lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080502211434.f98c4deb.aluigi@autistici.org>
Date: Fri, 2 May 2008 21:14:34 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	packet@...ketstormsecurity.org, cert@...t.org, news@...uriteam.com
Subject: Denial of Service in Call of Duty 4 1.5


#######################################################################

                             Luigi Auriemma

Application:  Call of Duty 4: Modern Warfare
              http://www.callofduty.com
Versions:     <= 1.5
Platforms:    Windows (tested) and Linux
Bug:          Denial of Service
Exploitation: remote, versus server (in-game)
Date:         02 May 2008
Thanx to:     Chronos for the additional tests
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty 4 (CoD4) is the most recent and played game of the homonym
series created by Infinity Ward (http://www.infinityward.com) with over
15000 internet servers.


#######################################################################

======
2) Bug
======


In CoD4 has been introduced a new type of connectionless command (like
getinfo, getstatus, connect and so on) called "stats" that seems
related to player statistics and can be of 6 types which are sent by
the client in sequential order just after having joined the remote
game.

Exists an additional type (7) which is accepted by the server and if a
client uses it the remote server will crash due to a memcpy() with a
negative size value (the attacker has no control over the source data
and this value).

The stats packet requires that the client is in the server since the
qport value specified in it and both IP and port must match those used
by the player, so the attacker must know the password if the server is
protected, being not banned and moreover having a valid cdkey if the
internet server requires it.


#######################################################################

===========
3) The Code
===========


- plugin for the sudppipe proxy which modifies any stats packet
  enabling type 7:

  http://aluigi.org/mytoolz/sudppipe.zip
  http://aluigi.org/poc/cod4statz_sudp.zip

  Usage example:
    sudppipe -l cod4statz_sudp.dll SERVER PORT 20000
    then from the CoD4 client type: connect 127.0.0.1:20000

  the plugin does a very simple job, when a "stats" packet is received
  it places the 0x07 byte at offset 12.


- stand-alone proof-of-concept which works versus servers without
  authorization (like LAN servers) for quickly testing the own servers
  without the need of using a CoD4 client:

  http://aluigi.org/poc/cod4statz.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ