkbuster packets needed for forcing the visualization of a custom
string in the console are PB_Y (YPG server) and PB_U (UCON), while in
the past was ok to use PB_P too which has been recently made no longer
verbose probably due to its abusing attempted by people for spamming
servers (which is naturally still possible with the above packets).

As already said this is a bug in the Doom 3 engine and affects both
dedicated and non-dedicated servers, so NOT a Punkbuster's bug which
is used only as a "way" for reaching a zone of the code otherwise
unexploitable.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/d3engfspb.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ