lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 1 Oct 2007 21:31:43 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Format string in F.E.A.R. 1.08 through PB


#######################################################################

                             Luigi Auriemma

Application:  F.E.A.R. (First Encounter Assault Recon)
              http://www.whatisfear.com
Versions:     <= 1.08
Platforms:    Windows and Linux
Bug:          format string
Exploitation: remote, versus server with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


F.E.A.R. is the most recent FPS game developed by Monolith
(http://www.lith.com).


#######################################################################

======
2) Bug
======


This bug is nothing new moreover considering that it's public from the
far 2004 when this game was still a beta:

  http://aluigi.org/adv/lithfs-adv.txt

What changes this time is the type of exploitation and the derived
advantages since now the attack is completely anonymous from outside
the server using only one UDP packet.

When Punkbuster is enabled on a server (true for many public servers)
it visualizes the content of some incoming packets using the game's
console.
The Punkbuster packets needed for forcing the visualization of a custom
string in the console are PB_Y (YPG server) and PB_U (UCON), while in
the past was ok to use PB_P too which has been recently made no longer
verbose probably due to its abusing attempted by people for spamming
servers (which is naturally still possible with the above packets).

As already said this is a bug in the Lithtech engine and NOT in
Punkbuster which is used only as a "way" for exploiting it.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/fearfspb.zip


#######################################################################

======
4) Fix
======


No fix.
The bug has been never "really" patched although it's public from 3
years.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists